Forgot Password: Is my code okay? Newbie

Postby tristan5522 » Thu Apr 24, 2014 6:18 pm

Hey everyone, this is my first post. Currently this code resets the user's password and replaces it with some random code in the database. Not sure what I am doing wrong, any help would be greatly appreciated.

<?php
$heading = "Forgot Password";

if(isset($_GET['action']) && $_GET['action'] == "fpwd")
{
    if(count($_POST) > 0)
    {
        if(isset($_POST['user_email']))
        {
            $email_address = $_POST['user_email'];

            $sqlemail = "select user_email from ".TABLE_user." where user_email = '$email_address'";
            $resemail = mysql_query($sqlemail);

            $password = "user".rand(1000,50000);

            $sql_update = "update ".TABLE_user." set 'password' = '".md5($password)."' where 'user_email' = '$email_address'";
            $res = mysql_query($sql);

            $to = $email_address;
            $subject = 'Reset Password';
            $message = 'Your new password: '.$password;
            $headers = 'From: '.STORE_EMAIL.'' . "\r\n";

            if(mail($to, $subject, $message, $headers))
            {
                fw_goto_page_header(fw_create_link(FILENAME_FORGOT_PWD,'msg=1'));
            }
        }
    }
}

?>
tristan5522
New php-forum User
Posts: 1
Joined: Thu Apr 24, 2014 6:12 pm

Re: Forgot Password: Is my code okay? Newbie

Postby Abdulwadood » Fri Apr 25, 2014 1:48 am

Hi,
As I am a newbie, I will share with you what I know. MD5 is used to encrypt a password using a hash function. But you can use the same password that you gave. To my knowledge there is no solution to decrypt (to reveal) such a password.

Thanks
Abdulwadood
New php-forum User
Posts: 1
Joined: Fri Apr 25, 2014 1:37 am

Re: Forgot Password: Is my code okay? Newbie

Postby seandisanti » Fri Apr 25, 2014 6:14 pm

Google an MD5 hash. Most of them will return a value instantly. MD5 is not secure and should not be used for anything of any consequence.

Back to the problem at hand though. What error are you getting, or what is it not doing? Also, you should not allow someone without the password to reset the password. Only give them the option to request a password reset. When requested, email a reset link to the email address you have on file. If you search through this forum, there are good user classes that you can use that demonstrate logins, password resets, 'remember me' checkboxes, etc. I know I've personally posted several.

And don't save the password as an MD5 hash. You need a one-way salted hash, which MD5 is not. What you can do is write a function to generate a salt of length X, then do a SHA-1 hash of the entered value and the random salt. Tack the salt onto the end of the hash, and save it into your database like that. When someone tries to log in, grab the stored password, pull off the unencrypted salt (because you know the length and it's on the end of the hash generated with it) and run their entry and the hash through the generate code. Compare the result to the stored value and if they entered the same thing, it will match. Never store passwords in plaintext or MD5, and do not save entered details on login attempts.
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm
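
The flow described in the reply above (email a reset link instead of overwriting the password, and store a salted one-way hash), as an added example that is not code from anyone in this thread. It swaps the hand-rolled salt-plus-SHA-1 scheme for PHP's built-in password_hash()/password_verify(), which keep the salt inside the stored string, and stores only a SHA-256 of the reset token; the users table, its reset_hash and reset_expires columns, and the example.test address and URL are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Table, column names and the reset URL are assumptions.

function requestReset(PDO $db, string $email): ?string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG token, goes only into the emailed link
    $stmt = $db->prepare(
        'UPDATE users SET reset_hash = ?, reset_expires = ? WHERE user_email = ?'
    );                                    // bound parameters instead of string-built SQL
    $stmt->execute([hash('sha256', $token), time() + 3600, $email]);
    // Null for an unknown address; the page shown to the visitor should not differ.
    return $stmt->rowCount() === 1 ? $token : null;
}

function completeReset(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare(
        'UPDATE users SET password = ?, reset_hash = NULL, reset_expires = NULL
          WHERE reset_hash = ? AND reset_expires > ?'
    );
    // password_hash() generates a random salt and embeds it in the returned string.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt->execute([$hash, hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;       // the token is cleared, so it works once
}

function checkLogin(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user_email = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && password_verify($password, $stored);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_email TEXT PRIMARY KEY, password TEXT,
                               reset_hash TEXT, reset_expires INTEGER)');
$db->prepare('INSERT INTO users (user_email, password) VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

$token = requestReset($db, 'alice@example.test');
echo "Link to email: https://shop.example.test/reset.php?token=$token\n";
var_dump(completeReset($db, $token, 'new-long-passphrase'));  // first use of the token
var_dump(completeReset($db, $token, 'something-else'));       // reuse of the spent token
var_dump(checkLogin($db, 'alice@example.test', 'new-long-passphrase'));
```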

