Forgot Password script problem

[megha_3000]

Hello everybody

I got a problem with the script. i.e. when i use this php script
then when it send mail to sender the randomly generated
password which is mentioned here by $newpass
doesn't give access the user to log in to account.
what is the problem. How can i resolve this.

Thanking You
Megha

The script is :

Code:

<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
include_once('includes/queryfunctions.php');
include_once('includes/functions.php');
$conn=mysql_connect(HOST . ":" . PORT , USER, PASS);
if (!$conn) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db(DB);

    function make_seed()
{
    list($usec, $sec) = explode(' ', microtime());
    return (float) $sec + ((float) $usec * 100000);
}

if (isset($_POST["submit"]) && $_POST["submit"]=="Send Password"){
srand(make_seed());
$newpass = rand();		
$pass = md5($newpass);
		$loginname = "'" . $_POST[loginname] . "'";
		if (!get_magic_quotes_gpc()) {
			$pass = addslashes($pass);
			$loginname = "'" . addslashes($_POST['loginname']) . "'";
		}

		//The username you have specified does not match any user in our system.
		$sql = "SELECT loginname,email,name as usernames FROM users WHERE loginname = '$_POST[loginname]'";
		$results = query($sql,$conn);
		$user = fetch_object($results);
		$email = $user->email;
		$usernames = $user->usernames;
		if(num_rows($results)){
			$sql="UPDATE users SET pass='$pass' WHERE loginname=$loginname";
			$results=query($sql,$conn);
			$msg[0]="Sorry no such user found";
			$msg[1]="New password has been send to your email address.";
			AddSuccess($results,$conn,$msg);
			
			$commentinfo = "Dear $usernames,\n Your password has been changed to: $newpass.\n You can now login here http://www.erainfotechbd.com/test/login.php?member=A and use the system.";
			//send new password to user
			if ((int) $results==1) sendemail($commentinfo,erainfotech,bcc,$email,"Account changed"); 

		}else{ //else warn that user does not exist
			echo "<center><font color=\"#0033CC\"><b>Sorry, the loginname ".$_POST['loginname']." does not exist.</b></font></center>";
		}
}
?>

[dxter]

You are hashing the password that you save in the db which is correct. Make sure that your login script takes that under consideration.

[megha_3000]

This script works when i send the $pass value which is md5($newpass) value. but it is too large.
for this a short length and readable password is more preferable here. and i want to make this.

[traq]

This script works when i send the $pass value which is md5($newpass) value. but it is too large.
for this a short length and readable password is more preferable here. and i want to make this.

longer values are preferable: short values are easier to guess.

In most cases, a user will copy+paste the new password, so there is no need to memorize it anyway.

However, keep reading for some better options.


other comments...

... line 6 ($conn=mysql_connect ...):
# If at all possible, you should avoid using the mysql_* functions. #
Existing code should be updated to avoid performance and security problems.

Warning

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future.
Instead, either the mysqli or PDO_MySQL extension should be used.
See also the MySQL API Overview for further help while choosing a MySQL API.

... lines 12-16 (function make_seed() ...):
a timestamp is very not-random (further, PHP 4.2+ seeds the random number generator automatically - if you're running <4.2, you really need to turn everything OFF until you upgrade). It doesn't make a good seed (certainly not a better seed than rand()'s default method).

You might want to read this regarding random number generation in PHP.

... line 23 (if (!get_magic_quotes_gpc() ...):
if your server has magic quotes enabled, you really need to turn them off.

... line 24 ($pass = addslashes($pass) ...):
same thing - don't use addslashes(). Use the appropriate escape function for your DB instead (mysql_real_escape_string, in your case - though, as I noted above, it would be better to use mysqli or PDO instead).

... lines 31 - 34 ($user = fetch_object($results) ...):
You try to fetch and use several values from your query before checking if the query was successful or not.

... line 35 (UPDATE users SET pass='$pass' ...):
you shouldn't update the user's original password - this allows me to lock a user out of their own account if I know (or can discover) their email address. At best, this is a major inconvenience.

Instead, a password recovery tool should create a "nonce" (number-used-once) token that will allow the user to set a new password if they so desire. Such tokens can also be logged and set to expire after a short time, limiting attack windows.

... line 41 ($commentinfo = "Dear $usernames, ... ):
Passwords (random or not) should never be recorded in plain text. The fact that your script even makes this possible is a serious flaw.

Instead, send the user a link with the token that they can follow to change their password, as described above.

[megha_3000]

Thank you for your suggestions. But when i tried to implement these. something happened i will describe these to you.

- when i use mysqli_connect() function then it gives an error. Then again i used mysql_connect().

- i used mt_srand() function and it works . it wasn't very much clear to me. if you told me not to use function make_seed() or anything else. However i used mt_srand() instead of rand().

- i used mysql_real_escape_string() instead of addslashes().

- and at the case of user email. one can know the email id. but the password is only known by the account holder.But your idea of "nonce" (number-used-once) token is really considerable. however i don't know how to do that. It will be very helpful for me if you give me any clue to do that. And help me.

- i also want to make token that the user can follow to change their password.

[traq]

- when i use mysqli_connect() function then it gives an error. Then again i used mysql_connect().

Switching from mysql to mysqli needs to be done "all at once." The two extensions have many similar functions, in an attempt to make the transition as easy as possible. You should, however, read up on the differences, and then set aside time to do that and only that.

- i used mt_srand() function and it works . it wasn't very much clear to me if you told me not to use function make_seed() or anything else. However i used mt_srand() instead of rand().

My main point there was that rand() does not require a seed since php 4.2. If you're using a more recent version (and I sincerely hope you are), then you don't need to seed the function at all, because it seeds itself automatically.

If you do seed the function, especially with a value based off of a timestamp, then you're probably weakening the randomness rather than strengthening it.

- i used mysql_real_escape_string() instead of addslashes().

good.

- and at the case of user email. one can know the email id. but the password is only known by the account holder.

hopefully.

But your idea of "nonce" (number-used-once) token is really considerable. however i don't know how to do that. It will be very helpful for me if you give me any clue to do that. And help me.

Here's the basic idea:

• User clicks [Forgot Password] link.
• Ask for user's email.
• If the email matches one in your records, start the password recovery process.
  (If it does not, ask the user to confirm it - they may have made a mistake in typing it.)*
  
  • Do not change the user's password.
  • Create a nonce token - for example, something like
    
    $nonce = base64_encode( openssl_random_pseudo_bytes( 128 ).$userEmail.time() );
  • Save the nonce in your database, along with the current time and the user's email address.
  • Send an email to the user with a link for them to click - something like
    
    Hello User,
    <a href="http://example.com/password-reset?nonce=$nonce">Click here</a> if you want to reset your password.
    If you do not, please <a href="http://example.com/password-reset?cancel=1&nonce=$nonce">click here</a> to cancel.
  • If the user clicks the "change password" link...
    
    • Get the nonce from the URL.
    • Check your database to see if there is a matching nonce:
      
      • If there is no match, reject the password reset attempt.
      • If there is a match:
        
        • Check how long ago you created it. Even an hour is plenty of time. If it's been too long, reject the password reset attempt.
        • Ask the user to provide their email address. If it doesn't match the one that they used to request the nonce, reject the password reset attempt.
        • { add your own user verification here as desired }
        • If everything checks out okay, allow the user to set a new password.
      • Whether the reset was successful or not, flag the nonce in your database as "used"
        (do not delete it - it should never be accepted again, no matter what).
  • If the user clicks the "cancel" link...
    
    • Get the nonce from the URL.
    • Check your database to see if there is a matching nonce:
      If there is a match, flag the nonce in your database as "used"
      (do not delete it - it should never be accepted again, no matter what).

*When an email doesn't match any in the database, I prefer not to let on. Some attackers will try to use password recovery tools as a way to find email addresses that are valid on certain sites. If someone confirms an email that is not in your records, I pretend everything is fine, but I don't start password recovery - instead, I send an email to that address saying that the email was not in our records. It may be a legitimate user who forgot which email account they used to sign up, or it may be a new user who is confused about how to register. Either way, this allows us to sort it out without letting the person on the site know that anything is wrong.