Thread: Forgot Password script problem

  1. #1

    Forgot Password script problem

    Hello everybody

    I have a problem with the script, i.e. when I use this PHP script, the mail it sends to the sender contains the randomly generated
    password (called $newpass here), but that password doesn't give the user access to log in to the account.
    What is the problem? How can I resolve this?

    Thanking You
    Megha

    The script is :

    Code:
    <?php
    error_reporting(E_ALL & ~E_NOTICE);
    session_start();
    include_once('includes/queryfunctions.php');
    include_once('includes/functions.php');
    $conn=mysql_connect(HOST . ":" . PORT , USER, PASS);
    if (!$conn) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db(DB);

    function make_seed()
    {
        list($usec, $sec) = explode(' ', microtime());
        return (float) $sec + ((float) $usec * 100000);
    }

    if (isset($_POST["submit"]) && $_POST["submit"]=="Send Password"){
        srand(make_seed());
        $newpass = rand();
        $pass = md5($newpass);
        $loginname = "'" . $_POST[loginname] . "'";
        if (!get_magic_quotes_gpc()) {
            $pass = addslashes($pass);
            $loginname = "'" . addslashes($_POST['loginname']) . "'";
        }

        //The username you have specified does not match any user in our system.
        $sql = "SELECT loginname,email,name as usernames FROM users WHERE loginname = '$_POST[loginname]'";
        $results = query($sql,$conn);
        $user = fetch_object($results);
        $email = $user->email;
        $usernames = $user->usernames;
        if(num_rows($results)){
            $sql="UPDATE users SET pass='$pass' WHERE loginname=$loginname";
            $results=query($sql,$conn);
            $msg[0]="Sorry no such user found";
            $msg[1]="New password has been send to your email address.";
            AddSuccess($results,$conn,$msg);

            $commentinfo = "Dear $usernames,\n Your password has been changed to: $newpass.\n You can now login here http://www.erainfotechbd.com/test/login.php?member=A and use the system.";
            //send new password to user
            if ((int) $results==1) sendemail($commentinfo,erainfotech,bcc,$email,"Account changed");

        }else{ //else warn that user does not exist
            echo "<center><font color=\"#0033CC\"><b>Sorry, the loginname ".$_POST['loginname']." does not exist.</b></font></center>";
        }
    }
    ?>
    Last edited by james438; 04-18-2013 at 06:23 AM. Reason: format

  2. #2

    You are hashing the password that you save in the db which is correct. Make sure that your login script takes that under consideration.

  3. #3

    This script works when I send the $pass value, which is the md5($newpass) value, but it is too large.
    For this, a short and readable password is more preferable here, and I want to make this.

  4. #4

    Quote Originally Posted by megha_3000
    This script works when I send the $pass value, which is the md5($newpass) value, but it is too large.
    For this, a short and readable password is more preferable here, and I want to make this.

    Longer values are preferable: short values are easier to guess.

    In most cases, a user will copy+paste the new password, so there is no need to memorize it anyway.

    However, keep reading for some better options.


    Other comments...

    ... line 6 ($conn=mysql_connect ...):
    If at all possible, you should avoid using the mysql_* functions.
    Existing code should be updated to avoid performance and security problems.
    Quote Originally Posted by php.net (official PHP website)
    Warning
    This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future.
    Instead, either the mysqli or PDO_MySQL extension should be used.
    See also the MySQL API Overview for further help while choosing a MySQL API.

    ... lines 12-16 (function make_seed() ...):
    A timestamp is very not-random (further, PHP 4.2+ seeds the random number generator automatically - if you're running < 4.2, you really need to turn everything OFF until you upgrade). It doesn't make a good seed (certainly not a better seed than rand()'s default method).

    You might want to read this regarding random number generation in PHP.

    ... line 23 (if (!get_magic_quotes_gpc() ...):
    If your server has magic quotes enabled, you really need to turn them off.

    ... line 24 ($pass = addslashes($pass) ...):
    Same thing - don't use addslashes(). Use the appropriate escape function for your DB instead (mysql_real_escape_string, in your case - though, as I noted above, it would be better to use mysqli or PDO instead).

    ... lines 31-34 ($user = fetch_object($results) ...):
    You try to fetch and use several values from your query before checking whether the query was successful or not.

    ... line 35 (UPDATE users SET pass='$pass' ...):
    You shouldn't update the user's original password - this allows me to lock a user out of their own account if I know (or can discover) their email address. At best, this is a major inconvenience.

    Instead, a password recovery tool should create a "nonce" (number-used-once) token that will allow the user to set a new password if they so desire. Such tokens can also be logged and set to expire after a short time, limiting attack windows.

    ... line 41 ($commentinfo = "Dear $usernames, ... ):
    Passwords (random or not) should never be recorded in plain text. The fact that your script even makes this possible is a serious flaw.

    Instead, send the user a link with the token that they can follow to change their password, as described above.

  5. #5

    Thank you for your suggestions. But when I tried to implement these, something happened; I will describe it to you.

    - When I use the mysqli_connect() function, it gives an error. So I went back to using mysql_connect().

    - I used the mt_srand() function and it works. It wasn't very clear to me whether you told me not to use the function make_seed() or anything else. However, I used mt_srand() instead of rand().

    - I used mysql_real_escape_string() instead of addslashes().

    - And in the case of the user's email: one can know the email id, but the password is only known by the account holder. But your idea of a "nonce" (number-used-once) token is really worth considering; however, I don't know how to do that. It would be very helpful for me if you could give me any clue on how to do that, and help me.

    - I also want to make a token that the user can follow to change their password.
    Last edited by megha_3000; 05-14-2013 at 11:25 AM.

  6. #6

    Quote Originally Posted by megha_3000 View Post
    - When I use the mysqli_connect() function, it gives an error. So I went back to using mysql_connect().

    Switching from mysql to mysqli needs to be done "all at once." The two extensions have many similar functions, in an attempt to make the transition as easy as possible. You should, however, read up on the differences, and then set aside time to do that and only that.

    Quote Originally Posted by megha_3000 View Post
    - I used the mt_srand() function and it works. It wasn't very clear to me whether you told me not to use the function make_seed() or anything else. However, I used mt_srand() instead of rand().

    My main point there was that rand() does not require a seed since PHP 4.2. If you're using a more recent version (and I sincerely hope you are), then you don't need to seed the function at all, because it seeds itself automatically.

    If you do seed the function, especially with a value based off of a timestamp, then you're probably weakening the randomness rather than strengthening it.

    Quote Originally Posted by megha_3000 View Post
    - I used mysql_real_escape_string() instead of addslashes().

    Good.

    Quote Originally Posted by megha_3000 View Post
    - And in the case of the user's email: one can know the email id, but the password is only known by the account holder.

    Hopefully.

    Quote Originally Posted by megha_3000 View Post
    But your idea of a "nonce" (number-used-once) token is really worth considering; however, I don't know how to do that. It would be very helpful for me if you could give me any clue on how to do that, and help me.

    Here's the basic idea:

    • User clicks [Forgot Password] link.
    • Ask for user's email.
    • If the email matches one in your records, start the password recovery process.
      (If it does not, ask the user to confirm it - they may have made a mistake in typing it.)*
      • Do not change the user's password.
      • Create a nonce token - for example, something like
        $nonce = base64_encode( openssl_random_pseudo_bytes( 128 ).$userEmail.time() );
      • Save the nonce in your database, along with the current time and the user's email address.
      • Send an email to the user with a link for them to click - something like
        Hello User,
        <a href="http://example.com/password-reset?nonce=$nonce">Click here</a> if you want to reset your password.
        If you do not, please <a href="http://example.com/password-reset?cancel=1&nonce=$nonce">click here</a> to cancel.
      • If the user clicks the "change password" link...
        • Get the nonce from the URL.
        • Check your database to see if there is a matching nonce:
          • If there is no match, reject the password reset attempt.
          • If there is a match:
            • Check how long ago you created it. Even an hour is plenty of time. If it's been too long, reject the password reset attempt.
            • Ask the user to provide their email address. If it doesn't match the one that they used to request the nonce, reject the password reset attempt.
            • { add your own user verification here as desired }
            • If everything checks out okay, allow the user to set a new password.
          • Whether the reset was successful or not, flag the nonce in your database as "used"
            (do not delete it - it should never be accepted again, no matter what).
      • If the user clicks the "cancel" link...
        • Get the nonce from the URL.
        • Check your database to see if there is a matching nonce:
          If there is a match, flag the nonce in your database as "used"
          (do not delete it - it should never be accepted again, no matter what).


    *When an email doesn't match any in the database, I prefer not to let on. Some attackers will try to use password recovery tools as a way to find email addresses that are valid on certain sites. If someone confirms an email that is not in your records, I pretend everything is fine, but I don't start password recovery - instead, I send an email to that address saying that the email was not in our records. It may be a legitimate user who forgot which email account they used to sign up, or it may be a new user who is confused about how to register. Either way, this allows us to sort it out without letting the person on the site know that anything is wrong.
    Last edited by traq; 05-15-2013 at 02:01 AM.
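The nonce flow sketched in the post above, written out as an added example (not code from the thread or from the original script). It assumes PHP 7+ (random_bytes, hash_equals, password_hash), an open PDO connection in $pdo, and a hypothetical table password_resets(token_hash, email, created_at, used); only a hash of the token is stored, so a leaked table row cannot be used as a reset link.

```php
<?php
// Added example: nonce-based password reset with PDO prepared statements.
// Assumed schema (hypothetical):
//   password_resets(token_hash CHAR(64), email VARCHAR(255), created_at INT, used TINYINT)
//   users(email VARCHAR(255), pass VARCHAR(255))

const RESET_TTL = 3600; // one hour, as the post suggests

// Step "create a nonce token": 256 bits from the OS CSPRNG, stored only as a hash.
function createResetToken(PDO $pdo, string $email): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (token_hash, email, created_at, used) VALUES (?, ?, ?, 0)');
    $stmt->execute([hash('sha256', $token), $email, time()]);
    return $token; // goes into the emailed link; never written to the database in clear
}

// Step "user clicks the change-password link": returns true only when the nonce is
// known, unused, fresh, and bound to the email the user re-enters. Whether or not it
// succeeds, a matching nonce is flagged as used (never deleted), as the post requires.
function consumeResetToken(PDO $pdo, string $token, string $email): bool {
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT email, created_at, used FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                   // no match: reject
    }
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?')->execute([$hash]);
    if ((int) $row['used'] === 1) {
        return false;                                   // replay of an already-used link
    }
    if (time() - (int) $row['created_at'] > RESET_TTL) {
        return false;                                   // expired
    }
    return hash_equals($row['email'], $email);          // constant-time comparison
}

// Step "user clicks the cancel link": flag the nonce as used without checking anything else.
function cancelResetToken(PDO $pdo, string $token): void {
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?')
        ->execute([hash('sha256', $token)]);
}

// Only after consumeResetToken() returned true: store the user's chosen password hashed.
function setNewPassword(PDO $pdo, string $email, string $newPassword): void {
    $stmt = $pdo->prepare('UPDATE users SET pass = ? WHERE email = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
}
```

On PHP 5.x, random_bytes() can be replaced by the openssl_random_pseudo_bytes() call shown in the post; the rest of the flow is unchanged.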
