Larry Ullman's Book Forums

Hi, I've been working on a script that, based on the information provided by the user, will send them their password. Now the problem I'm having is that I get the same password sent, even though I enter a different email and user name.

If someone can check my code and point out what I'm doing wrong, I'd appreciate it.

```php
<?php
// Prints the collected errors inside the error_handler div.
function show_errors($errors) {
    echo "<div class='error_handler'>";
    echo "<h2 class='error_2'>Error!</h2>";
    echo "<p class='error'>The following error(s) occurred.</p>";
    foreach ($errors as $msg) {
        echo $msg;
    }
    echo "</div>";
}

if (isset($_POST['submitted'])) {

    // Connect to the database.
    require_once("../mysqli_conn/db_conn.php");
    $errors = array();

    // Validate the user name.
    if (empty($_POST['username'])) {
        $errors[] = "<p class='error'>Please enter your user name.</p>";
    } else {
        $un = mysqli_real_escape_string($dbc, trim($_POST['username']));
    }

    // Validate the email.
    if (empty($_POST['email'])) {
        $errors[] = "<p class='error'>Please enter your email.</p>";
    } else {
        $e = mysqli_real_escape_string($dbc, trim($_POST['email']));
    }

    if (empty($errors)) {

        // Is there exactly one member with this user name and email?
        $q = "SELECT member_id FROM members INNER JOIN username ON members.user_id = username.user_id WHERE email = '$e' AND user_name = '$un'";
        $r = mysqli_query($dbc, $q) or die("Error: " . mysqli_error($dbc));
        $num = mysqli_num_rows($r);

        if ($num == 1) { // Match was made.

            // Fetch the stored password. Note that SHA1('password') hashes the
            // literal string "password", not the value belonging to this user.
            $q = "SELECT password FROM members INNER JOIN username ON members.user_id = username.user_id WHERE user_name = '$un' AND password = SHA1('password')";
            $r = mysqli_query($dbc, $q) or die("Error: " . mysqli_error($dbc));

            $password = '';
            while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {
                $password = $row['password'];
            }

            /*
            // Please specify your Mail Server - Example: mail.yourdomain.com.
            ini_set("SMTP", "outgoing.verizon.net");

            // Please specify an SMTP Number 25 and 8889 are valid SMTP Ports.
            ini_set("smtp_port", "25");

            // Please specify the return address to use
            ini_set('sendmail_from', 'chuflasky@hotmail.com');
            */

            $to = $e;
            $subject = "Don't reply to this message.";
            $body = "This is a request to a forgotten password from THEEVENTSMASTER.COM. If you think you received this email
            by mistake, delete it. Your current password is ' $password ' . Remember to put your password in a safe place.";
            // Build all headers in the one $headers variable that is passed to mail().
            $headers  = 'MIME-Version: 1.0' . "\r\n";
            $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            $headers .= 'From: theeventsmaster.com <theeventsmaster.com>' . "\r\n";
            $headers .= "Cc: theevent@theeventsmaster.com\r\n";

            $send_mail = mail($to, $subject, $body, $headers);

            if ($send_mail) {
                $url = "confirm.php";
                header("Location: $url");
                exit();
            } else {
                $errors[] = "<p class='error'>Your password could not be delivered, try again later.</p>";
                show_errors($errors);
            }

        } else { // No single match for that user name and email.
            $errors[] = "<p class='error'>The user name and email could not be verified.</p><br/><h2 class='error_2'>Please try again.</h2>";
            show_errors($errors);
        }

    } else { // Validation errors.
        show_errors($errors);
    }

} // End of submitted.
?>
```


You're making the following query:

```php
$q = "SELECT password FROM members INNER JOIN username ON members.user_id = username.user_id WHERE user_name = '$un' AND password = SHA1('password')  ";
```

Basically, you're telling MySQL to make a hash for the string "password"; as in, not the user's password, but always the string "password". That is why it's always the same, as far as I can tell.


Thanks jonathon and HartleySan for your quick reply.

I'm getting the password from one of the registered users. And for that particular user, the password is right, but that same password is sent to other users even though their stored password is different. I'm guessing that for some reason the SQL query is selecting the same password.

Thanks HartleySan. So how can I select a particular password for a particular user? I thought that by using the clause 'WHERE user_name = '$un' AND password = SHA1('password')', the query would select the password for that particular user. If I'm wrong, correct me.

Once again, thanks guys.


I would review Larry's discussion of handling passwords in the book, but when a user first registers and sets their password, you should be using a hash function (such as SHA-1) to make it indecipherable before putting it in the database. At that point though, you have no way of ever getting the original password again, and you can only verify whether passwords are the same by comparing their SHA-1 values.

With that said, if a user forgets their password, you pretty much need to send them a new (random) password, which they can use to log in, and then change the password as they see fit.

Anyway, I think the biggest thing you need to consider right now is the implementation. I would recommend re-reading the relevant sections in the book, as Larry pretty much does it all for you.

Edit: As for comparing an entered password with a password in a database, you'd have to do something like the following:

```php
// Escape the submitted value before placing it in the query.
$password = mysqli_real_escape_string($dbc, $_POST['password']);

// Hash what the user typed, not the literal word "password".
$q = "SELECT password FROM ... WHERE password=SHA1('$password')";
```


Thanks guys for your response.

I did what you told me, HartleySan. I created a random password; the newly generated random password replaces the existing password and is sent to the user. Now, the new random password is not an easy password to remember, so I recommend that the user change the new password to something more appropriate. Thanks.


Saw a large discussion about encryption of passwords some time ago. What you should do is use a random string and combine it with the password of the user. You then use SHA1 on this new string and send it to the database. What's important is that the same string is used when the user tries to log in. It's just a better way, as it makes it harder to use rainbow tables and such.

The discussion was very interesting, as the debates included math (waaay over my head) on the matter. They concluded that if you included a string in the password itself, it was impossible to be 100% sure of the original password. You would have to know the included string as well. The best method is apparently to create a RANDOM string for each user into the password, and save this hash to a table. If you split the password at, let's say, 3 characters, and use the hash in the middle, it would be almost impossible to KNOW the user's password EVEN if you found a match with SHA1 or MD5.

NOTE: This is for the matter of discussion. Do not use this on a live project.

```php
// Must have at least 6 digits. Should include some checks.......
function createHash($originalPassword) {
    $hash  = "TheCoolHash123@.";                 // string mixed into the password
    $begin = substr($originalPassword, 0, 3);   // first three characters
    $end   = substr($originalPassword, 3);      // everything from the 4th character on
    $password = sha1($begin . $hash . $end);    // concatenate the three parts, then hash
    return $password;
}
```

The reason why something like this works is that you only compare the SHA1'd user password with the SHA1'd one in the database. No one should ever know what the password is.

I'm no wiz on this matter, so correct me if I'm wrong. The discussion was very interesting though. :)

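Pulling together HartleySan's advice above (hash at registration, no way back to the plaintext, issue a fresh random password on reset) and the per-user random string idea in this last post, here is an added example that is not code from the thread or from the book; it assumes PHP 7 or later and uses an in-memory array in place of the members table.

```php
<?php
// Added example: registration, login and "forgot password" handled
// without ever storing or emailing a recoverable password.
// $users stands in for the members table (constructed data).
$users = array();

// Register: store only a per-user random salt and the hash of salt + password.
function register(array &$users, $name, $password) {
    $salt = bin2hex(random_bytes(16));          // unique for every user
    $users[$name] = array(
        'salt' => $salt,
        'hash' => hash('sha256', $salt . $password),
    );
}

// Login: recompute with the stored salt and compare in constant time.
function login(array $users, $name, $password) {
    if (!isset($users[$name])) {
        return false;
    }
    $u = $users[$name];
    return hash_equals($u['hash'], hash('sha256', $u['salt'] . $password));
}

// Forgot password: the old password cannot be recovered from the hash,
// so issue a fresh random one, store its hash, and return the plaintext
// once so the caller can email it. The user should change it after login.
function reset_password(array &$users, $name) {
    if (!isset($users[$name])) {
        return null;                            // same response whether or not the name exists
    }
    $temp = bin2hex(random_bytes(8));           // 16-character random password
    register($users, $name, $temp);             // overwrites the old salt and hash
    return $temp;
}

// Demonstration with constructed accounts.
register($users, 'alice', 'correct horse');
register($users, 'bob', 'correct horse');       // same password, different stored hash
var_dump($users['alice']['hash'] !== $users['bob']['hash']);
var_dump(login($users, 'alice', 'correct horse'));
var_dump(login($users, 'alice', 'wrong'));
$temp = reset_password($users, 'bob');
var_dump(login($users, 'bob', 'correct horse'));
var_dump(login($users, 'bob', $temp));
```

On PHP 5.5 and later, password_hash() and password_verify() generate and store the per-user salt for you and use a deliberately slow algorithm, so prefer them over a bare SHA-1 or SHA-256 of salt plus password.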