chuflasky Posted May 10, 2011

Hi, I've been working on a script that, based on the information provided by the user, will send the password. Now the problem that I'm having is that I get the same password sent, even though I enter a different email and user name. If someone can check my code and point out what I'm doing wrong, I'll appreciate it.

    <?php
    if(isset($_POST['submitted'])){
        //connect to the database
        require_once("../mysqli_conn/db_conn.php");
        $errors = array();

        //validate the user name
        if(empty($_POST['username'])){
            $errors[] = "<p class='error'>Please enter your user name.</p>";
        }else{
            $un = mysqli_real_escape_string($dbc, trim($_POST['username']));
        }

        //validate the email
        if(empty($_POST['email'])){
            $errors[] = "<p class='error'>Please enter your email.</p>";
        }else{
            $e = mysqli_real_escape_string($dbc, trim($_POST['email']));
        }

        if(empty($errors)){
            $q =" SELECT member_id FROM members INNER JOIN username ON members.user_id= username.user_id AND members.email = members.email WHERE email= '$e' AND user_name='$un' ";
            $r = mysqli_query($dbc, $q) or die("Error: " . mysqli_error($dbc));
            $num = mysqli_num_rows($r);

            if($num == 1){ //match was made
                //MAKE THE QUERY//
                $q = "SELECT password FROM members INNER JOIN username ON members.user_id = username.user_id WHERE user_name = '$un' AND password = SHA1('password') ";
                $r = mysqli_query($dbc, $q) or die("Error: " . mysqli_error($dbc));

                while($row = mysqli_fetch_array($r, MYSQLI_ASSOC)){
                    $password = $row['password'];
                }

                if($r){ //it ran ok
                    /*
                    // Please specify your Mail Server - Example: mail.yourdomain.com.
                    ini_set("SMTP","outgoing.verizon.net");
                    // Please specify an SMTP Number 25 and 8889 are valid SMTP Ports.
                    ini_set("smtp_port","25");
                    // Please specify the return address to use
                    ini_set('sendmail_from', 'chuflasky@hotmail.com');
                    */
                    $to = $e;
                    $subject ="Don't reply to this message.";
                    $body = "This is a request to a forgotten password from THEEVENTSMASTER.COM. 
    If you think you received this email by mistake, delete it. You current password is ' $password ' . Remember to put your password in a safe place.";

                    // build all headers in one variable so the MIME lines are actually sent
                    $headers = 'MIME-Version: 1.0' . "\r\n";
                    $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
                    $headers .= 'From:theeventsmaster.com'.'<theeventsmaster.com>'. "\r\n";
                    $headers .= "Cc: theevent@theeventsmaster.com"."\r\n";

                    $send_mail = mail($to,$subject,$body, $headers);

                    if($send_mail){
                        $url = "confirm.php";
                        header("Location: $url");
                        exit();
                        /*
                        $today = time;
                        ini_set($now, 'off');
                        $now = date_default_timezone_set($today);
                        */
                    }else{
                        function sendEmail($errors){
                            $errors [] = "<p class='error'> Your password could not be delivered, try again latter.</p>";
                            echo "<div class='error_handler'>";
                            echo "<h2 class='error_2'>Error!</h2>";
                            echo "<p class='error'>The following error(s) ocurred.</p>";
                            foreach($errors as $mgs){
                                echo "$mgs";
                            }//end of for each
                            echo "</div>";
                        }//end of sendEmail
                    }//end of send message
                }// end of $r
            }else{
                function errorReport($errors){
                    $errors [] ="<p class='error'> The user name and email could not be verify.</p><br/><h2 class='error_2'>Plase try again.</h2>";
                    echo "<div class='error_handler'>";
                    echo "<h2 class='error_2'>Error!</h2>";
                    echo "<p class='error'>The following error(s) ocurred.</p>";
                    foreach($errors as $mgs){
                        echo "$mgs";
                    }//end of for each
                    echo "</div>";
                } //end of error_report
            }
        }else{
            function error_report1($errors){
                echo "<div class='error_handler'>";
                echo "<h2 class='error_2'>Error!</h2>";
                echo "<p class='error'>The following error(s) ocurred.</p>";
                foreach ($errors as $mgs){
                    echo " $mgs ";
                }
                echo "</div>";
            } //end of error_report1
        }//end of empty errors
    }//end if submitted
    ?>

Jonathon Posted May 10, 2011

What password is it returning? (I'm not sure you can do what you're trying to do here due to the hash.)

HartleySan Posted May 11, 2011

You're making the following query:

    $q = "SELECT password FROM members INNER JOIN username ON members.user_id = username.user_id WHERE user_name = '$un' AND password = SHA1('password') ";

Basically, you're telling MySQL to make a hash for the string "password"; as in, not the user's password, but always the string "password". That is why it's always the same, as far as I can tell.

chuflasky Posted May 11, 2011

Thanks Jonathon and HartleySan for your quick reply. I'm getting the password from one of the registered users. And for that particular user, the password is right, but that same password is sent to other users even though their stored password is different. I'm guessing for some reason the SQL query is selecting the same password.

Thanks HartleySan. So how can I select a particular password for a particular user? I thought that by using the clause 'WHERE user_name = '$un' AND password = SHA1('password') ', the query would select the password for that particular user. If I'm wrong, correct me. Once again, thanks guys.

HartleySan Posted May 11, 2011

I would review Larry's discussion of handling passwords in the book, but when a user first registers and sets their password, you should be using a hash function (such as SHA-1) to make it indecipherable before putting it in the database. At that point though, you have no way of ever getting the original password again, and you can only verify whether passwords are the same by comparing their SHA-1 values.

With that said, if a user forgets their password, you pretty much need to send them a new (random) password, which they can use to log in, and then change the password as they see fit.

Anyway, I think the biggest thing you need to consider right now is the implementation. I would recommend re-reading the relevant sections in the book, as Larry pretty much does it all for you.

Edit: As for comparing an entered password with a password in a database, you'd have to do something like the following:

    // escape the submitted value before placing it in the SQL string
    $password = mysqli_real_escape_string($dbc, $_POST['password']);
    $q = "SELECT password FROM ... WHERE password=SHA1('$password')";

chuflasky Posted May 11, 2011

Thanks guys for your response. I did what you told me, HartleySan. I created a random password; the new randomly generated password updates the existing password and is sent to the user. Now the new random password is not an easy password to remember, so I recommend the user change the new password to something more appropriate. Thanks.

HartleySan Posted May 11, 2011

Good, good. Glad it all worked out. And really, I think that is the best method.

Antonio Conte Posted May 13, 2011

Saw a large discussion about encryption of passwords some time ago. What you should do is use a random string, and combine it with the password of the user. You then use SHA1 on this new string, and send it to the database. What's important is that the same string is used when the user tries to log in. It's just a better way as it makes it harder to use rainbow tables and such.

The discussion was very interesting as the debates included math (waaay over my head) on the matter. They concluded that if you included a string into the password itself, it was impossible to be 100% sure of the original password. You would have to know the included string as well. The best method is apparently to create a RANDOM string for each user into the password, and save this hash to a table. If you split the password at, let's say, 3 characters, and use the hash in the middle, it would be almost impossible to KNOW the user's password EVEN if you found a match with SHA1 or MD5.

NOTE: This is for the matter of discussion. Do not use this on a live project.

    // must have at least 6 digits. Should include some checks.......
    private function createHash($originalPassword) {
        $hash = "TheCoolHash123@."; // hash used in password
        $begin = substr($originalPassword, 0, 3); // first 3 chars
        $end = substr($originalPassword, 3, 20); // from the 4th char on, up to 20 chars
        $password = sha1($begin . $hash . $end); // concatenate the parts before hashing
        return $password;
    }

The reason why something like this works is that you only compare the SHA1'd user's password with the SHA1'd one in the database. No one should ever know what the password ever is. I'm no wiz on this matter, so correct me if I'm wrong. The discussion was very interesting though.

HartleySan Posted May 13, 2011

Antonio, I think you hit the nail right on the head. No one should ever be able to view user passwords, yes.
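
The reset-by-new-random-password approach HartleySan describes and the per-user random string Antonio Conte describes, combined in one added example that is not code from any poster in the thread. It swaps in PHP's password_hash() and password_verify(), which generate and store a random salt per user, for the SHA1 calls discussed above, and uses PDO prepared statements against an in-memory SQLite table instead of mysqli; the single-table schema, the function names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: password reset with a random temporary password and a salted hash.
// The single-table schema and the sample rows are constructed for illustration.
function makeTempPassword(int $length = 12): string {
    // Alphabet without look-alike characters; random_int() uses the OS CSPRNG.
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Returns the new plaintext password to mail to the user, or null when the
// user name / email pair matches no account. Only the hash is stored.
function resetPassword(PDO $db, string $userName, string $email): ?string {
    $find = $db->prepare('SELECT member_id FROM members WHERE user_name = ? AND email = ?');
    $find->execute([$userName, $email]);
    $memberId = $find->fetchColumn();
    if ($memberId === false) {
        return null;
    }
    $temp = makeTempPassword();
    // password_hash() creates a fresh random salt per call and embeds it in its output.
    $save = $db->prepare('UPDATE members SET password = ? WHERE member_id = ?');
    $save->execute([password_hash($temp, PASSWORD_DEFAULT), $memberId]);
    return $temp;
}

function checkLogin(PDO $db, string $userName, string $entered): bool {
    $get = $db->prepare('SELECT password FROM members WHERE user_name = ?');
    $get->execute([$userName]);
    $stored = $get->fetchColumn();
    return $stored !== false && password_verify($entered, $stored);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY, user_name TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO members (user_name, email, password) VALUES ('alice', 'alice@example.com', 'x'), ('bob', 'bob@example.com', 'x')");

$a = resetPassword($db, 'alice', 'alice@example.com');
$b = resetPassword($db, 'bob', 'bob@example.com');
var_dump($a !== $b);                    // compares the two users' new passwords
var_dump(checkLogin($db, 'alice', $a)); // alice logging in with her mailed password
var_dump(checkLogin($db, 'alice', $b)); // alice logging in with bob's password
var_dump(resetPassword($db, 'alice', 'bob@example.com')); // user name and email from different accounts
```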