user retrieve password from entering email

Anonymous

Guest
How would I go about creating a form for a user to input their password, then PHP/SQL sending the username and password back to them?
 
There are plenty of tutorials for this all over the net.

Try a search for "php mysql forgot your password tutorial"

But basically this is the process:

User enters email address
If found in database -> send mail via mail() containing username and password to email given
If not found -> Give error

Very simple. If the password in the DB is encoded, you will need to reset the password before it is sent out.
 
Very simple. If the password in the DB is encoded, you will need to reset the password before it is sent out.

Make sure that you send only a code to the email that allows the password to be reset. Do not reset the password until the user visits a certain page and enters the correct code; otherwise, people will be able to reset the passwords of other users without permission.
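The code-then-reset flow described in the post above, as an added example that is not part of the original thread. The password_resets table, the one-hour expiry and the in-memory SQLite database are assumptions, and it stores passwords with password_hash() rather than the thread's md5().

```php
<?php
// Added example. user_info(email, password) follows the thread; password_resets is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_info (email TEXT PRIMARY KEY, password TEXT)');
$db->exec('CREATE TABLE password_resets (email TEXT PRIMARY KEY, token_hash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO user_info VALUES (?, ?)')   // constructed sample user
   ->execute(['alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: the user submits an email. Returns the code to mail, or null if the email is unknown.
function requestReset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT 1 FROM user_info WHERE email = ?');
    $stmt->execute([$email]);
    if (!$stmt->fetchColumn()) {
        return null;
    }
    $token = bin2hex(random_bytes(16));               // 128-bit code from the OS CSPRNG
    $db->prepare('REPLACE INTO password_resets VALUES (?, ?, ?)')
       ->execute([$email, hash('sha256', $token), time() + 3600]);
    return $token;                                    // mailed out; only its hash is stored
}

// Step 2: the user opens the reset page, enters the code and chooses a new password.
function completeReset(PDO $db, string $email, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT token_hash, expires FROM password_resets WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;                                 // the stored password is left untouched
    }
    $db->prepare('UPDATE user_info SET password = ? WHERE email = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    $db->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]); // single use
    return true;
}

$code = requestReset($db, 'alice@example.test');
var_dump(completeReset($db, 'alice@example.test', 'wrong-code', 'new-password')); // a wrong code
var_dump(completeReset($db, 'alice@example.test', $code, 'new-password'));        // the mailed code
var_dump(completeReset($db, 'alice@example.test', $code, 'another-password'));    // the same code replayed
```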
 
However, if you are using the more secure way of storing your pass: MD5 hash, then you will have to reset the password instead and send the new one to the user
 
:) in that case the ONLY way is resetting the password to something auto-generated

This would take quite a while to brute-force it ;) hahaha, don't even try! This may take several years with a pretty good password
 
I've my code at what looks kinda right but now I get this?

Warning: mail(): Failed to connect to mailserver at "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini or use ini_set() in C:\Program Files\Apache Group\Apache2\htdocs\user\user_forgot.php on line 32
 
This means your script is working fine, but you have no mail server set up. I'm guessing you're doing this on a home test server.

If you don't want the hassle of setting up an SMTP server, try uploading it somewhere for testing.
 
Cool, I've got it going on another server, just need to sort out the md5 stuff.

Any suggestions?
 
As Alexei said, since your passwords are stored as md5's, you will have to generate a new password for the user entirely. I found this link on google, might be useful: http://www.laughing-buddha.net/jon/php/password/ .
 
I've done the above ^^ How can I get the $password variable from the function into the rest of the page? I keep getting undefined variable errors
 
You can make the variable global, try giving this a read: http://www.zend.com/manual/language.variables.scope.php
 
Cool, cheers, got that going now. Only problem I have now is that it saves the new password as the normal text, not in md5, so I can't log in with the new password

lol whoops, I don't appear to be using md5, I think I'm using PASSWORD()?

This is from my adduser form

"(PASSWORD('" . $_POST['password'] . "')), '"
 
From what I can tell, you are using the sql password() function.

PASSWORD(str)
Calculates a password string from the plaintext password str. This is the function that is used for encrypting MySQL passwords for storage in the Password column of the user grant table:

mysql> SELECT PASSWORD('badpwd');
-> '7f84554057dd964b'

PASSWORD() encryption is non-reversible. PASSWORD() does not perform password encryption in the same way that Unix passwords are encrypted. See ENCRYPT(). Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should NOT use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC-2195 for more information about handling passwords and authentication securely in your application.
 
So should I just switch to md5?
Just change PASSWORD to md5 and it will work?
 
Well, if your system doesn't use md5 to begin with, it would require a bit of code change, as well as having to reset the password of all users, since MySQL's password() function is non-reversible and not compatible with md5(). It looks like it is not recommended to use password(), but instead md5(), so if your community is small, it might be best to have all users reset their passwords, and start storing them as md5() hashes. Just make sure that you make the needed changes in your code if you decide to switch from password() to md5().
 
I've switched over and changed the accounts and all the login stuff seems to work, however I think there's still a problem with the account retrieval

The password it sends out doesn't work

Not sure if I've assigned properly

Code:
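$name = $row['first_name'];
$username = $row['username'];

// Builds a random password of $length characters with no repeated character.
function generatePassword ($length = 8)
{
  // Written to the global scope so the rest of the page can read $password.
  global $password;
  $password = "";

  // Characters the password may contain.
  $possible = "0123456789abcdefghijklmnpqrstuvwxyz";

  $i = 0;

  while ($i < $length) {
    // Pick one random character from $possible.
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);

    // Only accept characters that are not in the password yet.
    if (!strstr($password, $char)) {
      $password .= $char;
      $i++;
    }
  }

  return $password;
}

generatePassword();
echo $password;
// Store the MD5 of the new password, not the plain text.
$setpassword = md5($password);

$sqlstatement = "UPDATE user_info SET password = '$setpassword' WHERE email = '$email'";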
 
Have you checked that what's in the database is really the MD5 of your password? If so, it's your login code.

If not, perhaps the field hasn't been configured for 32 characters (which is default in MD5).

I also noticed you're trying to prevent duplicate characters in the password. Note that your code will freeze if length is specified to be over 36 characters. Also it's less safe, if anyone finds out. The possible amount of passwords will be less.

eg:
10 positions with 10 possible characters (allow duplicates) has 10,000,000,000 possible values.
10 positions with 10 possible characters (disallow duplicates) has 3,628,800 possible values.

Coditor
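The keyspace comparison from the post above, generalized to any alphabet size and length, as an added example that is not part of the original thread. It uses the 35-character $possible string from the posted code; the function names are hypothetical, and random_int() is swapped in for the thread's mt_rand().

```php
<?php
// Added example. $alphabet is the 35-character $possible string from the posted code.
$alphabet = '0123456789abcdefghijklmnpqrstuvwxyz';

// Passwords of $length over $n symbols when repeats are allowed: n^length.
function countWithRepeats(int $n, int $length): float
{
    return pow($n, $length);
}

// Passwords when each symbol may appear once: n * (n-1) * ... * (n-length+1).
// The product reaches 0 when $length > $n, the case in which the no-repeat loop never ends.
function countWithoutRepeats(int $n, int $length): float
{
    $total = 1.0;
    for ($i = 0; $i < $length; $i++) {
        $total *= max($n - $i, 0);
    }
    return $total;
}

// Generator that allows repeats and draws from the CSPRNG; it terminates for any length.
function generatePasswordWithRepeats(string $alphabet, int $length = 8): string
{
    $password = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// First row is the 10-symbol, 10-position case from the post; second is the posted generator.
foreach ([[10, 10], [strlen($alphabet), 8]] as [$symbols, $len]) {
    $with = countWithRepeats($symbols, $len);
    $without = countWithoutRepeats($symbols, $len);
    printf("%d symbols, length %d: %.0f with repeats (%.1f bits), %.0f without (%.1f bits)\n",
        $symbols, $len, $with, log($with, 2), $without, log($without, 2));
}

// A length greater than the alphabet size, which the no-repeat version cannot produce.
echo generatePasswordWithRepeats($alphabet, 40), "\n";
```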
 