best way to handle a lost username/password


webguync


I need to come up with a better way to do this. Currently I have a script which is a form and the user enters their email address, and their password in the database is sent to the email address. Problem is the password is MD5 hashed, so it's hashed when sent to their email. I am sure there is a better way to do this. Also, I am capturing a Security Question and Answer in the initial profile form that the user fills out, so I need to incorporate this as an extra layer of security. Please let me know of the methods for doing this.
Thanks in advance!


Typically, passwords are hashed using a one way encryption. I don't use any "recover" lost passwords. I reset them. You generate a hash string and store it in the database with their user account after verifying their username and email address. Then you send an email to them with that string as a URL parameter. They click the link and it comes back to your site which validates the hash string and allows them to reset the password.
You can use the security question to validate them in the same steps as the username and email combination.
Nate


Yeah, giving you some code to get you started would be difficult because I have no idea what you have already. If you have done something similar for registration, meaning you generate a hash, email it, and validate it on confirmation, then you have the process. Just do it again for this system.


Well, I know I need to do something like this, which is what I use to post the initial info after a passkey link is sent out to the email and allow the membership. But I could use some assistance as to what to change to send out a temp password and then change the password.
<?php

session_start();

include('config.php');

// Passkey from the confirmation link (escaped before it goes into SQL)
$passkey = mysql_real_escape_string($_GET['passkey']);

$tbl_name1 = "Profile_temp";
$tbl_name2 = "Profile";

// Retrieve data from the temp table where the row matches the passkey
$sql1 = "SELECT * FROM $tbl_name1 WHERE confirm_code = '$passkey'";
$result1 = mysql_query($sql1);

// If successfully queried
if ($result1) {

    // Count how many rows have this passkey
    $count = mysql_num_rows($result1);

    // If the passkey is found, retrieve the info from the temporary table
    if ($count == 1) {

        $rows = mysql_fetch_array($result1);
        $FirstName = $rows['FirstName'];
        $LastName  = $rows['LastName'];
        $UserName  = $rows['UserName'];
        $Password  = md5($rows['Password']);
        $Password2 = md5($rows['Password2']);
        $email     = $rows['email'];
        $Zip       = $rows['Zip'];
        $Birthday  = $rows['Birthday'];
        $Security  = $rows['Security'];
        $Security2 = $rows['Security2'];

        // Copy the row from "Profile_temp" into the live "Profile" table
        $sql2 = "INSERT INTO $tbl_name2(`FirstName`,`LastName`,`Username`,`Password`,`Password2`,`email`,`Zip`,`Birthday`,`Security`,`Security2`) VALUES ('$FirstName','$LastName','$UserName','$Password','$Password2','$email','$Zip','$Birthday','$Security','$Security2')";
        $result2 = mysql_query($sql2) or die(mysql_error());

        // Load the newly registered member into the session
        $safeUserName = mysql_real_escape_string($UserName);
        $sql3 = "SELECT * FROM $tbl_name2 WHERE username = '$safeUserName'";
        $result3 = mysql_query($sql3) or die(mysql_error());
        while ($row = mysql_fetch_assoc($result3)) {
            $_SESSION['id']        = $row['id'];
            $_SESSION['FirstName'] = $row['FirstName'];
        }

        if ($result3) {
            // Array elements inside a double-quoted string need braces
            echo "<h3>Welcome {$_SESSION['FirstName']}</h3>";

            // Delete this user's row from "Profile_temp" now that it has been promoted
            $sql4 = "DELETE FROM $tbl_name1 WHERE confirm_code = '$passkey'";
            $result4 = mysql_query($sql4) or die(mysql_error());

            if (isset($_REQUEST['error']) && $_REQUEST['error'] == 1) {
                echo "Sorry, that user name already exists!";
            }
        }
    }
    // If the passkey is not found, display a message
    else {
        echo "<h2>Sorry, your passkey was not found.</h2>";
    }
}

?>


I usually generate a random password by just putting together a random string of characters, or using a substr() of md5(uniqid(rand())) for the new password.  Then just set the password to this new value (obviously the hash of it) and send them the new password in an e-mail.


Not much to it:

// Generate a new 7-character password
$new_password = substr(md5(uniqid(rand())),0,7);
// Get the md5 hash for the database
$new_password_hash = md5($new_password);
// Insert into the db
$statement = "update user set password = '$new_password_hash' where user_id = '$user_id'";
mysql_query($statement);
// E-mail password to user
mail($user_email,"Your password has been reset","Here is your new password: $new_password");

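Putting the two answers above together, here is an added example (written for this page, not code posted by Nate or anyone else in the thread) of the reset-link flow Nate describes: verify the account, mint a one-time token, email only the token, and let the link set a new password. It keeps the user records in a plain PHP array standing in for the database, so it runs offline; the column names, the one-hour lifetime, and the reset.php URL are assumptions to be replaced with your own schema and page.

```php
<?php
// Added example, not from the thread.  A token-based password reset that stores
// only a hash of the token and burns it after one use.  $users is a constructed
// stand-in for the users table; replace the array access with prepared statements.

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed value)

// Constructed sample account; the password column holds a password_hash() value.
$users = [
    'webguync' => [
        'email'            => 'user@example.com',
        'password_hash'    => password_hash('old-secret', PASSWORD_DEFAULT),
        'reset_token_hash' => null,
        'reset_expires'    => null,
    ],
];

// Step 1: after the username + email (and security answer) check passes, create
// a random token.  Only its SHA-256 is stored, so a copy of the table cannot be
// turned into a usable reset link.
function createResetToken(array &$users, string $username, string $email): ?string
{
    if (!isset($users[$username]) || !hash_equals($users[$username]['email'], $email)) {
        return null; // caller shows the same generic message either way
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $users[$username]['reset_token_hash'] = hash('sha256', $token);
    $users[$username]['reset_expires']    = time() + RESET_TOKEN_TTL;
    return $token; // this goes into the emailed URL and nowhere else
}

// Step 2: the link comes back as ?user=...&token=...; check it before showing
// the "choose a new password" form.
function validateResetToken(array $users, string $username, string $token): bool
{
    if (!isset($users[$username]) || $users[$username]['reset_token_hash'] === null) {
        return false;
    }
    $row = $users[$username];
    if (time() > $row['reset_expires']) {
        return false; // expired link
    }
    // Constant-time comparison so timing does not reveal how much of the hash matched
    return hash_equals($row['reset_token_hash'], hash('sha256', $token));
}

// Step 3: store the new password hash and clear the token so the link is single-use.
function completeReset(array &$users, string $username, string $token, string $newPassword): bool
{
    if (!validateResetToken($users, $username, $token)) {
        return false;
    }
    $users[$username]['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_token_hash'] = null;
    $users[$username]['reset_expires']    = null;
    return true;
}

// Demo run against the constructed record
$token = createResetToken($users, 'webguync', 'user@example.com');
$link  = 'https://example.com/reset.php?user=webguync&token=' . $token; // assumed URL; mail() this
echo "Reset link: $link\n";

var_dump(completeReset($users, 'webguync', $token, 'new-secret'));            // first use succeeds
var_dump(completeReset($users, 'webguync', $token, 'another-one'));           // second use fails: token cleared
var_dump(password_verify('new-secret', $users['webguync']['password_hash'])); // new password now verifies
```

Compared with the temp-password snippet above, the difference is that nothing secret is ever written to the mailbox in a reusable form: the token works once, expires, and the password itself is chosen by the user over HTTPS rather than mailed. The same createResetToken() step is where the security question from the original post fits, as one more condition before the token is minted.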
