Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 7 of 7
  1. #1
    New to the CF scene
    Join Date
    May 2013
    Posts
    7
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Successfully changed the password but can not login

    For months I was stuck in this problem. I do not know what to do. I had tried all ways but still failed.

    I have managed to change the password via the Forgot Password page. I use md5 to encrypt the password that stored into the database when change password and then unencrypted password sent to my email. But when I try to login, it says that the changed password was wrong. I use md5 to encrypt the password that stored into the database when someone request password reset and the unencrypted password sent to requester email.

    Please someone give me a solution..

    The code

    PHP Code:
    <?php
    require("includes/inc.php");

    $_SESSION['referral'] = $_GET['ref']; 
      if (
    $_SESSION['username'] != null) {
        
    //Redirect the user to the member area
        
    header('Location: member.php');
        exit();
      } else {
        
    //Check if the user is trying to login
        
    if ($_GET['do'] == "login") {
          
    //If they are, process the details they have provided. Else, continue with showing the form
          
    $username trim(sanitize($_POST['username']));
          
    $password trim(sanitize($_POST['password']));
          
    //Check if the username and password are empty
          
    if (($username == null) || ($password == null)){
            
    header('Location: login.php?error=details_wrong');
            exit();
          } else {
            
    $query_accounts mysql_query("SELECT * FROM users WHERE username = '$username' LIMIT 1");
            
    $query_count mysql_num_rows($query_accounts);
            if (
    $query_count == 0){ // User not found
              
    header('Location: login.php?error=details_wrong');
              exit();
            } else {
                while(
    $accounts mysql_fetch_array($query_accounts)) {
                if (
    $accounts['active'] == 0) { //Check if account is active
                    
    header('Location: login.php?error=activate');
                    exit();
                } else {
                    
    $reason $accounts['reason'];
                    if (
    $accounts['banned'] == 1) {
                    
    header('Location: login.php?error=banned');    
                    exit();
                } else {
                     if (
    $accounts['password'] == password($password)){ // Check if the password matches the user's password
                        
    $_SESSION['username'] = $username// The password is correct, start a session for the user
                        
    header('Location: member.php');
                        exit();
                    } else {
                    
    header('Location: login.php?error=details_wrong'); // Incorrect password
                    
    exit();
                }
              }
            }
          }
        }
      }
    } else {
    ?>

  • #2
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,044
    Thanks
    2
    Thanked 316 Times in 308 Posts
    If the login code you posted worked before you changed the password, there's nothing wrong with the login code.

    The problem is in the Forgot Password page. It is either not generating the hash and storing it into the table correctly or it is sending the wrong plain-text password in the email.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #3
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,327
    Thanks
    60
    Thanked 525 Times in 512 Posts
    Blog Entries
    4
    As above.

    Additionally, I notice you're using a password called password() to compare the stored password against the users inputted password.

    Are you sure that is doing the same as your password reset page when it updates the password?

    Also you mention decrypting the password and emailing it to the user. This is a disgraceful idea because if your server is hacked, the hacker will have access to your decryption code and thus they will be able to steal your user passwords.

    Always one-way encrypt them (using md5() or sha1()) and then simply compare the hashes instead. If you don't and someone gets their password by email its then very obvious that you are storing passwords and that will make you a target.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #4
    New to the CF scene
    Join Date
    May 2013
    Posts
    7
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    If the login code you posted worked before you changed the password, there's nothing wrong with the login code.

    The problem is in the Forgot Password page. It is either not generating the hash and storing it into the table correctly or it is sending the wrong plain-text password in the email.
    Here's the forgot password script
    PHP Code:
    <?php
    require("includes/inc.php");
      if (
    $_SESSION['username'] != null){
        
    //Redirect the user to the member area
        
    header('Location: member.php');
        exit();
      }
        if (
    $_GET['do'] == "reset") {
          
    //If they are, process the details they have provided. Else, continue with showing the form
          
    $username trim(sanitize($_POST['username']));
          
    $email trim(sanitize($_POST['email']));
          
    $email_test eregi("^([A-Za-z0-9_-]+)(\.[A-Za-z0-9_-]+)*@([A-Za-z0-9_-]\.)*([A-Za-z0-9_-]+)\.[A-Za-z]{2,}$"$email);
          
    //Check if the username and password are empty
          
    if (($username == null) || ($email == null)) {
            
    header('Location: forgotpass.php?error=field');
            exit();
          } else {
            
    $query_accounts mysql_query("SELECT * FROM users WHERE username = '$username' LIMIT 1");
            
    $query_count mysql_num_rows($query_accounts);
            if (
    $query_count == 0) { 
              
    header('Location: forgotpass.php?error=username');
              exit();
            } else {
                while(
    $cemail mysql_fetch_array($query_accounts)) {
                    if (
    $cemail['email'] != $email) {
                        
    header('Location: forgotpass.php?error=email');
                        exit();    
            } else {
    function 
    makeRandomPassword() {
    $salt "abchefghjkmnpqrstuvwxyz0123456789";
    srand((double)microtime()*1000000);
    $i 0;
    while (
    $i <= 7) {
    $num rand() % 33;
    $tmp substr($salt$num1);
    $pass $pass $tmp;
    $i++;
    }
    return 
    $pass;
    }
    $random_password makeRandomPassword();
    $db_password md5($random_password);

    $sql mysql_query("UPDATE users SET password='$db_password' WHERE username='$username'") or die(mysql_error());
                
    $to $email;
                
    $subject "Password Reset";
                
    $body "Hello $username,\r\n\r\nYou have requested your password to be reseted you can login with your new password below.\r\nNew Password: $random_password ";
                    
    mail($to$subject$body);
                
    header('Location: login.php?success=pass_sent');
                exit();
              }
            }
        }
    }
    } else {

    ?>
    <!DOCTYPE HTML>
    <html>
    <head>
    <title>Reset Password - FileFaith.com</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link href="css/bootstrap/css/bootstrap.css" rel="stylesheet">
    <?php include "header.php"?>
    </head>
    <body>

    <div class="container">
        <?php
          
    //Messages
          
    if ($_GET['error'] == "username"){ echo "<div class='alert alert-error'>The username you provided could not be found.</div>"; }
          elseif (
    $_GET['error'] == "email"){ echo "<div class='alert alert-error'>The email you provided could not be found.</div>"; }
          elseif (
    $_GET['error'] == "field"){ echo "<div class='alert alert-error'>Please fill in all the fields.</div>"; }
        
    ?>
          
        <form class="form-horizontal" id="reset" method='post' action='?do=reset'>
          <fieldset>
            <legend>Password Reset</legend><br />
        <h5>You can reset your password by entering your username and email you registered with below.</h5><br />
            <div class="control-group">
              <label class="control-label" for="input01">Username</label>
              <div class="controls">
                <input type="text" class="input" id="username" name="username">
                
              </div>
        </div>
        
         <div class="control-group">
            <label class="control-label" for="input01">Email</label>
              <div class="controls">
                <input type="text" class="input" id="email" name="email">
              </div>
        </div>
        <div class="control-group">
            <label class="control-label" for="input01"></label>
              <div class="controls">
               <button type="submit" class="btn btn-primary">Reset</button>
               
              </div>
        </div>
    <?php 
        
    }
    include 
    "footer.php"
    ?>
    </div>

    </body>
    </html>
    People says this script has SQL injection vulnerabilities.

  • #5
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,327
    Thanks
    60
    Thanked 525 Times in 512 Posts
    Blog Entries
    4
    Quote Originally Posted by XiangLong View Post
    PHP Code:
                     if ($accounts['password'] == password($password)){ // Check if the password matches the user's password 
    What is the code in your password() function? - We need to know.

    It's all well and good showing us that you're running through md5 in your reset page but if your password function doesn't do exactly the same then you're in a fix - a fix we can't help you out of if you don't give us a chance!

    BTW, while md5 is still useful for file hashes, for passwords its not great as it was broken a few years back and can be cracked. You'd be better off using sha1 instead.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #6
    New to the CF scene
    Join Date
    May 2013
    Posts
    7
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by tangoforce View Post
    What is the code in your password() function? - We need to know.

    It's all well and good showing us that you're running through md5 in your reset page but if your password function doesn't do exactly the same then you're in a fix - a fix we can't help you out of if you don't give us a chance!

    BTW, while md5 is still useful for file hashes, for passwords its not great as it was broken a few years back and can be cracked. You'd be better off using sha1 instead.
    I'm sorry, you mean my function script? If so, here's the code
    PHP Code:
    <?php
      
    // Function to sanitize data wrapped in sanitize() -> Prevent SQLi attacks
      
    function sanitize($data) {
        if(
    is_array($data)) {
          foreach(
    $data as $key => $contents) {
          
    $data[$key] = sanitize($contents);
        }
        return 
    $data;
        } else {
          
    $data trim($data);
          if(
    get_magic_quotes_gpc()) {
          
    $data stripslashes($data);
        }
        
    $data mysql_real_escape_string(htmlspecialchars($data));
        return 
    $data;
        }
      }
      
      function 
    getUsername($userid) {
        
    $rs mysql_query("SELECT username FROM `users` WHERE id = '$userid'") or die(mysql_error());
            
    $row mysql_fetch_array($rs);
            
    $username $row['username'];
                return 
    $username;
      }
      
      
    // Function to encrypt passwords
      
    function password($password) {
        global 
    $key;
        return 
    md5($password$key);
      }
      
      function 
    format_bytes($a_bytes) {
        if (
    $a_bytes 1024) {
            return 
    $a_bytes .'bytes';
        } elseif (
    $a_bytes 1048576) {
            return 
    round($a_bytes 10242) .'kb';
        } else {
            return 
    round($a_bytes 10485762) . 'mb';
        }
    }

        function 
    contenttype($ext) {
            
    $mime_types = array();
            
    $mime_types['ai']    ='application/postscript';
            
    $mime_types['asx']   ='video/x-ms-asf';
            
    $mime_types['au']    ='audio/basic';
            
    $mime_types['avi']   ='video/x-msvideo';
            
    $mime_types['bmp']   ='image/bmp';
            
    $mime_types['css']   ='text/css';
            
    $mime_types['doc']   ='application/msword';
            
    $mime_types['eps']   ='application/postscript';
            
    $mime_types['exe']   ='application/octet-stream';
            
    $mime_types['gif']   ='image/gif';
            
    $mime_types['htm']   ='text/html';
            
    $mime_types['html']  ='text/html';
            
    $mime_types['ico']   ='image/x-icon';
            
    $mime_types['jpe']   ='image/jpeg';
            
    $mime_types['jpeg']  ='image/jpeg';
            
    $mime_types['jpg']   ='image/jpeg';
            
    $mime_types['js']    ='application/x-javascript';
            
    $mime_types['mid']   ='audio/mid';
            
    $mime_types['mov']   ='video/quicktime';
            
    $mime_types['mp3']   ='audio/mpeg';
            
    $mime_types['mpeg']  ='video/mpeg';
            
    $mime_types['mpg']   ='video/mpeg';
            
    $mime_types['pdf']   ='application/pdf';
            
    $mime_types['pps']   ='application/vnd.ms-powerpoint';
            
    $mime_types['ppt']   ='application/vnd.ms-powerpoint';
            
    $mime_types['ps']    ='application/postscript';
            
    $mime_types['pub']   ='application/x-mspublisher';
            
    $mime_types['qt']    ='video/quicktime';
            
    $mime_types['rtf']   ='application/rtf';
            
    $mime_types['svg']   ='image/svg+xml';
            
    $mime_types['swf']   ='application/x-shockwave-flash';
            
    $mime_types['tif']   ='image/tiff';
            
    $mime_types['tiff']  ='image/tiff';
            
    $mime_types['txt']   ='text/plain';
            
    $mime_types['wav']   ='audio/x-wav';
            
    $mime_types['wmf']   ='application/x-msmetafile';
            
    $mime_types['xls']   ='application/vnd.ms-excel';
            
    $mime_types['zip']   ='application/zip';
        if(
    array_key_exists($ext,$mime_types)) {
            
    $mimetype $mime_types[$ext];
        } else { 
            
    $mimetype 'application/force-download'
        }
        return 
    $mimetype;
    }
        
    //Get User Earnings Functions
        
        
    function getCurrentStats($userid) {
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings` FROM `user_earnings` WHERE userid = '$userid' and status = '1' and pay = '0'") or die(mysql_error());
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;
        }
        
        function 
    getTodayStats($userid) {
            
    $today date("Y:m:d 00:00:00");
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `user_earnings` WHERE date >= '$today' and userid = '$userid' and status = '1' group by DAY(date)") or die(mysql_error());
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;
        }
        
        function 
    getYesterdayStats($userid) {
            
    $today date("Y:m:d 00:00:00");
            
    $yesterday date("Y:m:d"mktime(000date("m"), date("d")-1date("Y")));
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `user_earnings` WHERE date >= '$yesterday' and date <= '$today' and userid = '$userid' and status = '1' group by DAY(date)") or die(mysql_error());
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;
        }

        function 
    getMonthStats($userid) {
            
    $first_day date("Y:m:01 00:00:00");
            
    $last_day date("Y:m:31 23:59:59");
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `user_earnings` WHERE date >= '$first_day' and date <= '$last_day' and userid = '$userid' and status = '1' GROUP BY MONTH(date)");
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;        
        }

        function 
    getLastMonthStats($userid) {
            
    $first_day date("Y:m:01 00:00:00"mktime(000date("m")-1date("d"), date("Y")));
            
    $last_day date("Y:m:31 23:59:59"mktime(000date("m")-1date("d"), date("Y")));
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `user_earnings` WHERE date >= '$first_day' and date <= '$last_day' and userid = '$userid' and status = '1' GROUP BY MONTH(date)");
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;        
        }
        
        function 
    getAllTimeStats($userid) {
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings` FROM `user_earnings` WHERE userid = '$userid' and status = '1'");
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;        
        }
        
        
    //Get Referral Earnings Functions
        
        
    function getCurrentRefStats($userid) {
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings` FROM `ref_earnings` WHERE refid = '$userid' and status = '1' and pay = '0'") or die(mysql_error());
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;
        }
        
        function 
    getTodayRefStats($userid) {
            
    $today date("Y:m:d 00:00:00");
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `ref_earnings` WHERE date >= '$today' and refid = '$userid' and status = '1' group by DAY(date)") or die(mysql_error());
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;
        }
        
        function 
    getYesterdayRefStats($userid) {
            
    $today date("Y:m:d 00:00:00");
            
    $yesterday date("Y:m:d"mktime(000date("m"), date("d")-1date("Y")));
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `ref_earnings` WHERE date >= '$yesterday' and date <= '$today' and refid = '$userid' and status = '1' group by DAY(date)") or die(mysql_error());
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;
        }

        function 
    getMonthRefStats($userid) {
            
    $first_day date("Y:m:01 00:00:00");
            
    $last_day date("Y:m:31 23:59:59");
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `ref_earnings` WHERE date >= '$first_day' and date <= '$last_day' and refid = '$userid' and status = '1' GROUP BY MONTH(date)");
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;        
        }

        function 
    getLastMonthRefStats($userid) {
            
    $first_day date("Y:m:01 00:00:00"mktime(000date("m")-1date("d"), date("Y")));
            
    $last_day date("Y:m:31 23:59:59"mktime(000date("m")-1date("d"), date("Y")));
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings`, date(date) FROM `ref_earnings` WHERE date >= '$first_day' and date <= '$last_day' and refid = '$userid' and status = '1' GROUP BY MONTH(date)");
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;        
        }
        
        function 
    getAllTimeRefStats($userid) {
            
    $rs mysql_query("SELECT SUM(`amount`) AS `total_earnings` FROM `ref_earnings` WHERE refid = '$userid' and status = '1'");
            
    $row mysql_fetch_assoc($rs);
            
    $earnings number_format($row['total_earnings'], 2'.'',');
            return 
    $earnings;        
        }
        
        
    //Get Download Stats
        
        
    function getTodayDownStats($userid) {
            
    $today date("Y:m:d 00:00:00");
            
    $query mysql_query("SELECT date(date) FROM `user_earnings` WHERE date >= '$today' and userid = '$userid' and status = '1'") or die(mysql_error());
            
    $rs mysql_num_rows($query);
            return 
    $rs;
        }
        
        function 
    getYesterdayDownStats($userid) {
            
    $today date("Y:m:d 00:00:00");
            
    $yesterday date("Y:m:d"mktime(000date("m"), date("d")-1date("Y")));
            
    $query mysql_query("SELECT date(date) FROM `user_earnings` WHERE date >= '$yesterday' and date <= '$today' and userid = '$userid' and status = '1'") or die(mysql_error());
            
    $rs mysql_num_rows($query);
            return 
    $rs;
        }

        function 
    getMonthDownStats($userid) {
            
    $first_day date("Y:m:01 00:00:00");
            
    $last_day date("Y:m:31 23:59:59");
            
    $query mysql_query("SELECT date(date) FROM `user_earnings` WHERE date >= '$first_day' and date <= '$last_day' and userid = '$userid' and status = '1'");
            
    $rs mysql_num_rows($query);
            return 
    $rs;        
        }

        function 
    getLastMonthDownStats($userid) {
            
    $first_day date("Y:m:01 00:00:00"mktime(000date("m")-1date("d"), date("Y")));
            
    $last_day date("Y:m:31 23:59:59"mktime(000date("m")-1date("d"), date("Y")));
            
    $query mysql_query("SELECT date(date) FROM `user_earnings` WHERE date >= '$first_day' and date <= '$last_day' and userid = '$userid' and status = '1' GROUP BY MONTH(date)");
            
    $rs mysql_num_rows($query);
            return 
    $rs;        
        }
        
        function 
    getAllTimeDownStats($userid) {
            
    $query mysql_query("SELECT * FROM `user_earnings` WHERE userid = '$userid' and status = '1'");
            
    $rs mysql_num_rows($query);
            return 
    $rs;        
        }
    ?>

  • #7
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,327
    Thanks
    60
    Thanked 525 Times in 512 Posts
    Blog Entries
    4
    Quote Originally Posted by XiangLong View Post
    PHP Code:
    $random_password makeRandomPassword();
    $db_password md5($random_password);

    $sql mysql_query("UPDATE users SET password='$db_password' WHERE username='$username'") or die(mysql_error()); 
    Quote Originally Posted by XiangLong View Post
    PHP Code:
      // Function to encrypt passwords
      
    function password($password) {
        global 
    $key;
        return 
    md5($password$key);
      } 
    The first thing I've noticed is your call to md5(). One (the password reset) uses no second parameter. The other uses the second parameter presumably to return bunary format instead of hex. Assuming that $key is true and not false, that is your problem right there.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • Users who have thanked tangoforce for this post:

    XiangLong (05-12-2013)


  •  

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •