PHP - Password Storage

Hello PhP Freaks forum
In the past weeks ive been trying to make a website, where you can register. Everything seems to work except my cherished Change password feature. Everytime you try to change the password, it just resets it to nothing.

Here is the code below.

<?php
         if(isset($_SESSION['username']))
         {
            $username = $_SESSION['username'];
            $lastname = $_SESSION['lastname'];
            $firstname = $_SESSION['firstname'];
            $email = $_SESSION['email'];
               
            echo "
            
               <h4>Options for:</h4> &nbsp; $username
               <br />
               <br />
               First name: &nbsp; $firstname
            
               <br />Last name: &nbsp; $lastname       
   
   <br /><br /><h3>Want to change your password:</h3><br />
   
      <form action='?do=option' method='post'>
   
      Old password <input type='password' placeholder='Has to be between 5-15 digits' name='password' size='30' value='' /><br />
                  <br />
      New Password<input type='password' placeholder='Has to be between 5-15 digits' name='newpass' size='30' value='' /><br />
                  <br />
      Confirm new password <input type='password' placeholder='Has to be between 5-15 digits' name='passconf' size='30' value='' /><br />
                  
      <center></div><input type='submit' value='Submit'/></center></form>";   
      
            
         }else{
            echo 'Please login to view your options!';
         }
      
      $password = $_REQUEST['password'];
      $pass_conf = $_REQUEST['newpass'];
      $email = $_REQUEST['passconf'];
      
      $connect = mysql_connect("Host", "User", "Password");
      if(!$connect){
      die(mysql_error());
      }
      
      //Selecting database
      $select_db = mysql_select_db("My Database", $connect);
      if(!$select_db){
      die(mysql_error());
      }
      
      //Find if entered data is correct
      
      $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
      $row = mysql_fetch_array($result);
      $id = $row['id'];

            
         mysql_query("UPDATE users SET password='$newpass' WHERE username='$user'")
      
      ?>          

And i do know that i dont have a

if(Empty($newpass)){
Die(Please fill out the new password)                                                 
}

Or any security on the others, but the problem just seems that it resets the password into nothing

Hope i can get this fixed

Best Regards

William Pfaffe

after authenticating username and password,i have a parameter like:
$_SESSION['logged']=1

should i be storing this as a cookie?..if yes, then can anyone modify cookie, to have this parameter as "1", and gain access?

Hey guys,

I'm trying to build a simple 'blogging engine' as a fun side project. At the moment i'm mainly having trouble with 2 things -

1. What is the best way that the administrator can input the data (with linebreaks, etc) and then have it stored in the database with this formatting so that when it is called from the database, it shows up the same on the page?

2. How do i go about selecting only certain posts from the database? I have tried doing a /post.php?id=12 and then an SQL statement "WHERE post_id=" . $id (in the correct formatting, of course) but this didnt seem to work.


Any help would be appreciated.

-CynePhoba

This topic has been moved to Application Design.

http://www.phpfreaks.com/forums/index.php?topic=353345.0

<?php
require_once('upper.php');
require_once('database.php');
echo $error_msg='';
if(isset($_POST['submit']))
{
$LoginId=mysqli_real_escape_string($dbc,trim($_POST['LoginId']));
$Password1=mysqli_real_escape_string($dbc,trim($_POST['Password1']));
$Password2=mysqli_real_escape_string($dbc,trim($_POST['Password2']));
$Name=mysqli_real_escape_string($dbc,trim($_POST['Name']));
$Age=mysqli_real_escape_string($dbc,trim($_POST['Age']));
$BloodGroup=mysqli_real_escape_string($dbc,trim($_POST['BloodGroup']));
if(!isset($_POST['Sex']))
{
echo 'Please enter Sex<br>';
}
else{
$Sex= mysqli_real_escape_string($dbc,trim($_POST['Sex']));
}
$Qualification=mysqli_real_escape_string($dbc,trim($_POST['Qualification']));
$ContactNumber=mysqli_real_escape_string($dbc,trim($_POST['ContactNumber']));
$Email=mysqli_real_escape_string($dbc,trim($_POST['Email']));
$Address=mysqli_real_escape_string($dbc,trim($_POST['Address']));
$AboutYourself=mysqli_real_escape_string($dbc,trim($_POST['AboutYourself']));
//$countCheck=count($_POST['checkbox']);
//echo $countCheck;
//$checkbox=$_POST['checkbox'];
//$countCheck=count($checkbox);
if(empty($LoginId)){echo 'Please enter Login Id';}
elseif(empty($Password1)){echo 'Please enter Password';}
elseif(empty($Password2)){echo 'Please confirm Password';}
elseif($Password1!==$Password2){echo 'Password didn\'t match';}
elseif(empty($Name)){echo 'Please enter Name';}
elseif(empty($Age)){echo 'Please enter Age';}
elseif(!isset($_POST['Sex'])){}
elseif(empty($Qualification)){echo 'Please enter Qualification';}
elseif(empty($ContactNumber)){echo 'Please enter Contact Number';}
elseif(empty($Email)){echo 'Please enter Email';}
elseif(empty($Address)){echo 'Please enter Address';}
elseif(empty($AboutYourself)){echo 'Please enter About Yourself';}
elseif(!isset($_POST['checkbox'])){ echo 'You have to register at least one activity.';}
elseif(!isset($_POST['TermsAndConditions'])){ echo 'You have to agree all Terms and Conditions of Elite Brigade.';}
else
{
require_once('database.php');
$query="select * from registration where LoginId='$LoginId'";
$result=mysqli_query($dbc,$query);
if(mysqli_num_rows($result)==0)
{
$checkbox=$_POST['checkbox'];
$countCheck=count($_POST['checkbox']);
$reg_id=' ';
for($i=0;$i<$countCheck;$i++)
{
$reg_id=$reg_id.$checkbox[$i].',';
$query="insert into activity_participation (LoginId,Title,Date) values ('$LoginId','$checkbox[$i]',CURDATE())";
$result=mysqli_query($dbc,$query) or die("Not Connected");
}
$query="insert into registration (LoginId,Password,Name,Age,BloodGroup,Sex,Qualification,ContactNumber,Email,Address,AboutYourself,Activity)values ('$LoginId'[B],SHA('$Password1'),[/B]'$Name','$Age','$BloodGroup','$Sex','$Qualification','$ContactNumber','$Email','$Address','$AboutYourself',',$reg_id')";
$result=mysqli_query($dbc,$query) or die("Not Connect");

echo ' Dear '.$Name.'.<br>Your request has been mailed to admin.<br>Your account is waiting for approval<br>';
$from= 'Elite Brigade';
$to='ankitp@rsquareonline.com';
$subject='New User Registration';
$message="Dear admin,\n\nA new user request for registration. Please check it out.\n\nRegards\nMicro";
mail($to,$subject,$message,'From:'.$from);
//header('Location: index.php');
// header('Location: Registration.php');
}
else
{
echo 'Dear '.$Name. ', <br> An account already exist with login-id<b> '.$LoginId.'</b> <br>Please try another login-id';
}}
}
?>

<html>
<head>
<script src="jquery-latest.js"></script>
  <script type="text/javascript" src="jquery-validate.js"></script>
<style type="text/css">
* { font-family: Verdana;  }

label.error {  color: white;  padding-left: .5em; }
p { clear: both; }
.submit { margin-left: 12em; }
em { font-weight: bold; padding-right: 1em; vertical-align: top; }
</style>
  <script>
  $(document).ready(function(){
    $("#commentForm").validate();
  });
  </script>
  
</head>

<body>

<?php
echo $error_msg; ?>

<form action='<?php echo $_SERVER['PHP_SELF'];?>' id="commentForm" method='post'>
<div class="registration_and_activity">

<table border="0" width="380">
<tr><td colspan="2">
<h3>New User?</h3></td></tr>
<tr><td width="120">

<em>*</em>Enter Login id</td><td width="150"><input type='text' name='LoginId'  minlength="4" value='<?php if(!empty($LoginId))echo $LoginId;?>' /></td></tr>
<tr><td>
<em>*</em>Enter Password</td> <td><head>
   <div id="divMayus" style="visibility:hidden">Caps Lock is on.</div>
   <SCRIPT language=Javascript>

function capLock(e){
 kc = e.keyCode?e.keyCode:e.which;
 sk = e.shiftKey?e.shiftKey:((kc == 16)?true:false);
 if(((kc >= 65 && kc <= 90) && !sk)||((kc >= 97 && kc <= 122) && sk))
  document.getElementById('divMayus').style.visibility = 'visible';
 else
  document.getElementById('divMayus').style.visibility = 'hidden';
}

</SCRIPT>
   </HEAD>
<input onkeypress='return capLock(event)' type='password' name='Password1' value='<?php if(!empty($Password1))echo $Password1;?>' /></td></tr>

<tr><td>
<em>*</em>Confirm Password</td><td><input type='password' name='Password2' value='<?php if(!empty($Password2))echo $Password2;?>' /></td></tr>
<tr><td width="120">
<em>*</em>Enter Name</td> <td><input type='text'  name='Name' value='<?php if(!empty($Name))echo $Name;?>' /></td></tr>
<tr><td>
<em>*</em>Enter Age</td><HEAD>
   <SCRIPT language=Javascript>
      
      function isNumberKey(evt)
      {
         var charCode = (evt.which) ? evt.which : event.keyCode
         if (charCode > 31 && (charCode < 48 || charCode > 57))
            return false;

         return true;
      }
  
  
     
   </SCRIPT>
   </HEAD>
<td><INPUT onkeypress='return isNumberKey(event)'  type='text' name='Age' value='<?php if(!empty($Age))echo $Age;?>'/></td></tr>

<tr><td>
<em>*</em>Enter Blood</td><td><input type='text' name='BloodGroup' value='<?php if(!empty($BloodGroup))echo $BloodGroup;?>' /></td></tr>

<tr><td>
<em>*</em>Enter Sex</td><td><input type='radio' name='Sex'  style='width:16px; border:0;' 'value='Male' />Male   <input type='radio' name='Sex' style='width:16px; border:0;' 'value='Female' />Female</td></tr>

<tr><td>
<em>*</em>Enter Qualification</td><td><input type='text' name='Qualification'  value='<?php if(!empty($Qualification))echo $Qualification;?>' /></td></tr>

<tr><td>
<em>*</em>Contact Number </td><td><input onkeypress='return isNumberKey(event)'type='text'  name='ContactNumber' value='<?php if(!empty($ContactNumber))echo $ContactNumber;?>' /></td></tr>

<tr><td>
<em>*</em>Enter Email</td><td><input type='text' name='Email'class="email" value='<?php if(!empty($Email))echo $Email;?>' /></td></tr>

<tr><td>
<em>*</em>Enter Address</td><td><input type='text'   name='Address' value='<?php if(!empty($Address))echo $Address;?>' /></td></tr>


<tr ><td >
<em>*</em>About Yourself </td></tr>
<tr><td colspan="2"><textarea rows='10' cols='40'  name='AboutYourself'  /><?php if(!empty($Address))echo $Address;?></textarea></td></tr>
<tr><td>

<?php echo"
<tr><td colspan='2'><em>*</em><b>Select fields for which you want to register</b></td></tr>";

require_once('database.php');
$query="select * from activity";
$result=mysqli_query($dbc,$query);
while($row=mysqli_fetch_array($result)){
$Title=$row['Title'];
$ActivityId=$row['ActivityId'];
echo "<tr><td>$Title</td>";
echo "<td><input type='checkbox' name='checkbox[]' value='$Title' style='width:14px; text-align:right;'/></td></tr>";//value=$ActivityId tells ActivityId variable extracts with name="checkbox"
echo "<br/>";
}
echo "<td><em>*</em><input type='checkbox' name='TermsAndConditions'  style='width:14px; text-align:right;'/></td><td> I agree all <a href='TermsAndConditions.php'>Terms and conditions </a>of Elite Brigade</td></tr>";
echo "<tr><td colspan='2' align='center'><input type='submit' value='Register' name='submit' style='background:url(./images/button_img2.png) no-repeat 10px 0px; width:100px; padding:3px 0 10px 0; color:#FEFBC4; border:0;'/></td></tr><br>";

echo " </td></tr></table>

</div>

</form>
</body>
</html>";
require_once('lower.php');

?>


Hi Friends ....
I encrypt user password by SHA('$Password') method but now i want to add "Forget Password Module" for which I need to decrypt it first before tell my user but I don't Know how to decrypt it.
Please help me........

I am having some trouble getting this to pull the password correctly from the database.
I believe the problem is from the password being in md5 format.
I am not sure how to fix the issue.

Much thanks

Code: [Select]
<?php
//signin.php
include 'connect.php';
include 'header.php';

echo '<h3>Sign in</h3><br />';

//first, check if the user is already signed in. If that is the case, there is no need to display this page
if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] == true)
{
   echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.';
}
else
{
   if($_SERVER['REQUEST_METHOD'] != 'POST')
   {
      /*the form hasn't been posted yet, display it
        note that the action="" will cause the form to post to the same page it is on */
      echo '<form method="post" action="">
         Username: <input type="text" name="username" /><br />
         Password: <input type="password" name="password"><br />
         <input type="submit" value="Sign in" />
       </form>';
   }
   else
   {
      /* so, the form has been posted, we'll process the data in three steps:
         1.   Check the data
         2.   Let the user refill the wrong fields (if necessary)
         3.   Varify if the data is correct and return the correct response
      */
      $errors = array(); /* declare the array for later use */
      
      if(!isset($_POST['username']))
      {
         $errors[] = 'The username field must not be empty.';
      }
      
      if(!isset($_POST['password']))
      {
         $errors[] = 'The password field must not be empty.';
      }
      
      if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
      {
         echo 'Uh-oh.. a couple of fields are not filled in correctly..<br /><br />';
         echo '<ul>';
         foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
         {
            echo '<li>' . $value . '</li>'; /* this generates a nice error list */
         }
         echo '</ul>';
      }
      else
      {
         //the form has been posted without errors, so save it
         //notice the use of mysql_real_escape_string, keep everything safe!
         //also notice the sha1 function which hashes the password
         $sql = "SELECT 
                  userid,
                  username,
                  userlevel
               FROM
                  users
               WHERE
                  username = '" . mysql_real_escape_string($_POST['username']) . "'
               AND
                  password = '" . sha1($_POST['password']) . "'";
                  
         $result = mysql_query($sql);
         if(!$result)
         {
            //something went wrong, display the error
            echo 'Something went wrong while signing in. Please try again later.';
            //echo mysql_error(); //debugging purposes, uncomment when needed
         }
         else
         {
            //the query was successfully executed, there are 2 possibilities
            //1. the query returned data, the user can be signed in
            //2. the query returned an empty result set, the credentials were wrong
            if(mysql_num_rows($result) == 0)
            {
               echo 'You have supplied a wrong user/password combination. Please try again.';
            }
            else
            {
               //set the $_SESSION['signed_in'] variable to TRUE
               $_SESSION['signed_in'] = true;
               
               //we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages
               while($row = mysql_fetch_assoc($result))
               {
                  $_SESSION['userid']    = $row['userid'];
                  $_SESSION['username']    = $row['username'];
                  $_SESSION['userlevel'] = $row['userlevel'];
               }
               
               echo 'Welcome, ' . $_SESSION['username'] . '. <br /><a href="index.php">Proceed to the forum overview</a>.';
            }
         }
      }
   }
}

include 'footer.php';
?>

Hi all,

I am trying to make a 'forgot password' script.

The passwords in the database are md5 encrypted.

Is there a way to reverse this md5 password and send the forgotten password in its orginal for to the user through email?

Thanks.


<?PHP 
include("cxn.php");

$sql = "SELECT password FROM Members WHERE email='$_POST[email]'";
$result = mysqli_query($cxn,$sql)
or die ("Couldn't execute query");

$num = mysqli_num_rows($result);

if ($num >0) // Email Address Found 
{
$password = md5($_POST['password']); // Trying to take the md5 off the password here.

$to = "$_POST[email]";
$subj = "Password for website.co.uk";
$mess = "Your password for www.website.co.uk is: \n
$_POST['password'] \n
Please login with your email address and this password. Thank you.";
$mailsend = mail($to,$subj,$mess,$headers);

$update= "An email containing your password has been sent to". $_POST['email'].".";
include("signin-redirect.php");
}
else // Email Address Not Found
{
$registrationerror = "The email address '$_POST[email]' is already registered!";
include("signin-redirect.php");
}

?>

Dear All,
Below is a php file for my website invitacoach.com

I need to issue passwords myself to members who have already paid up for my services...of which they will then be able to access the advantages of a members area which include Videos, Audios and other publications.

Which part of my code am i to edit

Below is the SQL and register.php code.

SQL

CREATE TABLE users (
  userid int(25) NOT NULL auto_increment,
  first_name varchar(25) NOT NULL default '',
  last_name varchar(25) NOT NULL default '',
  email_address varchar(25) NOT NULL default '',
  username varchar(25) NOT NULL default '',
  password varchar(255) NOT NULL default '',
  info text NOT NULL,
  user_level enum('0','1','2','3') NOT NULL default '0',
  signup_date datetime NOT NULL default '0000-00-00 00:00:00',
  last_login datetime NOT NULL default '0000-00-00 00:00:00',
  activated enum('0','1') NOT NULL default '0',
  PRIMARY KEY  (userid)
) TYPE=MyISAM COMMENT='Membership Information';



REGISTER.PHP


<?

include 'db.php';

// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$info = $_POST['info'];

/* Let's strip some slashes in case the user entered
any escaped characters. */

$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
$info = stripslashes($info);


/* Do some error checking on the form posted fields */

if((!$first_name) || (!$last_name) || (!$email_address) || (!$username)){
   echo 'You did not submit the following required information! <br />';
   if(!$first_name){
      echo "First Name is a required field. Please enter it below.<br />";
   }
   if(!$last_name){
      echo "Last Name is a required field. Please enter it below.<br />";
   }
   if(!$email_address){
      echo "Email Address is a required field. Please enter it below.<br />";
   }
   if(!$username){
      echo "Desired Username is a required field. Please enter it below.<br />";
   }
   include 'join_form.html'; // Show the form again!
   /* End the error checking and if everything is ok, we'll move on to
    creating the user account */
   exit(); // if the error checking has failed, we'll exit the script!
}
   
/* Let's do some checking and ensure that the user's email address or username
 does not exist in the database */
 
 $sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
 $sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
 
 $email_check = mysql_num_rows($sql_email_check);
 $username_check = mysql_num_rows($sql_username_check);
 
 if(($email_check > 0) || ($username_check > 0)){
    echo "Please fix the following errors: <br />";
    if($email_check > 0){
       echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />";
       unset($email_address);
    }
    if($username_check > 0){
       echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
       unset($username);
    }
    include 'join_form.html'; // Show the form again!
    exit();  // exit the script so that we do not create this account!
 }
 
/* Everything has passed both error checks that we have done.
It's time to create the account! */

/* Random Password generator.
http://www.phpfreaks.com/quickcode/Random_Password_Generator/56.php

We'll generate a random password for the
user and encrypt it, email it and then enter it into the db.
*/

function makeRandomPassword() {
  $salt = "abchefghjkmnpqrstuvwxyz0123456789";
  srand((double)microtime()*1000000);
     $i = 0;
     while ($i <= 7) {
          $num = rand() % 33;
          $tmp = substr($salt, $num, 1);
          $pass = $pass . $tmp;
          $i++;
     }
     return $pass;
}

$random_password = makeRandomPassword();

$db_password = md5($random_password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, info, signup_date)
      VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '$info2', now())") or die (mysql_error());

if(!$sql){
   echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
   $userid = mysql_insert_id();
   // Let's mail the user!
   $subject = "Your Membership at invitacoach.com!";
   $message = "Dear $first_name,
   Thank you for registering at our website, http://www.invitacoach.com
   
   You are two steps away from logging in and accessing our exclusive members area.
   
   To activate your membership, please click he http://www.invitacoach.com/test/activate.php?id=$userid&code=$db_password
   
   Once you activate your membership, you will be able to login with the following information:
   Username: $username
   Password: $random_password
   
   Thanks!
   Invita Coach

When I set up MS SQL on my machine, for whatever reason I did not set up a UID or password.  I can not get the php to connect with SQL because I do not have a UID and password on the db (which I know is not smart).  I don't understand code enough to know how to manipulate this string below to remove the requirement.  

I'm making the password field have these restrictions:

Length >= 8

That's it. I then use javascript to md5 the value of that text field, then I send it using ajax to the php script to process the signup. Is it bad not to have a max length, or does this way work. Any suggestions?

I'm still trying to figure out why I should use salt.

If the bad guy knows a name and tries something like brute force shoving passwords into the log-in form until one worked how would salt help stop that?

If a bad guy, God forbid, gets hold of the user names and passwords like they did phpbb(?) forums several years ago how would salt stop that?

I know I may be beating this issue to death but if I have salt in the users table assigned to a user and his password now equals $stored_password = sha1($salt.$password) does this really doesn't matter? Because if the bad guy knows the user name and uses brute force or has a list of passwords from the users table that he has gotten some way. All he has to do is type in the user name and password and salt will be added automatically.

The password ARE correct. My code keeps saying that the password is INCORRECT. The password is MD5'ed once a user registers, and when they type in a password at the login (as shown), the password is also MD5'ed.

Why is it that it's output is incorrect password?


<?php
session_start();
include("includes/mysql.php");
include("includes/config.php");

?>


<title><?php echo $title; ?></title>

<?php
if(!$_SESSION['user'])
{

$username = $_POST['username'];
$password = $_POST['password'];

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

if(!$password || !$username)
{

echo
'
<h1>Login</h1>

<center><p><form action="login.php" method="POST">
<table border="0">
<tr><th>Username:</th> <td><input type="text" name="username" maxlength="20"><br/></td></tr>
<tr><th>Password:</th> <td><input type="password" name="password" maxlength="30"><br/></td></tr>
<tr><th></th><td><input type="submit" value="Login"></td></tr>
</table></form></p></center>
</div>
';

}
else
{
 $query = mysql_query("SELECT COUNT(username),password,username FROM users WHERE username='$username'");
 $check = mysql_fetch_assoc($query);
 
 $db_username = $check['username'];
 
 $password = md5($password);

 if($check['COUNT(username)'] < 1)
 {
echo
'
 <p>No account exists with this username. Please go back.</p>
';
 }
 elseif($check['password']==$password && $db_username==$username)
 {
echo
'
<h1>Login Successful</h1>

 <p>You have successfully logged in! Return home.</p>

';
$_SESSION['user']=$username;
 }
 else
 {
echo
'
 <p>The password you have enetered in is incorrect. Please go back.</p>

';
 }
}
}
else
{
echo
'
 <p>Your already logged in!</p>
';
}
?>

I want to add password validation to this code so that it displays "Incorrect Password" if the email and password doesn't match...Need some help..

<?php 
    include('dbconnect.php');
    session_start();

    if(isset($_POST['userLogin'])){

        $email=mysqli_real_escape_string($conn,$_POST['email']);
        $pwd=md5($_POST['pwd']);
        $sql="SELECT * FROM user_info WHERE email='$email' AND password='$pwd'";
        $run_query=mysqli_query($conn,$sql);
        $count=mysqli_num_rows($run_query);

        if($count==1){
                $row=mysqli_fetch_array($run_query);
                $_SESSION['uid']=$row['user_id'];
                $_SESSION['uname']=$row['first_name'];
                echo "true";
        }
    }
    
 ?>

 

when a user forgets his or her password they can retreive it by sending an email to their account and the password is given to them.  unfortunatly the password they recieve is in md5:

for example the password 'the' is given in an email like so:

Password:6e9b31333e61aad015fa16a3a5fe8e0d
Username:the
Please change your password as soon as you logon

could someone please advise me what i am doing wrong so the password would be converted back to plain text.

here is the code for the email:

$query="Select pw from user where uname='$name'" or die(mysql_error());
$result= mysql_query($query); 

if(mysql_num_rows($result)>0){
for ($i=0; $i<mysql_num_rows($result); $i++) {
$row = mysql_fetch_assoc($result);

$pass= md5($row['pw']);
$to="$em\r\n";
$from="From: Admin@asdesigns.co.uk\r\n";
$msg="Password:$pass\r\n";
$msg .="Username:$name\r\n";
$msg .="Please change your password as soon as you logon\r\n";
$subject="From Admin  Your Login Password\r\n";

thanks in advance

i know im doing something really silly by missing something out but i cant see where it is

Hy 2 all,

I have some questions about password security that I haven't been able to find an answer yet.   
Hopefully you guys know.

Here it goes:

1. Is it better to hash(sha2) the password and then salt it or salt it and than hash it ?
2. I'm guessing that using a random salt is better than the same salt used for every password.
3. How can you generate a different random salt for each password ? I mean how will the login page know which random salt to mix with the hashed user inserted password and then to compare it with the password stored in the db. (an example would be great(for both: generating and authentication)
4. I saw some codes in which the salt and/or hash and/or password was split into two (ex: hash.salt1a.password.salt1b  or  password1a.salt.password1b  or  salt.hash1a.password.hash1b  etc.) Is this a good idea ? Is it really more secure ? If so which would be more secure (splitting the password, the hash or the salt) ?
5. Is double hashing (ex: (sha1(md5($password))) any good ?
6. I've been reading something about password salt and pepper ?? What exactly is pepper ? Is it some sort of second salt ?

If somebody could enlighten me about these questions, that would be great.

Thanks in advance!