PHP - Should I Use A Hashed Password For A Confirmation Code On New User Accounts
I'm working on a new user submission form and I was wondering whether it's safe to send a confirmation letter to the user using their hashed password as their confirmation code? Since this is a hashed password it can't be decrypted (I believe), the password is useless because it's always hashed before login so it can't be used to log in to the system, it's only being emailed to the user whose account is tied to the account, and it would save me the option of having to store a confirmation code field in my DB. Is this safe?
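A password hash is a fixed per-account value that can neither expire nor be revoked, so the usual design is a random, single-use, expiring confirmation code whose SHA-256 hash is stored and compared in constant time, with login refused until the account is confirmed; the example below, which is added here and is not code from the original post, walks through that lifecycle. It assumes the pdo_sqlite extension for an in-memory database, and the users table and its column names are made up for the example.

```php
<?php
// Added example, not code from the original post: a random, single-use,
// expiring confirmation code whose SHA-256 hash is stored, instead of reusing
// the user's password hash as the code. Assumes the pdo_sqlite extension; the
// users table and its column names are made up for this example.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    confirm_hash TEXT,       -- sha256 of the code; the code itself is never stored
    confirm_expires INTEGER, -- unix timestamp
    confirmed_at INTEGER     -- NULL until the e-mailed code is used
)');

function registerUser(PDO $db, string $email, string $password): int
{
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

// Returns the code to embed in the confirmation link. It comes from the CSPRNG,
// so it is independent of the password, and only its hash is stored, so a copy
// of the database does not yield working codes.
function issueConfirmationCode(PDO $db, int $userId, int $ttlSeconds = 86400): string
{
    $code = bin2hex(random_bytes(32)); // 256 bits, 64 hex characters
    $stmt = $db->prepare('UPDATE users SET confirm_hash = ?, confirm_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $code), time() + $ttlSeconds, $userId]);
    return $code;
}

// Verifies the code from the link: hash it, compare in constant time, enforce
// the expiry, then clear it so the same link cannot be replayed.
function confirmAccount(PDO $db, int $userId, string $code): bool
{
    $stmt = $db->prepare('SELECT confirm_hash, confirm_expires FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['confirm_hash'] === null || time() > (int) $row['confirm_expires']) {
        return false;
    }
    if (!hash_equals($row['confirm_hash'], hash('sha256', $code))) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET confirm_hash = NULL, confirm_expires = NULL, confirmed_at = ? WHERE id = ?');
    $stmt->execute([time(), $userId]);
    return true;
}

// Login refuses unconfirmed accounts; without this check, registering but
// never confirming would still grant access.
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash, confirmed_at FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && $row['confirmed_at'] !== null
        && password_verify($password, $row['password_hash']);
}

// Walk-through with constructed sample data.
$id   = registerUser($db, 'alice@example.com', 'correct horse battery staple');
$code = issueConfirmationCode($db, $id);
printf("login before confirming: %s\n", login($db, 'alice@example.com', 'correct horse battery staple') ? 'allowed' : 'refused');
printf("wrong code:              %s\n", confirmAccount($db, $id, 'not-the-real-code') ? 'accepted' : 'rejected');
printf("e-mailed code:           %s\n", confirmAccount($db, $id, $code) ? 'accepted' : 'rejected');
printf("same code replayed:      %s\n", confirmAccount($db, $id, $code) ? 'accepted' : 'rejected');
printf("login after confirming:  %s\n", login($db, 'alice@example.com', 'correct horse battery staple') ? 'allowed' : 'refused');
```

The same `confirmed_at` gate in `login()` is the check asked about further down this page, where a login script accepts accounts whose activation code was never used.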
Similar Tutorials
Query About How To Retrieve A Password From The Database And Compare To The One The User Has Entered
Hey everybody,
I'm a noob when it comes to PHP so I have a few questions.
I'm in the planning stages for a new website and I need it to do something but I'm not sure how. People would have to log into my website in order to make a purchase and I need to be able to link their account with the software they bought. Think of it a bit like Steam: you buy the game and it's right there in your library.
The way I see it working is they buy their software and when they look in their profile they see a list of the stuff they've bought and have the ability to open it.
The Ecommerce company I'm looking to sign up with to make the transactions and keep the money side of it in order (FastSpring) don't have a way of tracking user purchases so I have to come up with a way of doing my end.
What I would like to know is what language is best to do this? I assume PHP would be the best especially considering the website itself is likely to be built in WordPress.
Secondly, does anybody have any links to articles, videos or tutorials on this, as I have not been able to find any all afternoon? I know they're going to be out there but I'm not having any luck finding them.
Thanks for your time
I would like my website to show which users are logged in. Is there a simple way of retrieving all session IDs from the server that have been allocated and are active in order to do this? I know this could lead to faulty information, but it would appear to be the simplest and most reliable. Thanks.
Got this working script that sends email via a form:
<?php
$name = $_POST['name'];
} else { }
{ } ?>
Problem is, I want a bar to appear saying 'Message Sent. We Will Contact You Shortly'. I'm brand new to php and followed a tutorial for the above. It's a simple form that I understand, apart from the code needed for confirmation! Please can someone offer any assistance. Thanks in advance......
Hello, Below is my existing code for my web site visitor to fill out the form... they see a thank you html page.... and I get the info inserted into my database.... and I get an e-mail with all their details, even their date of registration. From what I have seen so far, EVERYTHING WORKS SUCCESSFULLY. HOWEVER, I would like to have the web site visitor's details that they filled out ALSO SENT BACK to the web site visitor as a confirmation... say that this is a confirmation of the form they previously filled out. How do I accomplish this based off of my existing code here? I also would like my thankyou.html code at the bottom of my current php code to be called in from a SEPARATE REDIRECT thankyou.php page after a successful form entry. I know that ALL headers must be IMMEDIATELY taken care of upon entering any php page. This is what I used: ***** header("Location: thankyou.php"); ******* Now I know that this is the correct code to make this happen but I do not know how to get this to work with my present code here. How do I put the header Location: thankyou.php code in my EXISTING PHP page to make this all work right? thanks mrjap1
====================== HTML ==========================
<?php require_once("db_connection.php");?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>HTML form for insert users</title>
<style type="text/css">
p { margin:0; padding:0; font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#633; font-weight:bold; }
legend { font-family:Arial, Helvetica, sans-serif; font-size:15px; color:#3F6; font-weight:bold; }
#form_container { background:#F7F; margin: 50px auto 50px auto; border: 1px solid #F00; padding:10px; width:285px; height:150px; }
input { margin-bottom:5px; }
body { background-color: #033; }
</style>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<?php
if (isset($_POST['submit'])) { // Handle the form.
    $message = NULL; // Create an empty new variable.
    // Check for a first name.
    if (empty($_POST['first_name'])) {
        $first_name = FALSE;
        $message .= '<p>You forgot to enter your first name... its Required!</p>';
    } else {
        $first_name = ($_POST['first_name']);
    }
    // Check for a last name.
    if (empty($_POST['last_name'])) {
        $last_name = FALSE;
        $message .= '<p>You forgot to enter your last name... its Required!</p>';
    } else {
        $last_name = ($_POST['last_name']);
    }
    // Check for an email address.
    if (empty($_POST['email'])) {
        $email = FALSE;
        $message .= '<p>You forgot to enter your email address... its Required!</p>';
    } else {
        $email = ($_POST['email']);
    }
}
?>
<div id="form_container">
<form action="form_proceessed201XXX.php" method="post">
<input type="hidden" name="submit" value="true" />
<fieldset>
<legend>My Data Feilds</legend>
<!-- ### FIRST NAME ### -->
<p>
<label>First Name:</label><input name="first_name" type="text" value="<?php if(isset($_POST['first_name'])) echo $_POST['first_name']; ?>" id="first_name" size="15" maxlength="30">
</p>
<!-- ### LAST NAME ### -->
<p>
<label>Last Name:</label><input name="last_name" type="text" value="<?php if(isset($_POST['last_name'])) echo $_POST['last_name']; ?>" id="last_name" size="15" maxlength="30">
</p>
<!-- ### EMAIL ### -->
<p>
<label>E-mail:</label><input name="email" type="text" value="<?php if(isset($_POST['email'])) echo $_POST['email']; ?>" id="email" size="15" maxlength="30">
</p>
<!-- ### SUBMIT BUTTON ### -->
<p style="text-align:center">
<input type="submit" name="submit" value="SEND MY INFO PLEASE" />
</p>
</fieldset>
</form>
</div>
</body>
</html>
====================== PHP ==========================
<?php
// ALL THE SUBJECT and EMAIL VARIABLES
$emailSubject = 'MY TEST EMAIL SCRIPTING!!! ';
$webMaster = 'myemail@gmail.com';
// GATHERING the FORM DATA VARIABLES
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email = $_POST['email'];
$registration_date = $_POST['registration_date'];
$date = date ("l, F jS, Y");
$time = date ("h:i A");
$body = <<<EOD
<br /><hr><br />
<strong>First Name:</strong> $first_name <br />
<strong>Last Name: </strong>$last_name <br />
<strong>Email:</strong> $email <br />
<strong>Registration Date:</strong> $date at $time <br />
EOD;
// THIS SHOW ALL E-MAILED DATA, ONCE IN THE E-MAILBOX AS READABLE HTML
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);
// THE RESULTS OF THE FORM RENDERED AS PURE HTML
$theResults = <<<EOD
<!DOCTYPE HTML>
<html lang="en">
<head>
<style type="text/css">
body { font-family:Arial, Helvetica, sans-serif; font-size:11px; font-weight:bold; }
#thankyou_block { width: 400px; height: 250px; text-align:center; border: 1px solid #666; padding: 5px; background-color: #0CF; border-radius:8px; -webkit-border-radius:8px; -moz-border-radius:8px; -opera-border-radius:8px; -khtml-border-radius:8px; box-shadow:0px 0px 10px #000; -webkit-box-shadow: 0px 0px 10px #000; -moz-box-shadow: 0px 0px 10px #000; -o-box-shadow: 0px 0px 10px #000; margin: 25px auto; }
p { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 18px; letter-spacing:1px; color: #333; }
</style>
<meta charset="UTF-8">
<title>THANK YOU!!!</title>
</head>
<body>
<div id="thankyou_block">
<br><br><br>
<h1>CONGRATULATIONS!!</h1>
<h2>YOUR FORM HAS BEEN PROCESSED!!!</h2>
<p>You are now registered in our Database...<br>
we will get back to you very shortly.<br>
Please have a very wonderful day.</p>
</div>
</body>
</html>
EOD;
echo "$theResults";
?>
Having trouble trying to validate a user name and password.
This is my code:
//check username/password
$user_name_check = mysql_query("SELECT * FROM users WHERE user_name=" . $_POST["user_name"] . "\" AND password=" . $_POST["password"] . "\"");
if(mysql_num_rows($user_name_check)) {
    //Do stuff here...
}
But I get the following error:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /xxxx/xxxxxxxx/xxxxx/xxxxxxxxxxxxx/xxxx.php on line 32
Any ideas as to why? $user_name_check is a result set, right (which is what mysql_num_rows() requires)??
I'm trying to write a script that changes my user passwords. I store the passwords in the DB as an md5 hash. My code is below; I keep getting an error that the original username and password do not match. I require that the original credentials match so I can verify that I'm changing the password for the correct user. I suspect my problem is here but I'm not su
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' and password = '".md5($pass)."'");
<?php
$username = check_input($_POST['username']);
$password = check_input($_POST['password']);
$newpassword = check_input($_POST['newpassword']);
$confirmpassword = check_input($_POST['confirmpassword']);
if (!isset($_POST['submit'])) {
    // if page is not submitted to itself echo the form
} else {
    $result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' and password = '".md5($pass)."'");
    if(mysql_num_rows($result)){
        if($newpassword==$confirmpassword){
            $sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");
            if($sql) {
                echo "Password Changed";
            } else {
                // In case when problem while updating your new password
                echo "Error changing password, please email webmaster@mydomain.com";
            }
        } else {
            // In case when new-password and retype-password do not match
            echo "New and confirmed password do not match please try again.";
        }
    } else {
        // In case of you have not correct User name and password
        echo "Current username and password do no match.";
    }
}
?>
<div class="pageContent">
<div id="main">
<div class="container">
<h1></h1>
<h2>More text goes here.</h2>
</div>
<div class="container">
<!-- All protected data goes in here -->
<?php
if($_SESSION['id']){
    echo '<form action="" method="post">';
    echo '<h2>Username: </h2><input type="text" name="username" size="50" maxlength="255"><br/>';
    echo '<h2>Password: </h2><input type="text" name="password" size="50" maxlength="255"><br/>';
    echo '<h2>New Password: </h2><input type="text" name="newpassword" size="50" maxlength="255"><br/>';
    echo '<h2>Confirm Password: </h2><input type="text" name="confirmpassword" size="50" maxlength="255"><br/>';
    echo '<input type="submit" name="submit" value="Change Password">';
    echo '</form>';
} else {
    echo '<h1>Please, <a href="index.php">login</a> and come back later!</h1>';
}
?>
<!-- End: All protected data goes in here -->
</div>
<div class="container tutorial-info">
Footer goes here.
</div>
</div>
</div>
Any ideas?
Hi, I want to create a forgotten password page, where the user enters their email address, the script queries the database for that email address, creates a unique ID, stores that unique ID in the database, then emails the unique ID and the User ID off to the user in an HTML link, e.g. http://somesite.com/reset-password.php?userId=2&uniqueId=132832189312978312. The reset page would then match the unique ID to the one in the database and let them enter a new password into the form. OK, so I can do most of that so far except for the emailing to the user. I'm running an Ubuntu Server 10 at the moment as my test server, which is on my local network. Do I need to set up a mail server on that for PHP mailing to work, or can I use some external SMTP for sending? I've had a play round with the PHP mail() function but it won't send anything at the moment.
I'll also need some code for when the site is running in the hosted live environment, as it will likely use their mail servers. What's the best way to go about doing this? Many thanks!
Hi! I'm attempting to do this and feel that I'm fairly close. Would you take a look and throw me any bones? PHP Code:
<?php
if (isset($_POST['ppassword']) && (stristr($string,'') === TRUE)) {
    switch($_POST['ppassword']) {
        case "Google":
            header("Location: http://www.google.com");
            exit();
        case "Yahoo":
            header("Location: http://www.yahoo.com");
            exit();
        case "Bing":
            header("Location: http://www.bing.com");
            exit();
    }
}
?>
The Form:
<form name="portal" id="portal" method="post" action="">
<input name="ppassword" type="text" id="ppassword" maxlength="25" onfocus="this.select()" onblur="this.value=!this.value?'company name':this.value;" value="company name" onclick="this.value=''" />
<input name="login" type="submit" id="login" value="Continue" />
</form>
I appreciate any of your help. I feel close, and this part (stristr($string,'') feels like the missing piece of the puzzle.
Hi all, I've got a website for an event; each team has their details on a page which are recalled from a SQL database. But I'm wanting to create a password input box for each team, so when they enter the correct password they are taken to a page containing forms where they can edit the team details. Here is the page with the users' details on where they enter the password: http://www.wharncliffenetwork.co.uk/wrc/entered/team.php?id=8 I'm not sure how to code it. Can an IF statement be used? Anyone got any pointers? I've been unsuccessful in finding a tutorial or something similar. Hope that makes sense :S Cheers.
When users register for the site, it posts the form to an https version of the site. If there are any errors, it'll stay on the https and I show the form with the fields prefilled with their inputs and the errors shown.
My question is: is it safe to also refill the password field? Anyone here know the answer for sure?
Hi, after following lots of advice and changing to MySqli I am running into a few probs. This is me just probably missing something stupid; I know what I want, but can't figure out what query I should use and where I should place it. All the queries I have tried have failed.
I just need a query that gets the $current_stored_password from the password field on the database, to confirm the last check:
elseif ($current_password !== $current_stored_password) {
    include 'includes/overall/header.php';
    echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
    include 'includes/overall/header.php';
}
Here is the whole script.
<?php
session_start();
error_reporting(0);
//ini_set('display_errors', '1');
require( 'database.php' );
$username = $_SESSION['loggedinuser'];
$current_stored_password = $_SESSION['password'];
$current_password = $_POST['current_password'];
$password = mysqli_real_escape_string($con, md5( $_POST['password']));
$password_again = mysqli_real_escape_string($con, md5( $_POST['password_again']));
// Run checks
if (isset($_POST['current_password'], $_POST['password'], $_POST['password_again'])) {
    if( strlen( $_POST['current_password'] ) < 8 ) {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    } elseif( strlen( $_POST['password'] ) < 8 ) {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    } elseif ( strlen( $_POST['password_again'] ) < 8 ) {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    } elseif ($password !== $password_again) {
        include 'includes/overall/header.php';
        echo ' Password and password again do not match';
        include 'includes/overall/header.php';
    } elseif ($current_password !== $current_stored_password) {
        include 'includes/overall/header.php';
        echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
        include 'includes/overall/header.php';
    } else {
        // Define a query to run
        $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
        // Query the database
        $result = mysqli_query($con,$query);
        // Check if the query failed
        if( !$result ) {
            die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
        } else {
            include 'includes/overall/header.php';
            echo 'Password has been changed';
            include 'includes/overall/footer.php';
        }
    }
}
// Close the connection
mysqli_close($con);
?>
At the moment the message displayed when the form is submitted is
echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
How do I retrieve the password from the database to compare against the current password entered by the user? Any help is much appreciated. PS. Yes, I know I have repeated code and that md5 is not secure, but I am just building onto a template I got and will be making changes to shorten the code and secure the password soon.
Hi, I'm trying to change the password after logging in to the web site. Following is the code that changes the password. However, the password is not changing in the table. Please let me know if I'm making any error in the code below. Thanks.
<?php
$password=mysql_real_escape_string($_POST['newpassword']);
$password2=mysql_real_escape_string($_POST['confirmnewpassword']);
if ( strlen($password) < 5 or strlen($password) > 12 ){
    echo "Password must be more than 5 char legth and maximum 12 char lenght<BR>";
}
if ( $password <> $password2 ){
    echo "Both passwords are not matching";
}
if($password == $password2){
    if(mysql_query("update users set password='$password' where empid='$_SESSION[login]'")){
        echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password every 2 monthsfor better security</font></center>";
    }
}
Hey all.
I am new to this forum and to PHP as a whole. I thought I would try to make a login system using php and mysql. The login and register forms work great but I cannot seem to fully figure out how to let a user change their password. My code partially works. When the user types the correct old password and when the two new password forms confirm, the password changes and the database is updated and the user is taken to a page that tells him that his password was successfully changed. However, the problem is when the old password he types is different than the one in the database, the page that states password successfully changed also appears but the password is not changed in the database. The problem is thus with the SELECT statement. Can anyone please help me find what's wrong. It has been tormenting me for a few hours now. Thank you in advance. I used md5 encryption for the passwords. Here is the section of code that comes after the script makes sure that none of the forms are empty and that the passwords confirm.
//Create SELECT query to verify that the old password is correct
$qry="SELECT * FROM members WHERE login='" . $_SESSION['SESS_USERNAME'] . "' AND passwd='".md5($_POST['opassword'])."'";
$result = mysql_query($qry);
if($result) {
    //Create UPDATE query to replace old password with new password
    $updatepasswd="Update members set passwd='".md5($_POST['npassword'])."' where login='" . $_SESSION['SESS_USERNAME'] . "' AND passwd='".md5($_POST['opassword'])."'";
    $update = mysql_query($updatepasswd);
    //Check whether the query was successful or not
    if($update) {
        header("location: changepasswordsuccess.php");
        exit();
    } else {
        die("Query failed");
    }
} else {
    header("location: passwordchange-failed.php");
}
hi folks, I have a problem with the code to change the password; it shows the message all the time when I send the form: old password dont match!
<?php
session_start();
$user = $_SESSION['first_name'];
if ($user) {
    //user is logged in
    if ($_POST['submit']) {
        //check fields
        $oldpassword = md5($_POST['oldpassword']);
        $newpassword = md5($_POST['newpassword']);
        $repeatnewpassword = md5($_POST['repeatnewpassword']);
        //check password against db
        //connect db
        $connect = mysql_connect("*******","****","****") or die("");
        mysql_select_db("****") or die("");
        $queryget = mysql_query("SELECT password FROM users WHERE username='$user'") or die("Query didnt work !!!");
        $row = mysql_fetch_assoc($queryget);
        $oldpassworddb = $row['password'];
        //check password
        if ($oldpassword==$oldpassworddb) {
            //check to new password
            if ($newpassword==$repeatnewpassword) {
                //success
                //change password in db
                $querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE username='$user'") or die ("");
                session_destroy();
                die("YOUR PASSWORD HAS BEEN CHANGED.<a href='login_form.html'>RETURN</a> TO THE LOGIN PAGE");
            } else die("new password dont match");
        } else die("old password dont match");
    } else {
        echo" <form action='changepassword.php' method='POST'>
        Old password: <input type='text' name='oldpassword'><br/>
        New password: <input type='password' name='newpassword'><br/>
        Repeat new password: <input type='password' name='repeatnewpassword'><br/>
        <input type='submit' name='submit' value='change password'>
        </form>";
    }
} else echo("YOU MUST BE LOGGED IN!!!!.<br><a href='login_form.html'>RETURN</a> TO THE LOGIN PAGE");
?>
please help, thanks!
hello everyone, i try to make a registration script and change password script with PIN as security code. registration script was working perfect, but change password script didn't work. here i give a full code for you to review. here link to file Test.7z I hope someone can help and give me information what i'm missing.
I have a problem w/ a widely used password protect php code. I use a business directory program that allows custom input fields.
I'm using this code to password protect a business listing page in my directory code. I created custom fields for the username & password so a listing can enter their own user/pass, but when I test it, it won't work when I'm calling/echoing the fields. When I hardcode it w/ a user/pass it works. Any ideas on how I should recode this?:
<?php
// Define your username and password
$username = "<?php echo $custom_74; ?>";
$password = "<?php echo $custom_16; ?>";
if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
<p><label for="txtUsername">Username:</label>
<br /><input type="text" title="Enter your Username" name="txtUsername" /></p>
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
} else {
?>
I close the code correctly. <?php echo $custom_74; ?> & <?php echo $custom_16; ?> are just incidentally my custom field echo codes. I have over 150 custom fields working fine for user/listee options. The password protect code won't accept echos, it seems, as coded above.
Thanks, Gene
hi all, i have a page which lists all of my registered users from the mysql database but i want the ability to edit an account. here is my list users code (just shown the appropriate code and not the rest):
<?php
require ('../secure/connect.php');
$sql = "SELECT * FROM users ORDER BY user_level ASC";
$result=mysql_query($sql);
echo '<table width="80%" border="0" cellspacing="5" cellpadding="0">';
echo ' <tr>
<th><p align="left">User ID:</th>
<th><p align="left">User Level:</th>
<th><p align="left">Username:</th>
<th><p align="left">User Title:</th>
<th><p align="left">Email:</th>
<th><p align="left">Actions:</th>
</tr>';
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td><?php echo $rows['userid']; ?></td>
<td><?php echo $rows['user_level']; ?></td>
<td><?php echo $rows['username']; ?></td>
<td><?php echo $rows['user_title']; ?></td>
<td><?php echo $rows['email']; ?></td>
<td><a href="edit_account.php?id=">Edit Account</a></td>
</tr>
<?php } ?>
this lists my users nicely. as you can see i put in an edit account action at the end with an empty id= because that may be a way of doing it, but im not sure what else to do or if there is a better way of doing it. any help would be great!
I am having a problem with my User Log-In... When a User creates an account on my website, an e-mail is sent that looks like this...
Congratulations! Your account has been created, and a confirmation e-mail sent to: "john.doe@mail.com" Please click on the link in that e-mail to activate your account.
Then when they click on the link, it takes them to my 'activate.php' page which updates the User's record by removing the Activation Code. The "Activation" seems to work fine. However, the problem that I just realized is that I am doing nothing to prevent someone from Registering, NOT Activating his/her account, but still being able to Log In?! I guess what I need to do when a User logs in is check to be sure that the "activation_code" column is NULL, right?
Here is a snippet of my Log In script...
if (empty($errors)){ // Valid form data.
    // ************************
    // Find Member Record. *
    // ************************
    // Connect to the database.
    require_once(WEB_ROOT . 'private/mysqli_connect.php');
    // Build query.
    $q = 'SELECT id, first_name FROM member WHERE email=? AND pass=?';
    // Prepare statement.
    $stmt = mysqli_prepare($dbc, $q);
    // Bind variables to query.
    mysqli_stmt_bind_param($stmt, 'ss', $email, $pass);
    // Execute query.
    mysqli_stmt_execute($stmt);
    // Store results.
    mysqli_stmt_store_result($stmt);
    // Check # of Records Returned.
    if (mysqli_stmt_num_rows($stmt)==1){ // Member was Found.
        // Bind result-set to variables.
        mysqli_stmt_bind_result($stmt, $memberID, $memberFirstName);
        // Fetch record.
        mysqli_stmt_fetch($stmt);
        // Set Session variables.
        $_SESSION['memberID'] = $memberID;
        $_SESSION['memberFirstName'] = $memberFirstName;
        $_SESSION['loggedIn'] = TRUE;
What would be the best way to fix this? Thanks, Debbie
I am looking to see if I could use one of the PayPal features to pay two different accounts from a single transaction, and does PayPal do that automatically? I was checking the immediate payment for a third party from the express checkout but I don't know that much about it. Does anyone know how to achieve this?
How can I detect someone who is using a proxy and has 2 or more accounts on my website? Or anyway, the important thing for me is that they don't cheat, because I have a competition and it's forbidden to have 2 or more accounts.