Reset password - can't login after reset

hbradshaw

Hello:

I have a script which resets a password for a user. The user receives an email with the new password. The script works correctly because I receive an email with the new password. To verify that the password values changed, I compared the previous value to the new and they are different.

So I then attempted to login using the new password and I receive login fails.

I then tested my login using the old password and the login fails as well. So now the user can't login with the old or new password.

I do not understand what is going wrong Can someone help me out?

Thank you in advance.

Here is the lost password script:

<?php

include "conn.inc.php";
switch($_REQUEST['req'])
{
case "recover":

$sql = mysql_query("SELECT * FROM member
WHERE
memberid = '{$_POST['memberid']}'
");

if(mysql_num_rows($sql) == 1)
{
while($row = mysql_fetch_assoc($sql))
{
$alphanum = "abchefghjkmnpqrstuvwxyz0123456789";
for ($i=0; $i <= 10; $i++) {
$num = rand() % 33;
$tmp = substr($alphanum, $num, 1);
$newpass = $newpass . $tmp;
$i++;
}
$update = mysql_query("UPDATE member
SET password = '".md5($newpass)."'
WHERE memberid='{$row['memberid']}'");
stripslashes(extract($row));
}
if(!$update)
{
header("Location: http://www.bridgemilltennis.com/login_form.php");
}
else
{
echo '<p align="center">Password Reset! '.
'Please check your email for your new '.
'password.</p>';

include ('clsEmailpw.php');

	   $mailer = &new Email;
	   $mailer->ToMail = $email;
     $mailer->FromMail = "support@summitwebcrafters.com";
     $mailer->FromName = "Technical Support";
     $mailer->Subject = "New Password";
     $mailer->Message = "Dear $first_name,\n\n".
                        "You have requested a new ".
                        "password.".
                        "Below is your new login ".
                        "informaiton:\n\n".
                        "=====================\n".
                        "Username: $username\n".
                        "New Password: $newpass\n".
                        "=====================\n\n".
                        "You may login at any time ".
                        "at [url]http://www.bridgemilltennis.com/login_form.php\n\n[/url]".
                        "Thank You!\n".
                        "Site Administrator";
    $mailer->SendMail();


	}

} else
{
header("Location: http://www.bridgemilltennis.com/lost_password.php");
exit;
}
break;
}
?>

=======

Here is the login script:

<?php
include "conn.inc.php";
switch($_REQUEST['req'])
{
case "validate":

$validate = mysql_query("SELECT * FROM member WHERE
username = '$POST[username]' AND password = password('$POST[password]')") or
die (mysql_error());

if (mysql_num_rows($validate) == 1)
{
while($row = mysql_fetch_assoc($validate))
{
$SESSION['login'] = true;
$SESSION['memberid'] = $row['memberid'];
$SESSION['first_name'] = $row['first_name'];
$SESSION['last_name'] = $row['last_name'];
$SESSION['email'] = $row['email'];
$SESSION['phone1'] = $row['phone1'];
$_SESSION['phone2'] = $row['phone2'];
}
header("Location: http://www.bridgemilltennis.com/member-area.htm");
}
else
{
header("Location: http://www.bridgemilltennis.com/login_form.php");
exit;
}
break;
}
?>

bradgrafelman

A few things:

Echo your $update SQL query to the screen; make sure it looks correct and post it if your not sure.
Echo your $validate SQL query (in the login screen); same reasons as above.
Are you sure your 'password' field is long enough to accomodate the MD5 string? What's the column length/type of 'password' in your table?
Change password('$POST[password]') to MD5('" . $POST[password]. "') and see if that makes a difference.

EDIT: Did this problem resolve itself? Did you make an error? I registered a test username, submitted a PW request, and logged in sucessfully with the new password that was mailed to me...

hbradshaw

Hello:

Yes, I checked everything. My field is long enough. It's set to 255. Also changed from password to md5 and that didn't work either.

The password goes to the database encrypted but I can't decrypt it coming back.

The password is entered via a form using input type="password". I think the encryption begins here.

Not sure what to do.

bradgrafelman

type="password" in no way encrypts data.

Also, read my EDIT from above post...

hbradshaw

In regard to your edit, I made the following changes:
- input type=text instead of password
- for $_POST[password] - there is no MD5 or anything.

When you register, the password which is stored is the actual password. That's why the script is working.

My next step was to back track and modify my form again and use input type=password.

EDIT:
if you go to this URL:
http://www.bridgemilltennis.com/view.php;
you can actually see the data in the table. The first few records are the ones with the encrypted password. Then as you scroll you can tell which ones were reset and encrypted and finally which ones were reset and stored the way they were posted.

bradgrafelman

Don't worry about using "input type='password'"; that does not disturb the data in any way, shape, or form.

It's just a matter of using MD5() when inserting into the DB, and MD5() on the POST'd data in PHP when comparing it to the DB (don't use md5() on the DB supplied password, obviously).

If you can't get it, post a fresh copy of your code (USE

 tags this time!!) and I'll try to sort it out for you.

hbradshaw

Hi,

I apologize for not responding earlier. I'm trying to solve a ton of issues.

I back tracked my work and my scripts are working. I'm able to reset a password and then login with the new password. In addition, I'm using MD5 for the password.

Thank you for all your help.

bradgrafelman

Please mark this thread RESOLVED if it is.