Error shows variable undefined... yet it is

iblackedout

Hi,

I've been working on debugging this "forgot password" script for a few days now yet I still can't get passed the error that comes up.

The way the script works is the user enters his email and clicks submit. The script then generates a random password, sends it to the email address along with the username, encrypts it and stores it in the database.

Now everything works except the actual generation of a random password. My script looks fine to me but what do i know?

Here is the code:

<?php
	ini_set ("display_errors", "1");
	error_reporting(E_ALL);

//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

//Sanitize the POST values
$email = clean($_POST['email']);

$valmail = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$";

//Input Validations
if (eregi($valmail, $email))
{
	if($email == '') {
		$errmsg_arr[] = 'Email address missing';
		$errflag = true;
	}	
} else {
	$errmsg_arr[] = 'Email address is not valid';
	$errflag = true;
}		
//Check to see if email is linked to an account
if($email != '') {
	$qry = "SELECT * FROM members WHERE email='$email'";
	$result = mysql_query($qry);
	if($result) {
		if(mysql_num_rows($result) < 1) {
			$errmsg_arr[] = 'Email address entered is not linked to an account';
			$errflag = true;
		}
		@mysql_free_result($result);
	}
	else {
		die("Query failed");
	}
}

//If there are input validations, redirect back to the registration form
if($errflag) {
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();
	header("location: forgot.php");
	exit();
}

//Get username linked to email so it can be emailed along with password
	$qry = "SELECT username FROM members WHERE email='$email'";
	$result = mysql_query($qry);
//Checks success of query, if successful define $username
if($result) {
	$row = mysql_fetch_assoc($result);
	$username = $row["username"];
} else {
	die("Error. Cannot get username from database. Please Contact Webmaster");
}

function randomPassword ($length = 8)
{

  // start with a blank password
  $randpw = "";

  // define possible characters
  $charlist = "0123456789bcdfghjkmnpqrstvwxyz"; 

  // set up a counter
  $i = 0; 

  // add random characters to $randpw until $length is reached
  while ($i < $length) { 

// pick a random character from the possible ones
$char = substr($charlist, mt_rand(0, strlen($charlist)-1), 1);

// we don't want this character if it's already in the password
if (!strstr($randpw, $char)) { 
  $randpw .= $char;
  $i++;
}
  }
}	
  		// email the random password to the email address the user entered
		mail($email,"Account Login Details","Your username is $username and your new password is $randpw","From: noreply@jammontreal.com");
		// use md5 to encrypt the random password and store it in database
		$encpw = md5($randpw);
		$qry = "UPDATE members SET password ='$encpw' WHERE email ='$email'";
		$result = @mysql_query($qry);
		//Check whether the query was successful or not
		if($result) {
			header("location: sentpw.php");
			exit();
		} else {
			die("Error. Cannot set new password. Please Contact Webmaster");
		}
?>

I get the following error messages:


Notice: Undefined variable: randpw in /home/noel695/domains/noeljourneaux.com/public_html/login/doreset.php on line 116

Notice: Undefined variable: randpw in /home/noel695/domains/noeljourneaux.com/public_html/login/doreset.php on line 118

Warning: Cannot modify header information - headers already sent by (output started at /home/noel695/domains/noeljourneaux.com/public_html/login/doreset.php:116) in /home/noel695/domains/noeljourneaux.com/public_html/login/doreset.php on line 123

Did I not define $randpw? I'm pretty sure I did.

laserlight

Firstly, you need to format your code properly, e.g.,

<?php
ini_set ("display_errors", "1");
error_reporting(E_ALL);

//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$email = clean($_POST['email']);

$valmail = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$";

//Input Validations
if (eregi($valmail, $email))
{
    if($email == '') {
        $errmsg_arr[] = 'Email address missing';
        $errflag = true;
    }
} else {
    $errmsg_arr[] = 'Email address is not valid';
    $errflag = true;
}
//Check to see if email is linked to an account
if($email != '') {
    $qry = "SELECT * FROM members WHERE email='$email'";
    $result = mysql_query($qry);
    if($result) {
        if(mysql_num_rows($result) < 1) {
            $errmsg_arr[] = 'Email address entered is not linked to an account';
            $errflag = true;
        }
        @mysql_free_result($result);
    }
    else {
        die("Query failed");
    }
}

//If there are input validations, redirect back to the registration form
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: forgot.php");
    exit();
}

//Get username linked to email so it can be emailed along with password
$qry = "SELECT username FROM members WHERE email='$email'";
$result = mysql_query($qry);
//Checks success of query, if successful define $username
if($result) {
    $row = mysql_fetch_assoc($result);
    $username = $row["username"];
} else {
    die("Error. Cannot get username from database. Please Contact Webmaster");
}

function randomPassword($length = 8)
{
    // start with a blank password
    $randpw = "";

// define possible characters
$charlist = "0123456789bcdfghjkmnpqrstvwxyz";

// set up a counter
$i = 0;

// add random characters to $randpw until $length is reached
while ($i < $length) {
    // pick a random character from the possible ones
    $char = substr($charlist, mt_rand(0, strlen($charlist)-1), 1);

    // we don't want this character if it's already in the password
    if (!strstr($randpw, $char)) {
        $randpw .= $char;
        $i++;
    }
}
}

// email the random password to the email address the user entered
mail($email,"Account Login Details","Your username is $username and your new password is $randpw","From: noreply@jammontreal.com");
// use md5 to encrypt the random password and store it in database
$encpw = md5($randpw);
$qry = "UPDATE members SET password ='$encpw' WHERE email ='$email'";
$result = @mysql_query($qry);
//Check whether the query was successful or not
if($result) {
    header("location: sentpw.php");
    exit();
} else {
    die("Error. Cannot set new password. Please Contact Webmaster");
}
?>

Now, it is easy to see that $randpw is only defined as a local variable in randomPassword(), but randomPassword() is never called, so you could not have saved its return value in another variable either. Hence, before mail() is called, write:

$randpw = randomPassword();

Incidentally, you might want to avoid interspersing your function definitions with other code as it can be confusing. You could place them all at the start of the file, or even in an include file.

Also, you should use a salt for the password. Consider at least using [man]sha1/man instead of md5() (though MD5 is not broken for password hashing either).

iblackedout

Thanks for the reply.

I can't believe I made such a blatant mistake. Then again, I haven't been scripting in PHP for very long.

As for sh1 encryption, I will make the switch.

I have one question about salting, though. Salting is used to avoid a hacker decrypting a hash stored in a database. I know it adds a random string to the password before encrypting it which makes decrypting the actual hash and extracting the password from it impossible. However, for the password stored in the database and the inputted password to match, they must be assigned the same salt. For the script to know which salt to assign to which password (assuming the salt is unique for each user) it must see which salt is stored for that password in the database.

Now here is my question: If your database is compromised, what stops the hacker from knowing what the salt/string assigned to each user is and then removing it from the decrypted hash to reveal the password?

laserlight

iblackedout wrote:
Now here is my question: If your database is compromised, what stops the hacker from knowing what the salt/string assigned to each user is and then removing it from the decrypted hash to reveal the password?

The cryptographic hash algorithm itself. You may have the salt and the hash, but that is not enough to compute the original password, assuming that the cryptographic hash algorithm is preimage attack resistant (and both MD5 and SHA-1 qualify, for now).

iblackedout

laserlight;10893248 wrote:
assuming that the cryptographic hash algorithm is preimage attack resistant (and both MD5 and SHA-1 qualify, for now).

So if the hash is attack resistant, what is the point of salting it? I'm sorry for being hardheaded, but I just can't see the utility of a salt. Could you give me an example of a non-salted password being compromised and show how the salt would of prevented this, if it's not too much to ask?

Edit: Did some research and answered my own question. 😉

laserlight

Remember to mark this thread as resolved (if it is) using the thread tools.

You might also want to post your own answer, both so that other people can correct any misconceptions that you might have, and so that people who search and find this thread can get the answer that they were looking for.