membership addon help

danielneri

SOLVED

i want to make my index.php homepage so that once the user logs in, the login box on the right hand side disappears and the mini-bio shows.

my homepage is:
www.eliteczlteam.com

i got the script working fine after browsing through the forums becuause i had a few errors. they got fixed so im assuming you guys can help me.

NOT SOLVED
see below please

danielneri

okay so nevermind i got another membership system and now its working fine.

i have another question though, this one might be a little easier to answer.

I got a forgot password/mail password script off some site because the membership system i have didnt come with with, and i tweaked it fine.
Everything works fine, it pulls the username and password out of the database and sends it in a mail all fine, but when the mail arrives, the password is still encrypted.
I need to know how to decrypt mysql-stored passwords to send in a mail?

Any ideas?

Thanks Alot!

Nuvo

With MD5, it's not easily possible to decrypt data since it's hashed rather than being encrypted in the same way that other encryption systems do it.
In order to have forgotten password script, you'd need to have a script which could change the password to something else and then mail a copy of the unencrypted password to the user.
MD5 is hard to decrypt unless you know what was encrypted since it was only ever designed to generate a 32 character string from anything it's used on.
Other systems such as Blowfish aren't overly available in PHP unless you set about coding the encryption engines yourself, which would take a while and be impractical.

danielneri

Nuvo,
So basically you want me to tweak the script so that it would change the mysql password field to a temporary password, then mail that password to the end user?

Wouldnt that leave the password row non-hashed?
Or what your saying is that the script hashs a password and then inputs it into the database, and then unhashes it and sends it to the user?

Could you possibly give me an example of a script that would do that?

Thanks Alot

Nuvo

Basically, what you do is generate a random string of letters and numbers or even just a word (less secure) and then use md5() on it, but keep a copy of it unhashed.
Then you pudate your database so that the password is the hashed version of the string you just created.
You can then send an e-mail containing the unhashed password and anything else you want so they can use the new password to log in.

danielneri

ok so could you give me an example script? just a rough version would be fine. im not sure i know how to update the database with the hashed version and email the unhashed version

thanks

Nuvo

Lets say you already have the new password generated (because I suck at PHP random generation) and it's password (imagination == 0), you'd do something like:

 <?php
  $unhashed = $password;
  $hashed = md5($unhashed);
  
  $mailstring = "This mail was generated by the our password recovery system, don't reply!!<br />Your new password is <strong>".$hashed."</strong> please remember it :p";

  $query = "UPDATE `members` SET `password` = '".$hashed".' WHERE `username` = 'yourusername' LIMIT 1 ;
$runq = mysql_query($query) or die(mysql_error());

 //whatever you're using to send your e-mail goes here...
?>

Python or someone would probably be able to give you a better explination since PHP isn't my main programming language

Python

From what I can see the above script wont do itk... Because that would show the user with a 32 character password which is the encrypted version. Then if they tried to login with this then when the script encrypts that it would mean it is encrypted an already encrypted password and wouldnt match the value in the db.

As far as I know if your using encrypted passwords then the only way to do a password forgot feature is to reset the password.... and then email the unencrypted version to the user before it is encrypted with md5() and inserted into the database.

Get me?

Nuvo

Oops... that should say $unhashed
That's what happens when you're coding something in another language while posting PHP :P

Python

That would explain it

danielneri

so basically i need to get a script that generates a password, mails it to the user, then encrypts it, then updates the database?

Nuvo

Yeah, that's pretty much it.
That's the only real way to do it if you're hashing passwords with md5()...

danielneri

YES! i finally created my first php script, but there are a few errors. Everything works fine, the script executes, and then sends a mail to the user.
Though when the user receives the mail, somehow the information is not being properly pulled out of the database, and this is the result:

This is in response to your request for login details at Clan |TgK|

Login ID: ''
Password: ''

Thank You

Clan |TgK| Admin

$email=mysql_real_escape_string($email);
$status = "OK";
$msg="";
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
if (!stristr($email,"@") OR !stristr($email,".")) {
$msg="Your email address is not correct<BR>"; 
$status= "NOTOK";}

$query="SELECT email,password FROM users WHERE users.email = '$email'";
$st=mysql_query($query);
$recs=mysql_num_rows($st);
$row=mysql_fetch_object($st);
$em=$row->email;// email is stored to a variable



//password is being pulled up.

$query2="SELECT email,password FROM users WHERE users.password = '$password'";
$st2=mysql_query($query2);
$recs2=mysql_num_rows($st2);
$row2=mysql_fetch_object($st2);
$fm=$row2->password;//current password is stored to a variable
if ($recs == 0) {  echo "<center><font face='Verdana' size='2' color=red><b>No Password</b><br> Sorry Your address is not there in our database . You can signup and login to use our site. <BR><BR><a href='signup.html'> Sign UP </a> </center>"; exit;}

if($status=="OK"){  

 if(mail("$em","Your Request for login details","This is in response to your request for login details at Clan |TgK| \n \nLogin ID: '$row->userid' \n Password: '$row2->password' \n\n Thank You \n \n Clan |TgK| Admin")){echo "<center><font face='Verdana' size='2' ><b>THANK YOU</b> <br>Your password has been emailed to $em. Please check your mail after some time.<br><br> You will be redirected in 3 seconds. </center></font>";
 
 }
 

mysql_query("UPDATE users SET password='$hashed' WHERE password='$fm'"); 

}

Any help is greatly appreciated.

you can the the script in action for yourself at http://www.eliteczlteam.com/forgot-password.php

danielneri

also, im having header output issues,

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /mounted-storage/home6/sub003/sc13330-VFPN/www/forgotpassworddev.php:1) in /mounted-storage/home6/sub003/sc13330-VFPN/www/include/session.php on line 46

I know its a very common error, but this time i dont know what to do.

danielneri

ok scratch that, i figured out something. its not updating the database somehow, so i need an appropriate syntax for updating.
i've tried a million different formats upto now. im going crazy!! :mad:

the current code im using is:

mysql_query("UPDATE 'users' SET 'password'='$hashed' WHERE 'password'='$fm'");

that doesnt seem to be working...

this is the way my database is setup


database4 >
users>
*username* >
username, password, userid, userlevel, email, timestamp


i need an update command that will update the password field. any ideas?

Python

try this:

[PHP]mysql_query("UPDATE 'users' SET 'password'='".$hashed."' WHERE 'password'='".$fm."'");[/PHP]

danielneri

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /mounted-storage/home6/sub003/sc13330-VFPN/www/forgotpassworddev.php:1) in /mounted-storage/home6/sub003/sc13330-VFPN/www/include/session.php on line 46

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /mounted-storage/home6/sub003/sc13330-VFPN/www/forgotpassworddev.php on line 180

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /mounted-storage/home6/sub003/sc13330-VFPN/www/forgotpassworddev.php on line 181
THANK YOU
Your password has been emailed to danielneri@bellsouth.net. Please check your mail after some time.

You will be redirected in 3 seconds.


dontknow..

danielneri

 <?

include "include/session.php";
include "include/constants.php";
// start secure password generator

$config_NumberOfWords = 2; 
$config_MaxNumberOfDigitBetweenWords = 2; 
$config_DigitsAfterLastWord = TRUE; 

function secure_password_generate ($debug=FALSE) { 
    // thank you yaragn! 
    global $config_NumberOfWords, $config_MaxNumberOfDigitBetweenWords, $config_DigitsAfterLastWord; 
    mt_srand ((float) microtime() * 1000000); 
    $securePassword = ""; 
     
    $safeEnglishWords = secure_password_get_words(); 
    $count = count($safeEnglishWords); 
    FOR ($i=0; $i < $config_NumberOfWords; $i++) { 
        $securePassword .= $safeEnglishWords[mt_rand(0,$count)]; 
        If ($config_DigitsAfterLastWord OR $i + 1 != $config_NumberOfWords) $securePassword .= mt_rand(0,pow(10,$config_MaxNumberOfDigitBetweenWords) -1); 
    } 
    If ($debug) { 
        $combinations = pow($count, $config_NumberOfWords) * pow(10, $config_MaxNumberOfDigitBetweenWords * ($config_NumberOfWords - 1)); 
        echo $combinations . " number of combinations.<br>"; 
        echo floor(pow($combinations, 0.5)) . " relative stength.<br>"; 
        // relative strength principle based on rough mean - root of the number of combinations is the time to find a single password 
    } 
    return $securePassword; 
} 

$unhashed="$securePassword";
$hashed=md5($unhashed);


function secure_password_get_words () { 
    // slightly modified data from [url]http://www.rick.harrison.net/annex/specialeng.txt[/url] - many thanks Rick Harrison! 
    $array = Array( 'a', 'able', 'about', 'above', 'accept', 'accident', 'accuse', 'across', 'act',  
'activist', 'actor', 'add', 'administration', 'admit', 'advise', 'affect', 'afraid', 'after', 'again', 
 'against', 'age', 'agency', 'aggression', 'ago', 'agree', 'agriculture', 'aid', 'aim', 'air',  
'airplane', 'airport', 'alive', 'all', 'ally', 'almost', 'alone', 'along', 'already', 'also',  
'although', 'always', 'ambassador', 'amend', 'ammunition', 'among', 'amount', 'an', 'anarchy',  
'ancient', 'and', 'anger', 'animal', 'anniversary', 'announce', 'another', 'answer', 'any',  
'apologize', 'appeal', 'appear', 'appoint', 'approve', 'area', 'argue', 'arms', 'army', 'around',  
'arrest', 'arrive', 'art', 'artillery', 'as', 'ash', 'ask', 'assist', 'astronaut', 'asylum', 'at',  
'atmosphere', 'atom', 'attack', 'attempt', 'attend', 'automobile', 'autumn', 'awake', 'award', 'away',  
'back', 'bad', 'balance', 'ball', 'balloon', 'ballot', 'ban', 'bank', 'bar', 'base', 'battle', 'be', 
 'beach', 'beat', 'beauty', 'because', 'become', 'bed', 'beg', 'begin', 'behind', 'believe', 'bell', 
 'belong', 'below', 'best', 'betray', 'better', 'between', 'big', 'bill', 'bird', 'bite', 'bitter', 
 'black', 'blame', 'blanket', 'bleed', 'blind', 'block', 'blood', 'blow', 'blue', 'boat', eparate', 'series',  
'serious', 'sermon', 'serve', 'set', 'settle', 'several', 'severe', 'sex', 'shake', 'shape', 'share', 'sharp', 'she', 'shell',  
'shine', 'ship', 'shock', 'shoe', 'shoot', 'short', 
 'should', 'shout', 'show', 'shrink', 'shut', 'sick', 'side', 
 'sign', 'signal', 'silence', 'silver', 'similar', 'simple', 'since', 'sing', 'sink', 'sister', 'sit', 'situation', 'size',  
'skeleton', 'skill', 'skull', 'sky', 'slave', 'sleep', 'slide', 'slow', 'small', 'smash', 'smell', 'smile', 'smoke',  
'smooth', 'snow', 'so', 'social', 'soft', 'soldier', 'solid', 'solve', 'some', 'son', 'soon', 'sorry', 'sort', 'sound',  
'south', 'space', 'speak', 'special', 'speed', 'spend', 'spill', 'spilt', 'spirit', 'split', 'sports', 'spread', 'spring',  
'spy', 'stab', 'stamp', 'stand', 'star', 'start', 'starve', 'state', 'station', 'statue', 'stay', 'steal', 'steam', 'steel',  
'step', 'stick', 'still', 'stomach', 'stone', 'stop', 'store', 'storm', 'story', 'stove', 'straight', 'strange', 'street',  
'stretch', 'strike', 'strong', 'struggle', 'stubborn', 'study', 'stupid', 'submarine', 'substance', 'substitute',  
'subversion', 'succeed', 'such', 'sudden', 'suffer', 'sugar', 'summer', 'sun', 'supervise', 'supply', 'support', 'suppose',  
'suppress', 'sure', 'surplus', 'surprise', 'surrender', 'surround', 'survive', 'suspect', 'suspend', 'swallow', 'swear',  
'sweet', 'swim', 'sympathy', 'system', 'take', 'talk', 'tall', 'tank', 'target', 'task', 'taste', 'tax', 'teach', 'team',  
'tear', 'tears', 'technical', 'telephone', 'telescope', 'television', 'tell', 'temperature', 'temporary', 'tense', 'term',  
'terrible', 'territory', 'terror', 'test', 'textiles', 'than', 'thank', 'that', 'the', 'theater', 'then', 'there', 'thick',  
'thin', 'thing', 'think', 'third', 'this', 'threaten', 'through', 'throw', 'tie', 'time', 'tired', 'tissue', 'to', 'today',  
'together', 'tomorrow', 'tonight', 'too', 'tool', 'top', 'torture', 'touch', 'toward', 'town', 'trade', 'tradition',  
'tragic', 'train', 'traitor', 'transport', 'trap', 'travel', 'treason', 'treasure', 'treat', 'treaty', 'tree', 'trial',  
'tribe', 'trick', 'trip', 'troops', 'trouble', 'truce', 'truck', 'trust', 'try', 'turn', 'under', 'understand', 'unite',  
'universe', 'university', 'unless', 'until', 'up', 'urge', 'urgent', 'use', 'usual', 'valley', 'value', 'vehicle', 'version',  
'veto', 'vicious', 'victim', 'victory', 'village', 'violate', 'violence', 'violin', 'virus', 'visit', 'voice', 'volcano',  
'vote', 'voyage', 'wages', 'wait', 'walk', 'wall', 'want', 'war', 'warm', 'warn', 'wash', 'waste', 'watch', 'water', 'wave',  
'way', 'weak', 'wealth', 'weapon', 'wear', 'weather', 'weigh', 'welcome', 'well', 'west', 'wet', 'what', 'wheat', 'wheel',  
'when', 'where', 'which', 'while', 'white', 'who', 'why', 'wide', 'wife', 'wild', 'will', 'willing', 'win', 'wind', 'window', 
 'wire', 'wise', 'wish', 'with', 'withdraw', 'without', 'woman', 'wonder', 'wood', 'woods', 'word', 'work', 'world', 'worry', 
 'worse', 'wound', 'wreck', 'write', 'wrong', 'year', 'yellow', 'yes', 'yesterday', 'yet', 'you', 'young'); 
    return $array; 
} 

// end secure password generator

$email=mysql_real_escape_string($email);
$status = "OK";
$msg="";
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
if (!stristr($email,"@") OR !stristr($email,".")) {
$msg="Your email address is not correct<BR>"; 
$status= "NOTOK";}

$query="SELECT email,password FROM users WHERE users.email = '$email'";
$st=mysql_query($query);
$recs=mysql_num_rows($st);
$row=mysql_fetch_object($st);
$em=$row->email;// email is stored to a variable



//password is being pulled up.

$query2="SELECT password FROM users WHERE users.password = $password";
$st2=mysql_query($query2);
$recs2=mysql_num_rows($st2);
$row2=mysql_fetch_object($st2);
$fm=$row2->password;//current password is stored to a variable
if ($recs == 0) {  echo "<center><font face='Verdana' size='2' color=red><b>No Password</b><br> Sorry Your address is not there in our database . You can signup and login to use our site. <BR><BR><a href='signup.html'> Sign UP </a> </center>"; exit;}

{  

 $headers4="admin@eliteczlteam.com";         ///// Change this address within quotes to your address ///
$headers.="Reply-to: $headers4\n";
$headers .= "From: $headers4\n"; 
$headers .= "Errors-to: $headers4\n"; 
 if($status=="OK");
 mail("$em","Your Request for login details","This is in response to your request for login details at Clan |TgK| \n \nLogin ID: $row->userid \n Password: $row2->password \n\n Thank You \n \n Clan |TgK| Admin, $headers");
 echo "<center><font face='Verdana' size='2' ><b>THANK YOU</b> <br>Your password has been emailed to $em. Please check your mail after some time.<br><br> You will be redirected in 3 seconds. </center></font>";
 
 }
 

mysql_query("UPDATE 'users' SET 'password'='".$hashed."' WHERE 'password'='".$fm."'"); 



?>

thats the whole code, took out some words from gen to make it fit

$cripts

you might want to do it so it uses the user's id instead of password....
mysql_query("update users set password='".$hashed."' where user_id='"$user_id."'");

eh...the header errors r youve started a session after some stuff was outputted....as far as the mysql_errors might be a miss type somewhere

danielneri

whats the point in changing the userid?

Python

That doesnt change the userid. That simply uses the userid to find which users password to update. Its better to use the userid because they are unique whereas two or more users could have the same password

danielneri

ok i just got so fedup with this whole thing i went out and got this free script that "seems" to work...lets see if it can actually do anything!