Question:
PHP MySQL password reset for a website?
cool_stuff
2012-08-26 20:57:45 UTC
I made a password reset page for my websites for the members. When they are logged in they can change their password. I have a form with 'old password' 'new password' and 'password confirmation'. The php processing file is meant to first check whether the 'old password' matches the current one in the database for the member.

I'm not sure whether the mysql query I used is correct to check the old password. So currently my password reset function isn't working.

Here are the files:

This is the password reset page:

http://pastebin.com/va1FZQP6

These are the mysql functions:

http://pastebin.com/4crNzVBM

Can someone please check this for me.
Four answers:
Ratchetr
2012-08-26 21:18:25 UTC
You are making 2 rather common newbie mistakes. The second one is the reason your password reset isn't working, but I'm not going to tell you how to fix that until you fix the first issue. Right now you don't understand web site security enough to be trusted with storing email addresses and passwords.

You are storing the passwords in plain text. I type my email 'foo@bar.com' and password '1234' and you store foo@bar.com and 1234 in your database, right? That is a BIG NO NO. You *never* want to store 1234 in your database for my password. Why? Because if someone hacks your site (and since you are a newbie using PHP/MySQL, there is an unreasonably high probability that you could get hacked), they will steal my email address AND know my password. And people are creatures of habit. They tend to use the same password on multiple sites. So one bad website can expose a user's password for multiple sites.

You need to learn how to use password hashing first. See link. Once you have code that does that, come back and ask again, assuming it still isn't working. (But you should be able to answer both questions from the link).
anonymous
2014-08-11 12:36:15 UTC
Well

This is a link where you can download for free Password Recovery http://j.mp/1r4Wm8s

It's a very simple and nice software.

Cheers.
pilat
2016-10-22 09:14:57 UTC
Properly, without extra information, it is difficult to assert precisely what you're searching for. Notwithstanding, it variety of feels that the least confusing aspect will be to have a column for website and a person id which will be equipped dynamically, and then purely use a uri redirect.
anonymous
2012-08-27 01:50:16 UTC
What Ratchetr said.

Plus being a newbie, I know you have left your site open to SQL injection.

How to protect against that? Look it up, you'll learn some stuff.
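A worked version of what Ratchetr's answer (hash the password, never store it in plain text) and the answer above (close the SQL injection hole) both recommend, added here as an example; it is not the asker's pastebin code nor any answerer's. It assumes a `members` table with columns `id` and `password_hash`, a logged-in member id in `$_SESSION['member_id']`, and the three form fields from the question posted as `old_password`, `new_password` and `password_confirmation`; all of those names are assumptions, as are the database credentials.

```php
<?php
// Added example, not the asker's code. Assumed: table `members` (id, password_hash),
// $_SESSION['member_id'] set at login, and the three form fields named below.
declare(strict_types=1);

session_start();

// Assumed connection details. ERRMODE_EXCEPTION turns SQL failures into
// exceptions instead of silent false returns; disabling emulated prepares
// makes MySQL itself bind the parameters server-side.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * Change the logged-in member's password.
 * Returns null on success, or an error message to show in the form.
 */
function changePassword(PDO $pdo, int $memberId, string $old, string $new, string $confirm): ?string
{
    if ($new !== $confirm) {
        return 'New password and confirmation do not match.';
    }
    if (strlen($new) < 8) {
        return 'New password must be at least 8 characters.';
    }

    // Prepared statement: the member id is bound as a parameter, never spliced
    // into the SQL string, so user-controlled input cannot change the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE id = :id');
    $stmt->execute([':id' => $memberId]);
    $row = $stmt->fetch();
    if ($row === false) {
        return 'Member not found.';
    }

    // The database holds only a salted hash. password_verify() re-hashes the
    // typed old password with the stored salt/cost and compares in constant time,
    // so the "does the old password match?" check never touches plain text.
    if (!password_verify($old, $row['password_hash'])) {
        return 'Old password is incorrect.';
    }

    // Store a new hash, never the password itself. PASSWORD_DEFAULT is bcrypt
    // today and is allowed to move to a stronger algorithm in later PHP versions.
    $newHash = password_hash($new, PASSWORD_DEFAULT);

    $upd = $pdo->prepare('UPDATE members SET password_hash = :hash WHERE id = :id');
    $upd->execute([':hash' => $newHash, ':id' => $memberId]);

    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['member_id'])) {
    $error = changePassword(
        $pdo,
        (int) $_SESSION['member_id'],
        $_POST['old_password'] ?? '',
        $_POST['new_password'] ?? '',
        $_POST['password_confirmation'] ?? ''
    );
    // Escape before echoing so a message cannot inject markup into the page.
    echo $error === null ? 'Password updated.' : htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
```

The same two habits carry over to the login and registration code: registration calls `password_hash()` before the INSERT, login calls `password_verify()` against the stored hash, and every query that includes a value from the request goes through `prepare()`/`execute()` with bound parameters rather than string concatenation. If the site already has a plain-text password column, the usual migration is to hash each existing value once and drop the plain-text column, since the hash cannot be reversed later.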


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.