Thread: Problem using the generated password with my php code.

Hi all i created a page that it generates log in password for users. Beleow u see a part of the code and it generates the password and it supposed to email it. The problem is that i am testing this locally and it does not email the password since i do not have any smtp for email . Therefore, i went to mysql db and found the pass word that created for me as some thing like this :*BEE77AB0FB9380C

I tried to use that but it does not work and i keep getting Access Denied massage from access.php part!! I be happy if an expert give me a way so that i be able to use the assigned password and be able to test my prog .Thanks


registerationpage.php code

Code:

$newpass = substr(md5(time()),0,6);

    
    
    $sql = "INSERT INTO user SET
              userid = '$_POST[newid]',
              password = PASSWORD('$newpass'),
              fullname = '$_POST[newname]',
              email = '$_POST[newemail]',
              notes = '$_POST[newnotes]'";
    if (!mysql_query($sql))
        error('A database error occurred in processing your '.
              'submission.\\nIf this error persists, please '.
              'contact [email protected].\\n' . mysql_error());
              
    // Email the new password to the person.
    $message = "   your new password    
     userid: $_POST[newid]
    password: $newpass               ";

    mail($_POST['newemail'],"Your Password for the Project Website",
         $message, "From:Your Name <[email protected]>");

part of access.php code

Code:

dbConnect("test2");
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact [email protected].');
}
if (mysql_num_rows($result) == 0) {
  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,'fullname');
?>

Code:

<?php include ' access.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title> Members-Only Page </title>
  <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1
</head>
<body>
<p>Welcome, <?=$username?>! You have entered a members-only area
   of the site. Don't you feel special?</p>
</body>
</html>

Originally Posted by visualAd

You could also comment you this line to stop it getting encrypted

PHP Code:

$newpass = substr(md5(time()),0,6); 


Thank u all for u replies. well if i remove that line then there will no password will be created!! The problem is that my script does not verify the password correctly and allow me view protected page!

Are you seriously storing passwords in the database rather than hashes?

Originally Posted by penagate

Are you seriously storing passwords in the database rather than hashes?

well when i check db i see a long password but that is not what i typed in registeration page!! I used both password and it does not verify it!!

Originally Posted by visualAd

The password us encryped using a one-way md5 hash. If you are testing locally, I suggest you use your ISP's SMTP server to send the email.

could u tell me how to use my isp smtp as u see in my send php code there is no name of smtp . Where and how i put smtp information ?

Usually you'd MD5 the password when setting it and store that, then for authentication MD5 the submitted password and compare against DB.

Originally Posted by CornedBee

If you just want a test account, manually modify the database. Set it to the PASSWORD() hash of a known value, e.g.

Code:

UPDATE users SET password=PASSWORD('foo') WHERE id = 1

(Statement ignoring any actual DB schema you might have.)
Then you can use 'foo' as your password.

Thank u for u reply. i use phpmyadmin and i went manually changed the pasword to some numbers but did not work. when i run your code i got this massage an no change to password!!:

Affected rows: 0 (Query took 0.0006 sec)

I used echo $newpass just before it get encrpted and used that on i could not log in . Is there any thing wrong with my select statment in my access.php code where i check for pass and log in name ?Thanks

Originally Posted by CornedBee

How do you obtain $uid and $pwd in access.php?

From login form which ask for name and pass!