Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 176
  • Last Modified:

Having user choose his own password

I have a login page where users can enter teir email address and a default password. I want to set it up in a way that users can enter any email address but the password has to be default. Also when they enter the default password, it should ask them to choose a new password and set their emailaddress and the new password as their login credentials.
so if John comes to the site, he can enter John@test.com and use a default password thats given to him which is abc123, then once the default password is proved to br correct it should be a part withing the same page that becomes available where john can set his new passwrod with his email address as john@test.com

Thanks
0
syedasimmeesaq
Asked:
syedasimmeesaq
  • 15
  • 7
  • 5
  • +1
1 Solution
 
netmunkyCommented:
you can have a user provide their email address, then use mail() to send a temporary password (either fixed or random). in the user table, add a boolean flag mustchangepass (or similar). when they login with the password that is sent to them, if the boolean is true, forward them to a password change page (which will unset the boolean). if the boolean is false, allow them to login normally.
0
 
syedasimmeesaqAuthor Commented:
Actually i tried to do something like this but it has some errors may be this give an idea


         <?PHP
 
require_once('con_info.php');
 
// Add slashes to the username, and make a md5 checksum of the password.
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];
 
$result = mysql_query("SELECT count(id) FROM users WHERE passdef='" . $_POST['passdef']. "'") or die("Couldn't query the user-database.");
 
$num = mysql_result($result, 0);
 
if (!$num) {
 
// When the query didn't return anything,
// display the login form.
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
UserName: <input type='text' name='user'><br><br>
Password : <input type='password' name='passdef'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
} else {
 
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];
 
// Start the login session
//session_start();
 
// We've already added slashes and MD5'd the password
//$_SESSION['user'] = $_POST['user'];
//$_SESSION['pass'] = $_POST['pass'];
//header ('Location: district.php');
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New Password: <input type='text' name='pass'><br><br>
Confirm Password : <input type='text' name='conpass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
$newpass = $_POST['pass'];
//$_POST['pass'] = SHA256::hash($_POST['pass']); 
$conpass = $_POST['conpass'];
if ($newpass == $conpass and $newpass!="" and $conpass!=""){
$result = mysql_list_tables(users);
while ($row = mysql_fetch_row($result)) {
        
												   
		    $query = "insert into " . $row[0] . " SET user ='".$_POST['user']."' AND pass = '$newpass'";
            $resultUpdate = mysql_query($query);
            if(!$resultUpdate){
                die(mysql_error());
      
}
 
}
else
{
echo "NOT MATCHED";
}
}
?> 

Open in new window

0
 
nizsmoDeveloperCommented:
You had some syntax errors,
 <?PHP
 
require_once('con_info.php');
 
// Add slashes to the username, and make a md5 checksum of the password.
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];
 
$result = mysql_query("SELECT count(id) FROM users WHERE passdef='" . $_POST['passdef']. "'") or die("Couldn't query the user-database.");
 
$num = mysql_result($result, 0);
 
if (!$num) {
 
// When the query didn't return anything,
// display the login form.
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
UserName: <input type='text' name='user'><br><br>
Password : <input type='password' name='passdef'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
} else {
 
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];
 
// Start the login session
//session_start();
 
// We've already added slashes and MD5'd the password
//$_SESSION['user'] = $_POST['user'];
//$_SESSION['pass'] = $_POST['pass'];
//header ('Location: district.php');
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New Password: <input type='text' name='pass'><br><br>
Confirm Password : <input type='text' name='conpass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
$newpass = $_POST['pass'];
//$_POST['pass'] = SHA256::hash($_POST['pass']); 
$conpass = $_POST['conpass'];
if ($newpass == $conpass and $newpass!="" and $conpass!=""){
$result = mysql_list_tables(users);
while ($row = mysql_fetch_row($result)) {
        
                                                                                                   
                    $query = "insert into " . $row[0] . " SET user ='".$_POST['user']."' AND pass = '$newpass'";
            $resultUpdate = mysql_query($query);
            if(!$resultUpdate){
                die(mysql_error());
      
}
 
}
 
}
else
{
echo "NOT MATCHED";
}
}
?> 

Open in new window

0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
syedasimmeesaqAuthor Commented:
But now its not inserting the data into the table users.
Thanks
0
 
nizsmoDeveloperCommented:
Small change from:
$newpass == $conpass and $newpass!="" and $conpass!=""

to
$newpass == $conpass && $newpass!="" && $conpass!=""

 <?PHP
 
require_once('con_info.php');
 
// Add slashes to the username, and make a md5 checksum of the password.
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];
 
$result = mysql_query("SELECT count(id) FROM users WHERE passdef='" . $_POST['passdef']. "'") or die("Couldn't query the user-database.");
 
$num = mysql_result($result, 0);
 
if (!$num) {
 
// When the query didn't return anything,
// display the login form.
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
UserName: <input type='text' name='user'><br><br>
Password : <input type='password' name='passdef'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
} else {
 
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];
 
// Start the login session
//session_start();
 
// We've already added slashes and MD5'd the password
//$_SESSION['user'] = $_POST['user'];
//$_SESSION['pass'] = $_POST['pass'];
//header ('Location: district.php');
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New Password: <input type='text' name='pass'><br><br>
Confirm Password : <input type='text' name='conpass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
$newpass = $_POST['pass'];
//$_POST['pass'] = SHA256::hash($_POST['pass']); 
$conpass = $_POST['conpass'];
if ($newpass == $conpass && $newpass!="" && $conpass!=""){
$result = mysql_list_tables(users);
while ($row = mysql_fetch_row($result)) {
        
                                                                                                   
                    $query = "insert into " . $row[0] . " SET user ='".$_POST['user']."' AND pass = '$newpass'";
            $resultUpdate = mysql_query($query);
            if(!$resultUpdate){
                die(mysql_error());
      
}
 
}
 
}
else
{
echo "NOT MATCHED";
}
}
?> 

Open in new window

0
 
syedasimmeesaqAuthor Commented:
hmm it still is not adding the records to the table
Thanks
0
 
syedasimmeesaqAuthor Commented:
what possibly could be wrong ..I checked the code again and again..it just doesn't insert into the table
0
 
nizsmoDeveloperCommented:
then it simply means that this condition:
$newpass == $conpass && $newpass!="" && $conpass!=""

is not being satisfied. Check that you are passing using POST (not GET) and check that $newpass and $conpass actually contain something.
0
 
syedasimmeesaqAuthor Commented:
ok it is strange..how come I am inserting the value in the testboxes but it shows in echo that $newpass and $conpass is empty
Thanks
0
 
nizsmoDeveloperCommented:
What is the point of this?
$_POST['user'] = $_POST['user'];
$_POST['passdef']= $_POST['passdef'];

Also i think there is something wrong with the logic of your script, i don't think you should have the login form and what you are trying to do in the same script.
0
 
syedasimmeesaqAuthor Commented:
Nizsmo. Thank you again for helping. I am trying to do what I mentioned above. How could I reset the logic to achieve what I describedd in question above

Thank you
0
 
nizsmoDeveloperCommented:
Try something like this, not sure if it will work since I have no way of testing.
 <?PHP
 
require_once('con_info.php');
 
// Start the login session
//session_start();
 
// We've already added slashes and MD5'd the password
//$_SESSION['user'] = $_POST['user'];
//$_SESSION['pass'] = $_POST['pass'];
//header ('Location: district.php');
 
 
$newpass = $_POST['pass'];
//$_POST['pass'] = SHA256::hash($_POST['pass']); 
$conpass = $_POST['conpass'];
if ($newpass == $conpass && $newpass!="" && $conpass!=""){
$result = mysql_list_tables(users);
while ($row = mysql_fetch_row($result)) {
        
                                                                                                   
                    $query = "insert into " . $row[0] . " SET user ='".$_POST['user']."' AND pass = '$newpass'";
            $resultUpdate = mysql_query($query);
            if(!$resultUpdate){
                die(mysql_error());
      
}
 
}
 
}
else
{
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New Password: <input type='text' name='pass'><br><br>
Confirm Password : <input type='text' name='conpass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
}
?> 

Open in new window

0
 
syedasimmeesaqAuthor Commented:
nope that doesn't work either
0
 
netmunkyCommented:
as a side note, never ever supply user provided data directly to a query. always use mysql_real_escape_string() (or mysqli_prepare if you are using msyqli instead of msyql)
0
 
syedasimmeesaqAuthor Commented:
yea I was going to add that later on but I am trying to make this thing work first. The last script you sent took the first part out. But I just wanted to see if it will insert the data into table or not and it didn't

Thanks
0
 
netmunkyCommented:
add some debug prints
ie -
if ($newpass == $conpass && $newpass!="" && $conpass!="")
{ print "i should be insertingg"; }
else { print "something didn't match"; }

check mysql_errno() or mysql_error() after your query and see if it is having some sort of problem at the database level with your query.
0
 
syedasimmeesaqAuthor Commented:
I have a field in table called ID which is primary key and autoincrement..could that matter?
0
 
syedasimmeesaqAuthor Commented:
>>>>>>>>>check mysql_errno() or mysql_error() after your query and see if it is having some sort of problem at the database level with your query.

  how do I do that?
Thanks
0
 
netmunkyCommented:
$resultUpdate = mysql_query($query);
if( mysql_errno() ) { die( mysq_errno() .": ". mysql_error() ); }

http://us3.php.net/mysql_query does not specify what mysql_query() will return for an INSERT statement, so I don't know if the code you have right now for mysql_error checking is sufficient or not
0
 
HMoellendorfCommented:
Use the following snippet to test the queries:
$resultUpdate = mysql_query($query);
if( !$resultUpdate ) { die( mysq_errno() .": ". mysql_error() ); }

Open in new window

0
 
nizsmoDeveloperCommented:
>>nope that doesn't work either

Can you elaborate? What doesn't work and what gets outputted? Any errors?
0
 
syedasimmeesaqAuthor Commented:
its not giving any errors using the above. However its still not inserting new records into the table

Thanks
0
 
syedasimmeesaqAuthor Commented:
isn't this insert statement worng

$query = "insert into " . $row[0] . " SET user ='".$_POST['user']."' AND pass = '$newpass'";

souldn't we be using set with update and not with insert.

And if it is wrong, what would be the right statement.
Thanks
0
 
syedasimmeesaqAuthor Commented:
shouldn't it be
 $query = "insert into " . $row[0] . " (pass, user) Values ('$_POST['user'],'$newpass'";
instead of
$query = "insert into " . $row[0] . " SET user ='".$_POST['user']."' AND pass = '$newpass'";
?
Thanks
0
 
netmunkyCommented:
yes
set is only for update
ie - update table set pass=... where user=...
but you forgot the closing ) on your insert

$query = "insert into {$row[0]} (pass, user) Values ('{$_POST['user']},'$newpass')";
0
 
syedasimmeesaqAuthor Commented:
ok I have this now ..but its not inserting the values
<?PHP
 
require_once('info.php');
 
$user = mysql_real_escape_string($_POST['user']);
 
$pass = mysql_real_escape_string($_POST['pass']);
 
$result = mysql_query("SELECT user,pass FROM users WHERE pass='" . $pass. "'  OR (user='". $user."' AND pass='".$pass."')") or die("Couldn't query the user-database.");
 
$num = mysql_num_rows($result);
 
if (!$num) {
 
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
UserName: <input type='text' name='user'><br><br>
Password : <input type='password' name='pass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
}else {
 
        list($dbuser,$dbpass) = mysql_fetch_row($result);
       
        if($dbuser==$user && $dbpass==$pass) {
       
                echo "You entered a username & password";
       
        }else{
       
                echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New PassWord: <input type='text' name='newpass'><br><br>
Confirm Password : <input type='password' name='confirmpass'><br>

<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";

if($_POST['newpass'] == $_POST['confirmpass'])
{
            $insertquery = "insert into user (user, pass) VALUES ('{$_POST['user']}','{$_POST['newpass']}')";
            $resultinsert = mysql_query($insertquery);
       
        }
            else {
            echo " your password didn't match";
            
}
 
 }
}
?>
0
 
syedasimmeesaqAuthor Commented:
This code inserts the record but not in same row.
So the user name is in different row than the password
how can I fix it
<?PHP
 
require_once('info.php');
 
$user = mysql_real_escape_string($_POST['user']);
 
$pass = mysql_real_escape_string($_POST['pass']);
 
$result = mysql_query("SELECT user,pass FROM users WHERE pass='" . $pass. "'  OR (user='". $user."' AND pass='".$pass."')") or die("Couldn't query the user-database.");
 
$num = mysql_num_rows($result);
 
if (!$num) {
 
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
UserName: <input type='text' name='user'><br><br>
Password : <input type='password' name='pass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
}else {
 
        list($dbuser,$dbpass) = mysql_fetch_row($result);
        
        if($dbuser==$user && $dbpass==$pass) {
        
                echo "You entered a username & password";
        
        }else{
        
                echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New PassWord: <input type='text' name='newpass'><br><br>
Confirm Password : <input type='password' name='confirmpass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
if($_POST['newpass'] == $_POST['confirmpass'])
{
		$insertquery = "insert into users (user, pass) VALUES ('{$_POST['user']}','{$_POST['newpass']}')";
		$resultinsert = mysql_query($insertquery);
        
        }
		else {
		echo " your password didn't match";
		
}
 
 }
}
?>

Open in new window

0
 
nizsmoDeveloperCommented:
Try this:
<?PHP
 
require_once('info.php');
 
$user = mysql_real_escape_string($_POST['user']);
 
$pass = mysql_real_escape_string($_POST['pass']);
 
$result = mysql_query("SELECT user,pass FROM users WHERE pass='" . $pass. "'  OR (user='". $user."' AND pass='".$pass."')") or die("Couldn't query the user-database.");
 
$num = mysql_num_rows($result);
 
if (!$num) {
 
 
echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
UserName: <input type='text' name='user'><br><br>
Password : <input type='password' name='pass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
}else {
 
        list($dbuser,$dbpass) = mysql_fetch_row($result);
        
        if($dbuser==$user && $dbpass==$pass) {
        
                echo "You entered a username & password";
        
        }else{
        
                echo "<h4> <center><br><br>
<form action='$_SERVER[PHP_SELF]' method='post'>
New PassWord: <input type='text' name='newpass'><br><br>
Confirm Password : <input type='password' name='confirmpass'><br>
 
<br><br>
<input type='submit' size='10' value='Login'>
</form></center></h4>";
 
if($_POST['newpass'] == $_POST['confirmpass'])
{
		$insertquery = "UPDATE users SET pass='{$_POST['newpass']}' WHERE user='{$_POST['user']}'";
		$resultinsert = mysql_query($insertquery);
        
        }
		else {
		echo " your password didn't match";
		
}
 
 }
}
?>

Open in new window

0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 15
  • 7
  • 5
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now