md5 decrypt

Find out why thousands trust the EE community with their toughest problems.

jonofat

5/15/2011

ASKER

Michael701, I am trying to do what you recommended. I have done the following so far...

When a user types in their email address it is stored in a new table I created which stores their email address and token which is md5 random number. It then emails them this and the link looks like this:

http://myurl.com/reset_password.php?token=d86f7a3927be034eac22601be4b07750&custid=3548

What I want to happen now is that when they click on that link, it must change their password in the database to a new random md5 password and then email them that password recommending that they login with it and change it to something they want.

What is the best way to do this? Surely when they click that link, it should also delete the email address and token from the temp table?

Michael701

5/15/2011

Close, but the token doesn't have to be MD5 encoded, only their password should be.

Instead of emailing them the new password it should work this why.

They say they lost their password.
Set the token to a random number.
email then a reset link (like you have without MD5 on the token)
reset_password.php will read their ID and compare the URL token to the one stored in the database. If they agree display a 'Change password form' have hidden fields with the customer id and token. Upon 'submit' reverify the id, token and that the two new passwords match, then update the customer record with the new MD5(password) also set the token back to zero.

Hope this helps.

jonofat

5/16/2011

ASKER

Okay, I have sort of got it. THe only problem is that when I click on the link in the email It goes to the right url but I get an error:

Error 404 Page Not Found
The requested URL /reset_password.php?token=1997881a220ff6eb339f7d5de16fdf1f&customerid=3 was not found on this server.

but in the address bar is the full url. Weird?

Find out why thousands trust the EE community with their toughest problems.

Michael701

5/16/2011

first, you *DO* have a reset_password.php program?

Next, try adding http://www.mysite.com/ to the email address

jonofat

5/16/2011

ASKER

I have the following code on reset_password.php

$colname_Recordset1 = "-1";
if (isset($_GET['token'])) {
  $colname_Recordset1 = $_GET['token'];
}
$colname2_Recordset1 = "-1";
if (isset($_GET['customerid'])) {
  $colname2_Recordset1 = $_GET['customerid'];
}
mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, random_token, customerpass FROM customers WHERE random_token = %s AND customerid = %s", GetSQLValueString($colname_Recordset1, "text"),GetSQLValueString($colname2_Recordset1, "int"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!

jonofat

5/16/2011

ASKER

Never mind, I was being an idiot. There was a small spelling mistake in the URL.

Walt Forbes

Michael701

5/16/2011

If you cut and paste the url from the email does it work?

jonofat

5/17/2011

ASKER

Ok, my problem now is getting the info from the url to the page. If I do it with just the customer ID it works fine but as soon as I try involve the token, I get no result. I want to use them both together... This doesn't work..

$colname_Recordset1 = "-1";
if (isset($_GET['token'])) {
  $colname_Recordset1 = $_GET['token'];
}
mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE random_token = %s", GetSQLValueString($colname_Recordset1, "text"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

This does work:

$colname_Recordset1 = "-1";
if (isset($_GET['customerid'])) {
  $colname_Recordset1 = $_GET['customerid'];
}
mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE customerid = %s", GetSQLValueString($colname_Recordset1, "int"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

This is what I want but doesn't work either:

$colname_Recordset1 = "-1";
if (isset($_GET['token'])) {
  $colname_Recordset1 = $_GET['token'];
}
$colname2_Recordset1 = "-1";
if (isset($_GET['customerid'])) {
  $colname2_Recordset1 = $_GET['customerid'];
}
mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE random_token = %s AND customerid = %s", GetSQLValueString($colname_Recordset1, "text"),GetSQLValueString($colname2_Recordset1, "int"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

Michael701

5/17/2011

Don't MD5 the token, it should just be a large random number. say between 100000 and 999999

Find out why thousands trust the EE community with their toughest problems.

jonofat

5/17/2011

ASKER

Why not MD5 the token? WHen I have forgotten my password on other sites, the email I receive has a MD5 token.

jonofat

5/17/2011

ASKER

Why would it make a difference if I use MD5? The md5 in the database is exactly the same as the one in the URL

Michael701

5/17/2011

You right there it shouldn't matter. Just easier to debug.

Are you saying that you get zero records returned from the sql statement?

Let's see the sql command

add this after you set the variable

echo $query_Recordset1;

post the results

All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat

William Peck

jonofat

5/17/2011

ASKER

SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE random_token = '5d43d368994ef0eaae351493c99985cf'

jonofat

5/17/2011

ASKER

Yes, when I put this on the page there is no value when there should be.

<?php echo $row_Recordset1['customeremail']; ?>

Michael701

5/17/2011

echo the $query_Recordset1 before the $row_Recordset1

It seems like there is something amiss about the query itself cause no results to be returned.

FYI: Most of the time I ask people to echo the sql query it become one of the DUH, I see the problem. BUt echo the query and post the raw sql commands for review

Find out why thousands trust the EE community with their toughest problems.

jonofat

5/17/2011

ASKER

Not sure if I am putting it in the right place what you are asking for?

mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE random_token = %s", GetSQLValueString($colname_Recordset1, "text"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
echo $query_Recordset1;
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

After running the above code I got :

SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE random_token = '5d43d368994ef0eaae351493c99985cf'

Michael701

5/17/2011

that will work. but let's try something else.

use the select ... where customerid=

then add these echo statements

echo $colname_Recordset1. "\n<br />";
echo $row_Recordset1['random_token']. "\n<br />";

Let's see if the really match. Paste the reply.

jonofat

5/17/2011

ASKER

Okay, I used this code:

$colname_Recordset1 = "-1";
if (isset($_GET['token'])) {
  $colname_Recordset1 = $_GET['token'];
}
$colname2_Recordset1 = "-1";
if (isset($_GET['customerid'])) {
  $colname2_Recordset1 = $_GET['customerid'];
}
mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, customerpass, random_token FROM customers WHERE random_token = %s AND customerid = %s", GetSQLValueString($colname_Recordset1, "text"),GetSQLValueString($colname2_Recordset1, "int"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
echo $colname_Recordset1. "\n<br />";
echo $row_Recordset1['random_token']. "\n<br />";
echo $colname2_Recordset1. "\n<br />";
echo $row_Recordset1['customerid']. "\n<br />";
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!

and from the code you asked me to input, the display was

5d43d368994ef0eaae351493c99985cf

3

which is correct since email I received shows token=5d43d368994ef0eaae351493c99985cf&customerid=3

James Murphy

Michael701

5/18/2011

That's odd that all the token match, but you can't seem to Select where token=

ANyway, it's better to select by id then compare the tokens. I'llassume that id is an index field and token is not.

so let's do this, after the select where id=

if {$row_Recordset1['random_token']==$colname_Recordset1}
{
echo "Tokens match<br />\n";
\\ you can place the html form here.
}

jonofat

5/20/2011

ASKER

Yep, I got the message:

Tokens match

jonofat

5/20/2011

ASKER

However, I changed the token and I still get the same message : Tokens match

Find out why thousands trust the EE community with their toughest problems.

jonofat

5/20/2011

ASKER

Okay, I changed it a bit. Now it just says : "Don't match" no matter what I do....

$colname_Recordset1 = "-1";
if (isset($_GET['customerid'])) {
  $colname_Recordset1 = $_GET['customerid'];
}
$coltoken_Recordset1 = "-1";
if (isset($_GET['token'])) {
  $coltoken_Recordset1 = $_GET['token'];
}
mysql_select_db($database_test, $test);
$query_Recordset1 = sprintf("SELECT customerid, customeremail, customerpass, customername, customerlastname, random_token FROM customers WHERE customerid = %s AND random_token = %s", GetSQLValueString($colname_Recordset1, "int"),GetSQLValueString($coltoken_Recordset1, "text"));
$Recordset1 = mysql_query($query_Recordset1, $test) or die(mysql_error());
if ($row_Recordset1['random_token']==$coltoken_Recordset1) {
echo "Tokens match<br />\n";
   }else{
	     echo "don't match";
   }
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

Michael701

5/20/2011

that's because you haven't yet gotten the row data. move the fetch_assoc up a bit in the code

$row_Recordset1 = mysql_fetch_assoc($Recordset1);
if ($row_Recordset1['random_token']==$coltoken_Recordset1) {
echo "Tokens match<br />\n";
   }else{
	     echo "don't match";
   }

jonofat

5/21/2011

ASKER

Haha. Never mind. I figured out that the probelm is something else! The record isn't updating and so the token never changes. For some reason when the form submits the record isn't updating.

<form action="<?php echo $editFormAction; ?>" id="form1" name="form1" method="POST">
          <table width="65%" border="0" align="center" cellpadding="2" cellspacing="2">
            <tr>
              <td width="9%">&nbsp;</td>
              <td bgcolor="#D71820"><span class="headingtext">FORGOTTEN PASSWORD<strong>
<input name="token" type="hidden" id="token" value="<?php echo md5(mt_rand()); ?>" />
                    <input name="customerid" type="hidden" id="customerid" value="<?php echo $row_Recordset1['customerid']; ?>" />
              </strong></span></td>
            </tr>
            <tr>
              <td>&nbsp;</td>
              <td class="headingtext">If that email address is registered with us, you should receive an email shortly. </td>
              </tr>
          </table>
          <input type="hidden" name="MM_update" value="form1" />
        </form>
        <script>
document.form1.submit();
</script>