-4

I'm working on my uni project and I'm stuck on password recovery. Everything is working: the mail is sent, the new password is typed in and it goes to the database. BUT the problem is it goes without md5 encryption and is nicely visible in my db. How do I actually encrypt it in md5? Below is my code:

<?php

// Values submitted from the reset form (used as-is below)
$email = $_POST["email"];
$reset_token = $_POST["reset_token"];
$new_password = $_POST["new_password"];

$connection = mysqli_connect("localhost", "root", "", "registration");

// Look up the account by e-mail (the input is interpolated straight into the query)
$sql = "SELECT * FROM users WHERE email = '$email'";
$result = mysqli_query($connection, $sql);
if (mysqli_num_rows($result) > 0)
{
    $user = mysqli_fetch_object($result);
    // Compare the stored token with the one from the link
    if ($user->reset_token == $reset_token)
    {
        // Clears the token and stores the new password as plain text
        $sql = "UPDATE users SET reset_token='', password='$new_password' WHERE email='$email'";
        mysqli_query($connection, $sql);

        echo "Password has been changed";
    }
    else
    {
        echo "Recovery email has been expired";
    }
}
else
{
    echo "Email does not exists";
}

Also, as I'm already asking here, how do I set up the token to last 24 hours instead of forever? Sorry, I'm a bit of a newbie with all of this.

Kind regards.

Jens
abbes

2 Answers

-1


To encrypt a password / string, you can use the PHP function password_hash(). Personally I don't recommend using MD5, because it's easy to crack MD5 hashes using rainbow tables. To test, create an MD5 string and then input it at https://www.crackstation.net.
My recommendation would be using blowfish.
If you want to know how to implement this into your script:

$new_password = password_hash($_POST['new_password'], PASSWORD_BCRYPT);
// BCRYPT is hashing / encrypting it using Blowfish which is a very powerful encrypting method.

If you want to have even better security, you can use a salt. For more information:
What is SALT and how do I use it?
And when it comes down to security, your SQL query isn't safe and is vulnerable to SQL injections. (How can I prevent SQL injection in PHP?)
If you don't know what it is, in short: an SQL injection is a way to modify your SQL query. More information: https://www.w3schools.com/sql/sql_injection.asp
Use prepared statements to defend your SQL code, otherwise any hacker can get into your MySQL database without a lot of effort.
I hope this helped you,
With kind regards,

PS. If you want to log in again and check if a user inputted the right password, use password_verify() to verify that the user logged in using the right password.

JVT038
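Putting this answer's advice (password_hash() and prepared statements) together with the asker's 24-hour token question, here is an added example that is not from the question or either answer. It assumes a mysqli connection like the one in the question, an extra DATETIME column named `reset_token_expires_at` (a hypothetical name; add it with ALTER TABLE), and a `password` column wide enough (VARCHAR(255)) for a 60-character bcrypt hash.

```php
<?php
// Added example, not code from the question or answers.
// ASSUMPTION: users has an extra column `reset_token_expires_at DATETIME NULL`
// and the script that e-mails the link calls issueResetToken() to fill it.

// Called when the user asks for a reset: stores a random token valid for 24 hours.
function issueResetToken(mysqli $db, string $email): string {
    $token = bin2hex(random_bytes(32));                       // unguessable token
    $expires = date('Y-m-d H:i:s', time() + 24 * 3600);       // 24 h from now
    $stmt = $db->prepare("UPDATE users SET reset_token = ?, reset_token_expires_at = ? WHERE email = ?");
    $stmt->bind_param('sss', $token, $expires, $email);       // values are bound, not interpolated
    $stmt->execute();
    return $token;                                            // goes into the e-mailed link
}

// Called from the e-mailed link: checks the token and its expiry, then stores a bcrypt hash.
function resetPassword(mysqli $db, string $email, string $token, string $newPassword): string {
    $stmt = $db->prepare("SELECT reset_token, reset_token_expires_at FROM users WHERE email = ?");
    $stmt->bind_param('s', $email);                           // user input never touches the SQL text
    $stmt->execute();
    $user = $stmt->get_result()->fetch_object();
    if ($user === null) {
        return "Email does not exist";
    }
    // hash_equals() compares in constant time; an empty or cleared token never matches
    $tokenOk = $user->reset_token !== null && $user->reset_token !== ''
        && hash_equals($user->reset_token, $token);
    $notExpired = $user->reset_token_expires_at !== null
        && strtotime($user->reset_token_expires_at) > time();
    if (!$tokenOk || !$notExpired) {
        return "Recovery email has expired";
    }
    $hash = password_hash($newPassword, PASSWORD_BCRYPT);     // salted bcrypt, not MD5
    $stmt = $db->prepare("UPDATE users SET reset_token = NULL, reset_token_expires_at = NULL, password = ? WHERE email = ?");
    $stmt->bind_param('ss', $hash, $email);                   // token is single-use: cleared here
    $stmt->execute();
    return "Password has been changed";
}

// Usage with the same connection details as the question (database assumed reachable):
$db = mysqli_connect("localhost", "root", "", "registration");
echo resetPassword($db, $_POST["email"] ?? '', $_POST["reset_token"] ?? '', $_POST["new_password"] ?? '');
// At login, check a submitted password with password_verify($_POST['password'], $row->password).
```

The stored hash can only be checked with password_verify(); there is no way (and no need) to get the plain-text password back out of the database.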
-1

Use

password=MD5('$new_password')

in your update query; it will work. If you get any kind of error, just copy the whole query and paste it into the SQL section of your phpMyAdmin. Don't forget to replace all variables with the actual values. It will help a lot to find your errors.