Forgot Password sending encrypted string

ace67 · February 10th, 2006, 05:37 PM

Finally got Reviewpost back online. Problem was with the server's mysql program. But one thing that I've now noticed that has started is when a user uses the "forgot password" link, the program is sending a new one but instead of being a short word it sending the entire encypted string as in:

Your new password is: 563068853874a66d19f8ffd3fd0798ab

and that can't be used to log in.

How can I correct this? Thanks.

Chuck S · February 10th, 2006, 08:24 PM

I would suggest you download the program from our site and update your files. I can not tell you what your problem is as the code I am looking at looks fine. We send via the email the unencrypted password

$newpass is the one you get in the email.

Code:

Content visible to verified customers only.

ace67 · February 10th, 2006, 11:21 PM

Thanks for giving me the code to look for. What you have there is correct. However after testing the forgot password function further, I found that the email was being generated by this in member.php:

Quote:

if ( $ppaction == "forgot" ) {
if ( $do == "process" ) {
$resultb = ppmysql_query("SELECT username,userid,joindate FROM {$Globals['rp_db_prefix']}users WHERE email='$inemail'", $link);
$checkrows = mysql_num_rows($resultb);

if ($checkrows > 0) {
while( list( $dbuser, $dbuid, $joindate ) = mysql_fetch_row($resultb) ) {
$genpass = gen_password();
$newpass = md5($genpass);
$resulta = ppmysql_query("UPDATE {$Globals['rp_db_prefix']}users SET password='$newpass' WHERE userid=$dbuid", $link);

include("{$Globals['RP_PATH']}/languages/$rplang/emails.php");

$email_from = "From: {$Globals['adminemail']}";
$letter = $Globals['pp_lang']['epassres1'];
$subject = $Globals['pp_lang']['epasssub2'];

mail( $inemail, $subject, $letter, $email_from );
}

That code, as you can see, encrypts the password before it is sent in the email. So I changed the code from $genpass on down to:

Quote:

$genpass = gen_password();
$newpass = $genpass;

include("{$Globals['RP_PATH']}/languages/$rplang/emails.php");

$email_from = "From: {$Globals['adminemail']}";
$letter = $Globals['pp_lang']['epassres1'];
$subject = $Globals['pp_lang']['epasssub2'];

mail( $inemail, $subject, $letter, $email_from );

$newpass = md5($genpass);
$resulta = ppmysql_query("UPDATE {$Globals['rp_db_prefix']}users SET password='$newpass' WHERE userid=$dbuid", $link);

}

I sent the email with $newpass before it was encrypted and added to the user table. Now it seems to be working correctly. Do you see anything that making this change will harm that I may have overlooked?

Chuck S · February 11th, 2006, 07:19 AM

Your member.php is not correct download the software and upload member.php

ace67 · February 11th, 2006, 09:14 AM

Downloaded another copy of 3.11. Unzipped. Uploaded member.php untouched. Tested Forgot Password option. Same problem I had with original member.php. New password is sent encrypted.

::shrug::

So I've put my original member.php that I edited as in above post back up and it works fine. I think I'll stick with that.

Thanks.