I had my forgot password working properly, but I was concerned that I was not using a salt with the storage in MySQL.
My original code:
$query = "SELECT sec_ques, email, user_id FROM users_tbl WHERE user_id='$u'";
$result = mysql_query ($query) or trigger_error("3Security Answer was Wrong");
if (mysql_affected_rows() == 1) {
    $row = mysql_fetch_array ($result, MYSQL_NUM);
    mysql_free_result($result);
    if($sq == $row[0]){
        $email = $row[1];
        $p = substr ( md5(uniqid(rand(),1)), 3, 10);
        $query2 = "UPDATE users_tbl SET pass=SHA('$p') WHERE user_id='$u'";
        $result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
I changed one line to read:
$query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";
That gave me this code that does not work:
$query = "SELECT sec_ques, email, user_id FROM users_tbl WHERE user_id='$u'";
$result = mysql_query ($query) or trigger_error("3Security Answer was Wrong");
if (mysql_affected_rows() == 1) {
    $row = mysql_fetch_array ($result, MYSQL_NUM);
    mysql_free_result($result);
    if($sq == $row[0]){
        $email = $row[1];
        $p = substr ( md5(uniqid(rand(),1)), 3, 10);
        $query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";
        $result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
I have also tried using this line:
$query2 = "UPDATE users_tbl SET pass=SHA($p.'salt') WHERE user_id='$u'";
My issue is that the script is showing me the results of the last line:
$result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
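Added example, not part of the original post: it prints the statement the salted line actually sends (the `.` stays inside the PHP string and reaches MySQL, which has no `.` string operator), then shows the reset done with the hash computed in PHP and stored through a bound parameter. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL `users_tbl`, the user `alice` and the sample password are constructed, and `resetPassword` / `checkPassword` are hypothetical helper names.

```php
<?php
// Added example. users_tbl, pass and user_id come from the post; the in-memory
// SQLite database and the sample user 'alice' are constructed so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users_tbl (user_id TEXT PRIMARY KEY, pass TEXT)");
$db->exec("INSERT INTO users_tbl (user_id, pass) VALUES ('alice', '')");

// What the failing script sends: the dot sits inside the double-quoted PHP
// string, so PHP concatenates nothing and the server receives it as SQL text.
$p = 'a1b2c3d4e5'; // constructed sample value
$u = 'alice';
$sent = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";
echo "Sent to server: $sent\n";
// MySQL joins strings with CONCAT(), not ".", so this statement is a syntax
// error: mysql_query() returns false and the trigger_error() message appears.

// Issue a temporary password: CSPRNG output, hashed in PHP with a random
// per-user salt (password_hash embeds it), stored through a bound parameter.
function resetPassword(PDO $db, string $userId): ?string
{
    $temp = bin2hex(random_bytes(8)); // 16 hex characters
    $hash = password_hash($temp, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users_tbl SET pass = :hash WHERE user_id = :uid');
    $stmt->execute([':hash' => $hash, ':uid' => $userId]);
    return $stmt->rowCount() === 1 ? $temp : null; // null when no such user
}

// Login-side check: the salt is read back out of the stored hash itself.
function checkPassword(PDO $db, string $userId, string $candidate): bool
{
    $stmt = $db->prepare('SELECT pass FROM users_tbl WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($candidate, $hash);
}

$temp = resetPassword($db, 'alice');
var_dump(checkPassword($db, 'alice', $temp));   // temporary password
var_dump(checkPassword($db, 'alice', 'wrong')); // any other value
var_dump(resetPassword($db, 'nobody'));         // unknown user id
```

The `pass` column has to be wide enough for the `password_hash()` output (the PHP manual recommends 255 characters), and the login code must compare with `password_verify()` rather than re-running `SHA()` in SQL.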