1. Registered User, Devshed Newbie (0 - 499 posts), joined Nov 2013, S. Texas, 8 posts
    For "derplumo", please:

    Could you please post the table structures related to the forgot password mechanism?

    Seems like there are calls to "responses" and "sent emails", but it's not clear what table structures must exist to make things work.

    Thanks for posting the PHP code to the other thread I started recently. I think I'm "almost" there to make it work as you've evolved the various scripts.

    Dave
  2. Contributing User, Devshed Newbie (0 - 499 posts), joined Feb 2013, 311 posts
    Sure,

    Code:
    -- one row per password-reset request; the emailed link is checked against this table
    CREATE TABLE responses (
        reset_key CHAR(32) PRIMARY KEY,          -- lookup key carried in the link
        user INT NOT NULL,                       -- the account being reset
        secret CHAR(60) NOT NULL,                -- stored form of the link's secret token
        request_timestamp DATETIME NOT NULL,     -- when the reset was requested
        request_ip VARCHAR(39) NOT NULL,         -- 39 chars holds a full IPv6 address
        used BOOLEAN DEFAULT 0 NOT NULL,         -- set once the link has been consumed
        active BOOLEAN DEFAULT 1 NOT NULL        -- cleared to retire a link early
    ) ENGINE=InnoDB;

    -- record of reset emails sent, by recipient and time
    CREATE TABLE sent_emails (
        email_address CHAR(64) NOT NULL,
        timestamp DATETIME NOT NULL
    ) ENGINE=InnoDB;
    if there's anything I can help with, just leave a shout
    Last edited by derplumo; December 7th, 2013 at 02:54 PM. Reason: ...
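An added example (mine, not derplumo's script from this thread) of how the two properties the schema above allows, single use via `used`/`active` and expiry via `request_timestamp`, can be enforced from PHP. It assumes PHP 7.1+, a PDO handle `$db` to MySQL, and a one-hour link lifetime; all three are my assumptions, not the thread's.

```php
<?php
// Added example, not derplumo's code: driving the `responses` table above
// so that a reset link is single-use and expires. Assumes PHP 7.1+ and a
// PDO connection $db to MySQL; the one-hour lifetime is my choice.
declare(strict_types=1);

// Issue a reset for a user: a random lookup key plus a random secret whose
// bcrypt hash (60 chars, hence CHAR(60)) is stored; only the emailed link
// ever holds the plain secret, so a leaked table cannot be replayed.
function issue_reset(PDO $db, int $userId, string $ip): array
{
    $key    = bin2hex(random_bytes(16)); // 32 hex chars fits CHAR(32)
    $secret = bin2hex(random_bytes(16));
    // Retire earlier links for this user so only the newest one works.
    $db->prepare('UPDATE responses SET active = 0 WHERE user = ?')
       ->execute([$userId]);
    $stmt = $db->prepare('INSERT INTO responses
        (reset_key, user, secret, request_timestamp, request_ip)
        VALUES (?, ?, ?, NOW(), ?)');
    $stmt->execute([$key, $userId, password_hash($secret, PASSWORD_BCRYPT), $ip]);
    return ['key' => $key, 'secret' => $secret]; // put both in the link
}

// Check a link's key and secret: returns the user id, or null when the key
// is unknown, already used, superseded, older than an hour, or the secret
// does not match the stored hash. Expiry is computed in SQL so PHP and
// MySQL clock settings cannot disagree.
function check_reset(PDO $db, string $key, string $secret): ?int
{
    $stmt = $db->prepare('SELECT user, secret, used, active,
        (request_timestamp < NOW() - INTERVAL 1 HOUR) AS expired
        FROM responses WHERE reset_key = ?');
    $stmt->execute([$key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used'] || !$row['active'] || $row['expired']) {
        return null;
    }
    if (!password_verify($secret, $row['secret'])) {
        return null;
    }
    // Consume the link before the caller changes the password, so a second
    // visit to the same URL is refused.
    $db->prepare('UPDATE responses SET used = 1 WHERE reset_key = ?')
       ->execute([$key]);
    return (int) $row['user'];
}
```

The caller emails `key` and `secret` in the link, then on return calls `check_reset()` and only changes the password when it yields a user id.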
  3. Registered User, Devshed Newbie (0 - 499 posts), joined Nov 2013, S. Texas, 8 posts
    Many Thanks!
  4. Registered User, Devshed Newbie (0 - 499 posts), joined Nov 2013, S. Texas, 8 posts
    Originally Posted by derplumo
    if there's anything I can help with, just leave a shout
    I'm seeing data created and sent from the "forgot_password" routines; however, the reset key and token contain characters not normally a part of an English text/data stream and if I capture the full link and paste into a browser to try to reset the password, the result is ALWAYS a failure.

    Is there something in the hashing or PHPMailer or (who-knows!) ?? that needs to be configured?

    Thanks again.
    Dave
  5. Contributing User, Devshed Newbie (0 - 499 posts), joined Feb 2013, 311 posts
    Oh yeah, that was the little bug; it is something in the links in the form (I think it was in the form). Wait a minute.
  6. Contributing User, Devshed Newbie (0 - 499 posts), joined Feb 2013, 311 posts
    OK, it took a little longer than a minute, but it was a new bug. In forgot_password.php change $user_id['user_id'] to $user_id around line 77. You can change some double declarations if you want; I still have to make a final version of it because there is also a problem with the activation etc. (if you use it, you can now still use it again; this needs to be changed)...

    Thanks for noticing the problem
  7. Registered User, Devshed Newbie (0 - 499 posts), joined Nov 2013, S. Texas, 8 posts
    I've really become interested in using the core functionality of this thread in a real-life application. I anticipate being extremely frugal and selective in the matter of allowing people to register and gain access to information that is proprietary or protected by law.

    Does it make sense to expand the register.php to require enough information that I can actually verify on a case-by-case basis WHO I want to have access and what their permission level should be, but archive/remove the most sensitive elements to provide as much long-term privacy protection as practical?

    My thought is to make the register.php write to a completely independent database, have the procedure notify me by email that someone has applied for registration and then accept/reject them.

    If I decide to accept the person, I'll move the essential credentials from the registration DB to the "working" DB and archive all but the essential data (username, email, date registered), probably using an off-line spreadsheet or XAMPP DB to archive the entire original submission.

    It may be "overkill" to use a separate DB vs. special table in the primary DB. I'd love to know what "best practices" are on these types of matters.

    My expected user population will be quite small and niche interest area (related to music, both sacred and secular). I will use personal evaluation of registrations and employ the open source "secure image" captcha mechanism.

    TIA for suggestions.
    Dave
  8. Contributing User, Devshed Newbie (0 - 499 posts), joined Feb 2013, 311 posts
    I don't really know where you are working to but I have to say a captcha is always good, some people just want to see your server burn... I'll try to include it in the next version of the password forgot system

    I know a little bit of security but this is Jacques territory
  9. Registered User, Devshed Newbie (0 - 499 posts), joined Nov 2013, S. Texas, 8 posts
    Originally Posted by derplumo
    I don't really know where you are working [snip]
    Do you mean geographically "where"?
  10. Contributing User, Devshed Newbie (0 - 499 posts), joined Feb 2013, 311 posts
    No, the 'what': what kind of website you're working on. Wait, I'll send a PM, otherwise this thread will become bigger and bigger...
  11. Registered User, Devshed Newbie (0 - 499 posts), joined Jan 2014, 4 posts
    Hello guys, first post. Firstly, great site and a wonderful piece of code here.

    However, this line in common.php freezes the whole script for me:

    Code:
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

    If I remove it, login.php at least works, but register.php still does not. I am a relative beginner; does anyone have any ideas what's happening?

    cheers,
    Andy
  12. Devshed Expert (3500 - 3999 posts), joined Jul 2012, 3,921 posts
    What's your PHP version? This sounds like a really, really old bug in PHP 5.2.

    Either way, this isn't a simple application problem. It means there's something wrong with your PHP.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  13. Registered User, Devshed Newbie (0 - 499 posts), joined Jan 2014, 4 posts
    Originally Posted by Jacques1
    What's your PHP version? This sounds like a really, really old bug in PHP 5.2.

    Either way, this isn't a simple application problem. It means there's something wrong with your PHP.
    Thanks a lot for the quick response.

    Sadly, I'm running PHP 5.1.6 (and MySQL 5.0.95).

    So I assume this bug also affects versions older than 5.2.

    I'll see if we can upgrade. Thanks again.
  14. Devshed Expert (3500 - 3999 posts), joined Jul 2012, 3,921 posts
    Originally Posted by Dusk1983
    I'll see if we can upgrade.
    You definitely need to do that. The 5.1 branch was abandoned a long, long time ago (in 2006, to be exact). It's full of bugs and security vulnerabilities waiting to be exploited.

    The current branch is PHP 5.5.
  15. Registered User, Devshed Newbie (0 - 499 posts), joined Jan 2014, 4 posts
    OK. Sorry to take this off topic, but are the mysql_* functions at least supported in 5.5? I know they're deprecated, but our site remains full of them... not good! Thanks.
