You've probably noticed a couple approaches to this as you've used
various websites.
I think the more secure approach is to reset a user's password, and I'll
tell you why:
First, you shouldn't be storing the password in your database as
plaintext... that's a bad call.
IMO, an encryption method you can reverse easily (BASE64, etc.) might as well
be plaintext.
Even if your application isn't sensitive, I guarantee somebody
registered with their one and only password.
You can modify your query to store an MD5 hash of the password
instead... just like this:
INSERT INTO users (username,password,etc) VALUES
('$username',MD5('$password'),etc);
You'll probably need to update your authentication scheme to compare the
supplied password to the MD5 hash in the database, instead of selecting
the password directly.
i.e. (And naturally, you're sanitizing the user input before you pass it
to the database)
SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');
Anyway, you can probably update your existing database by doing:
UPDATE users SET password = MD5(password);
[Backup first, just in case I'm wrong... ]
The thing about MD5 is that you can't decode it -- it's a one-way hash,
which is where the Password Reset suggestion comes in.
You can't just fish around and email them their password, because you
don't actually know what it is.
You *can*, however, generate a random password, and email that to them.
Once they log in, they can reset their password through your UI. Much
more secure.
-Jeromie
>Here is the problem. I would like to create a lost password feature where
>the user specifies their email address and their password is emailed to
>them out of the database.
>
>
>
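
The reset flow described in the reply above, as an added example that is not part of the original post: it uses bound parameters instead of interpolated strings and swaps MD5() for PHP's password_hash()/password_verify(), which add a per-password salt. The table layout, the function names, the must_change flag and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example; schema, function names and sample data are assumptions.
// SQLite in memory stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY, email TEXT, password TEXT,
    must_change INTEGER DEFAULT 0)');

function register(PDO $db, string $username, string $email, string $password): void {
    // Bound parameters keep user input out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): bool {
    // A salted hash cannot be matched inside the WHERE clause:
    // fetch the stored hash by username, then verify it in PHP.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

function resetPassword(PDO $db, string $email): ?string {
    // Random temporary password from the CSPRNG; only its hash is stored.
    $temp = bin2hex(random_bytes(8));
    $stmt = $db->prepare('UPDATE users SET password = ?, must_change = 1 WHERE email = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $email]);
    // null means no account matched. The caller shows the same message in
    // both cases and e-mails $temp only when it is not null.
    return $stmt->rowCount() === 1 ? $temp : null;
}

// Constructed sample data.
register($db, 'alice', 'alice@example.com', 'original-secret');
var_dump(login($db, 'alice', 'original-secret'));   // before the reset

$temp = resetPassword($db, 'alice@example.com');
var_dump(login($db, 'alice', 'original-secret'));   // old password after the reset
var_dump(login($db, 'alice', $temp));               // temporary password
var_dump(resetPassword($db, 'nobody@example.com')); // unknown address
```

The must_change flag is there so the application can send the user to the change-password screen on the first login with the temporary password.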
The php_mysql group is dedicated to learn more about the PHP/MySQL web database
possibilities through group learning.