Easy Password: Coders Please read.


noj75
07-30-2008, 11:15 AM
Hi all,

I have nothing but problems on my board with people using the default Lost Password system and then emailing me as it has not worked.

I therefore wrote the following script to make my life a little simpler.

If there are any professional coders amongst you that would like to review and critique this script I would very much appreciate your view as I am by no means a pro. I am just a person interested in PHP.


I HAVE REMOVED THE CODE


I have tested this script and it is running fine.

Your views are appreciated.

Kind regards

Marco van Herwaarden
07-30-2008, 11:21 AM
This script is very insecure and is vulnerable to SQL injection. Please see our articles section on how to write secure scripts.

PS Why would the default recover password not work?
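The thread's code was removed, so the problem Marco is pointing at can only be shown in general terms. The following is an added example (not the original poster's script and not vBulletin's own code) of the two ways a lost-password lookup is typically written in PHP: the insecure one splices request data into the SQL text, the safe one uses PDO prepared statements so input is always treated as data. The table layout (`user` with `userid`, `username`, `email`, `password`), the `password_hash()` storage format and the in-memory SQLite demo are assumptions for this example; they are not vBulletin's schema or hashing scheme.

```php
<?php
// Added example, not the removed script from this thread. Assumes a `user`
// table (userid, username, email, password) and the pdo_sqlite extension.

// INSECURE pattern: untrusted POST values concatenated into the query text.
// Whatever the visitor submits becomes part of the SQL statement itself,
// so the statement's meaning is under the visitor's control.
function find_user_insecure(PDO $db, string $username, string $email): ?array
{
    $sql = "SELECT userid, username, email FROM user "
         . "WHERE username = '" . $username . "' AND email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE pattern: the SQL text is fixed before any input arrives; the values
// are bound as parameters and can never be parsed as SQL.
function find_user_safe(PDO $db, string $username, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT userid, username, email FROM user WHERE username = :u AND email = :e'
    );
    $stmt->execute([':u' => $username, ':e' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Issue a replacement password: random (CSPRNG), stored only as a hash,
// written back with a parameterised UPDATE keyed on the numeric userid.
function reset_password(PDO $db, int $userid): string
{
    $newPassword = bin2hex(random_bytes(6));               // 12 hex characters
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);  // assumed storage format
    $stmt = $db->prepare('UPDATE user SET password = :p WHERE userid = :id');
    $stmt->execute([':p' => $hash, ':id' => $userid]);
    return $newPassword;                                    // email this, never the hash
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO user (username, email, password) VALUES ('alice', 'alice@example.invalid', '')");

// In a real handler these come from $_POST; defaults let the demo run from the CLI.
$username = $_POST['username'] ?? 'alice';
$email    = $_POST['email']    ?? 'alice@example.invalid';

$user = find_user_safe($db, $username, $email);
if ($user === null) {
    echo "No matching account.\n";
} else {
    $tmp = reset_password($db, (int) $user['userid']);
    echo "A new temporary password would now be emailed to {$user['email']}\n";
}
```

The difference between the two lookup functions is the whole of the fix: `find_user_insecure` builds a different SQL statement for every input, while `find_user_safe` always sends the same statement and only the bound values change. Everything that reaches the database from the request, including the userid used in the UPDATE, goes through a bound parameter.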

noj75
07-30-2008, 11:27 AM
Hi Marco,

Thanks for the prompt reply.

My default system either defaults the user to the login page or does not recognise the password that is sent in the email.

P.S. Any pointers on making this script more secure? Would appreciate your input.

Regards

Dismounted
07-30-2008, 11:33 AM
Why not try fixing the current system? Try disabling any modifications running.

Marco van Herwaarden
07-30-2008, 11:41 AM
Please provide a link to your board so I can see what is going wrong with the default system.

P.S. Any pointers on making this script more secure? Would appreciate your input.
See the articles on writing secure modifications in our articles section.

noj75
07-30-2008, 12:15 PM
Please provide a link to your board so I can see what is going wrong with the default system.

See the articles on writing secure modifications in our articles section.

Sent you a PM Marco

--------------- Added 1217425598 at 1217425598 ---------------

Does this improve things?


I HAVE REMOVED THE CODE


Regards

Marco van Herwaarden
07-30-2008, 12:56 PM
I have tested the (default vBulletin) lost password feature on your site, and I had no problem at all getting a new password. You might want to delete the account created for testing: vBTest

Also I suggest that you remove your own script (really remove it from disk) ASAP as it is very insecure and could very easily be used to destroy your database or such.

noj75
07-30-2008, 01:10 PM
Well, that's strange. It did not work for me this morning, but it does now?

I have, though, taken your advice and removed the script from my server. Thank you very much for the advice Marco, very much appreciated.

Kindest regards