Password Recovery System

Place to place any code snippets, completed games, or even uncompleted games for IR users to use.
vitinho444
Posts: 2825
Joined: Mon Mar 21, 2011 4:54 pm

Password Recovery System

Post by vitinho444 »

Hello community, today I bring to you the system I'm using in my "engine" to recover passwords for the users.

Ok, it's not a recovery... it's more the ability to change to a new one.

So let's start.
I placed the code in a page called lostpw.php.

Here's the full commented source:


<html>
<head>
<link href="style.css" rel="stylesheet" type="text/css"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Village Wars</title>
</head>
<body>
<center>
<?php
include_once 'config.php'; //database configuration (it also sets $site, the site path used in the mail below)
require "languages/index.lang.php"; // this is because i use a multi language system, you can remove it.
echo "<a href='index.php'><img src='images/VW-Logo.png'></a><br><br>"; //Banner of my game

function md5_pass($length = 8) //you will see this function used later: it returns the first $length chars (8 by default) of an md5 hash
{
    return substr(md5(rand().rand()), 0, $length);
}

$bypass = 0; //initialise it first, otherwise the if(!$bypass) below reads an undefined variable
if(isset($_POST['email']))  $bypass = 2; //this is needed so we can know if the user has entered the email of the account

echo "<div id='igactivemenu'>"; //div of my content, from here all is displayed in the screen with my style.css
echo "<center><h2>Password Recovery</h2></center>"; //no comments xD

if(!$bypass) //check if the user has entered the email or not
{
    echo "<h3>To recover your password, you need to enter the email your account is linked to, and then you will receive a temporary password that you can change once you login with it.</h3>";
    echo "Email:";
    echo "<form method='post' action='lostpw.php'>
    <input type='text' name='email'>
    <input type='submit' name='sbm' value='Send'>
    </form>";
}
if($bypass == 2) //what to do when we got the email
{
    $email = mysql_real_escape_string($_POST['email']); //escape the user input before it goes into the query, otherwise the query can be manipulated

    if($info = mysql_fetch_array(mysql_query("SELECT * from players where email='$email'"))) //check what account has this email (if any)
    {
        $player_email = $info['email']; //the email as stored in the database
        $username = $info['username']; //the username

        $password_init = "tmp9031"; //note: this is the beginning of my system, i think it was an original idea by me.. at least i didn't steal it..
        $password = md5_pass(); //now we create that 8 length hash

        $password = $password_init . $password; //and we combine, so it will be: tmp9031XXXXXXXX

        $encrypted = md5($password); //now hash the new password into a real md5

        mysql_query("UPDATE players SET password='$encrypted', realpw='$password' WHERE username='" . mysql_real_escape_string($username) . "'"); //and update the player with the new password (username escaped, it came from the database but may contain quotes)

        $to = $player_email; //now to send an email, we need the receiver
        $subject = "Village Wars Password Recovery"; //subject
        $message = "Dear user $username , you used the Village Wars password recovery system to recover your password.<br>
        Your temporary password is $password<br>
        Please <a href='$site'>Login now</a>, and change the password as soon as possible.<br>
        <br>
        Village Wars Team
        "; //message (sent as HTML, see the headers); the $site variable is the site path included in my database config file
        $headers = "From: no-reply@vw.oryzhon.com\r\nContent-Type: text/html; charset=utf-8"; //the sender header, plus an HTML content type so the <a href> link above is rendered as a link

        mail($to,$subject,$message,$headers); //send to the user the new info

        echo "<h3>The new password was sent to " . htmlspecialchars($player_email) . ".</h3>"; //escaped for HTML, it is shown back to the browser
        echo "<h3><a href='index.php'>Back</a></h3>";

    }    //you can put an else here so you can echo a message like: "sorry no acc with that email"

}

echo "</div>";
?>

</center>
</body>
</html>
Note: notice I updated the players database with 2 passwords: one is the md5 one, the other is the unsecure one. We will need it unencrypted further on.

Ok, very easy.
Now go to your first game page. What's this? Well, you've got your login one, right? You need to go to the page that is displayed once the user logs in.

Mine is game.php and it's where I display server and game news.

And then, in your first game page you will add this to the content area:


echo "<div id='igactivemenu'>"; //my content div

  //$info and $username are the logged in player's database row and name, loaded by the login code that runs before this block
  $temp_password = "tmp9031"; //we know that the new password has this string on it
  $password = $info['realpw']; //we check for the real password of the player (the changed but unencrypted one)
  $pos = strpos($password, $temp_password); //strpos tells us where (if anywhere) $temp_password is inside $password; false means it is not there

  if(isset($_POST['newpassword'])) //this is to check if the player already changed
  {
        $newpassword = $_POST['newpassword']; //catch the newpassword
        $encrypted = md5($newpassword); //hash it (the md5 hex string is safe to put in the query)

        mysql_query("UPDATE players SET password='$encrypted' where username='" . mysql_real_escape_string($username) . "'"); //update and it's done (username escaped before it goes into the query)
        echo "Your password has been changed! You will be redirected to game.";
        echo '<meta http-equiv="refresh" content="2; URL=game.php">'; // 2 seconds waiting and then it will redirect to this page again, but since the password changed it will go straight to news.
  }

  if($pos !== false) //now we check if the $temp_password is inside $password (strict compare: a match at position 0 would look like false otherwise)
  {
    if(!isset($_POST['newpassword'])) //and if the player didn't submit the new password yet we display the change password content
    {
        echo "<h3>Change your Temporary Password</h3>";
        echo "<form method='post' action='game.php'>
        Password: <input type='password' name='newpassword'>
        <input type='submit' value='Change'>
        </form>";
    }
  }
  else
  {
    include_once 'news.php';  //and when there are no tmp9031 chars in the password, it means the player changed it.. so display normal content :D
  }

echo "</div>";
And it's done.. I think it is pretty basic but it gets the work done.

About the unsecure password, don't mind it, because the new one won't get stored unencrypted, so there's nothing to fear.

Thanks, and for any comment or question, reply :D
My Company Website: http://www.oryzhon.com

Skype: vpegas1234
Jackolantern
Posts: 10893
Joined: Wed Jul 01, 2009 11:00 pm

Re: Password Recovery System

Post by Jackolantern »

Very nice! Every game needs password recovery, so this is very useful :D
The indelible lord of tl;dr
MikuzA
Posts: 395
Joined: Thu Aug 08, 2013 8:57 am

Re: Password Recovery System

Post by MikuzA »

Hello,

I know this is just me answering in an 'old' thread, but since I'm new here I browse stuff! ;)

But after a recovery, you do not zero out the realpw. I would guess that should be done in order to secure against hacking attempts?
I mean, I'm going through this code and I see that after recovery, I could use someone's user id and type in the same password I got from recovery and be able to change his password, right?

As a suggestion, skip the temp_password creation and if you wish to have the temporary password saved unencrypted in the DB, use that as an identifier.
And then clear it, and code the PHP so that if realpw is blank, no recovery was requested by the user.

Like this:
1. User requests password recovery.
2. Random password generated and set as unencrypted and encrypted into the DB.
3. Mail sent to user.
4. Login has a check that if the posted password matches the unencrypted one, then the action is recovery == let the user change his password.
5. Empty the unencrypted password from the DB, and set the encrypted password as the user's password.

What do you think?

Otherwise I like the idea of how you made the recovery, never thought of it like you did :)
Why so serious?

Business Intelligence, Data Engineering, Data Mining
PHP, HTML, JavaScript, Bash/KornShell, Python, C#, PL/SQL
MySQL, DB2, Oracle, Snowflake
Pentaho, DataStage, Matillion, Unity3D, Blender
vitinho444
Posts: 2825
Joined: Mon Mar 21, 2011 4:54 pm

Re: Password Recovery System

Post by vitinho444 »

Hehe, this is an old thread but np.

The real password in the DB was a system I used before, when I was stupid.
I guess what you can take from this is: change the password to a random one, and send it to the email. Then in the auth page check if the password is that random one and if yes tell him to change it.
My Company Website: http://www.oryzhon.com

Skype: vpegas1234
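The five steps MikuzA lists above and vitinho444's closing suggestion, written out as an added example that is neither poster's code: the reset secret is stored only as a hash, expires, and is wiped the moment it is consumed, which closes the replay MikuzA describes (type in the recovery password again, change the password again). The $players array is constructed sample data standing in for the players table, and RESET_TTL is an assumed value.

```php
<?php
// Added example, not the code from the thread. $players stands in for the players table;
// a real game would run the same logic against the database with PDO.
declare(strict_types=1);

const RESET_TTL = 3600; // assumed: a reset secret is good for one hour

$players = [ // constructed sample data
    'alice' => [
        'email'         => 'alice@example.com',
        'password'      => password_hash('old-secret', PASSWORD_DEFAULT),
        'reset_hash'    => null, // null means "no recovery requested" (MikuzA's blank realpw)
        'reset_expires' => 0,
    ],
];

// Steps 1-3: mint a random secret, keep only its hash in the row, return the plain secret for the mail.
function create_reset_token(array &$players, string $username): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, not from rand()
    $players[$username]['reset_hash']    = hash('sha256', $token);
    $players[$username]['reset_expires'] = time() + RESET_TTL;
    return $token;
}

// Step 4: the posted secret matches only if a reset is pending, unexpired, and hashes to the stored value.
function reset_token_is_valid(array $players, string $username, string $token): bool
{
    $row = $players[$username] ?? null;
    if ($row === null || $row['reset_hash'] === null || time() > $row['reset_expires']) {
        return false;
    }
    return hash_equals($row['reset_hash'], hash('sha256', $token)); // constant-time compare
}

// Step 5: clear the secret first so it cannot be replayed, then store the new password hash.
function complete_reset(array &$players, string $username, string $token, string $newPassword): bool
{
    if (!reset_token_is_valid($players, $username, $token)) {
        return false;
    }
    $players[$username]['reset_hash']    = null;
    $players[$username]['reset_expires'] = 0;
    $players[$username]['password']      = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Demo: first use of the secret, then a replay of the consumed secret, then a check of the stored hash.
$token = create_reset_token($players, 'alice');
var_dump(complete_reset($players, 'alice', $token, 'new-secret'));
var_dump(complete_reset($players, 'alice', $token, 'another-pw'));
var_dump(password_verify('new-secret', $players['alice']['password']));
```

The plain secret exists only in the e-mail and in the request that redeems it, so a database dump no longer hands out working recovery passwords the way the realpw column did.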