[release] Reset Lost Password Script
Discussion on [release] Reset Lost Password Script within the EO PServer Hosting forum part of the Eudemons Online category.
04/30/2011, 23:56
|
#16
|
elite*gold: 0
Join Date: Aug 2010
Posts: 219
Received Thanks: 110
|
Nice release. I would add some input sanitization though, too easy to hack that script and gain full access to accounts table (no offense, as all the sites on here require that).
|
|
|
05/01/2011, 00:18
|
#17
|
elite*gold: 0
Join Date: Oct 2009
Posts: 1,208
Received Thanks: 926
|
Since it's constantly connected through MySQL, you can use MySQL's built-in mysql_real_escape_string(variable) function. It will sanitize any input that could harm the database.
|
|
|
05/01/2011, 00:44
|
#18
|
elite*gold: 90
Join Date: Feb 2008
Posts: 1,112
Received Thanks: 642
|
I am not that skilled at MySQL/PHP.
I mostly copy/paste the core functions from different scripts to mix them into a part that does what I need to do (this script is a rebuild of a register script with verification email and a few other scripts where I took the code from).
Basically I wanted to make it with a dual database connection (single database on website and main database on VPS so you can only access the database from the VPS with read access, is safer than allowing a connection from the web to the VPS), but I failed at that part as everything that I found doesn't seem to work :'(
Anyway,
it is at least a useful release for some people. You are free to modify it for your needs and improve it, but let me know when you want to re-release it, as it is still my own work.
Greets From PowerChaos
If you have example code for me, please send it to me and I will use it in the script (I just need the basic functions and examples) so I know what I can put in it.
|
|
|
05/01/2011, 01:18
|
#19
|
elite*gold: 0
Join Date: Oct 2009
Posts: 1,208
Received Thanks: 926
|
I've gone through and fixed up the majority of the sanitizing issues. I haven't tested it, but I don't see how it could cause any issues. These are just simple sanitizing functions; if you want to fully secure it, I suggest that you write up your own functions.
If you encounter any problems with this, feel free to post.
newpass.php:
Code:
<?php
// Database connection settings
$myhost="localhost"; //server ip
$myuser="test"; //your server login username
$mypass="test"; //your server login password
$mydb="compose"; //your server my database
mysql_connect($myhost,$myuser,$mypass);
mysql_select_db($mydb);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>New Password</title>
</head>
<body>
<form action="newpass.php" method="post" name="password reset confirm">
Pass Reset Code: <input type="text" name="code"/>
<input type="submit" name="confirm" value='Confirm Code' />
</form>
<?php
// Step 1: look up the submitted reset code
if(isset($_POST['confirm'])){
    $confirm = mysql_real_escape_string($_POST['code']);
    $res = mysql_query("select * from passreset where activationkey = '".$confirm."'");
    if(mysql_num_rows($res) == 0)
    {
        Echo "Sorry that Confirm code does not exist";
    }else{
        $row = mysql_fetch_assoc($res);
        // Values read back from the database are escaped again before reuse in SQL
        $email = mysql_real_escape_string($row['email']);
        $res2 = mysql_query("select * from account where email = '".$email."'");
        $row2 = mysql_fetch_assoc($res2);
        // HTML-encode database values before writing them into the page
        $safeEmail = htmlspecialchars($row['email'], ENT_QUOTES);
        $safeName = htmlspecialchars($row2['name'], ENT_QUOTES);
        echo "
<script type=\"text/javascript\" src=\"http://178.32.174.84/md5.js\"></script>
<form method=\"post\" action=\"newpass.php\">
<TABLE align=\"center\">
<tr><td align=\"center\">email :</td></tr>
<tr><td align=\"center\"><input type=\"hidden\" name=\"email\" value=\"$safeEmail\"><font color='red'>$safeEmail</font></td></tr>
<tr><td align=\"center\">Login Name:</td></tr>
<tr><td align=\"center\"><input type=\"hidden\" name=\"name\" value=\"$safeName\"><font color='red'>$safeName</font></td></tr>
<tr><td align=\"center\">New Password:</td></tr>
<tr><td align=\"center\"><input type=\"password\" size=\"20\" name=\"newpas\"/></td></tr>
<tr><td align=\"center\">Retype New Password:</td></tr>
<tr><td align=\"center\"><input type=\"password\" size=\"20\" name=\"renew\"/></td></tr>
<tr><td align=\"center\">
<input type=\"hidden\" name=\"hash\"><input class=Butt type=submit onClick=\"hash.value = login(newpas.value)\" value=\"Change Password\" name=complete>
</td></tr>
</TABLE>
</form>";
    }
}
// Step 2: store the new password hash sent by the form above
if(isset($_POST['complete'])){
    $userid = mysql_real_escape_string($_POST['name']);
    $hash=mysql_real_escape_string($_POST['hash']);
    $newpass = mysql_real_escape_string($_POST['newpas']);
    $renewpass = mysql_real_escape_string($_POST['renew']);
    $email = mysql_real_escape_string($_POST['email']);
    // echo does not stop the script; the checks below still run after a mismatch
    if($newpass != $renewpass)
    {
        echo "Your New paswords dont match , please complete the process again";
    }
    if($userid == "")
    {
        echo "This account does not seems to exist";
    }
    else{
        // The reset code is not checked again here; the row is chosen by the posted name field
        $sql = "UPDATE account SET password='$hash' WHERE name='$userid'";
        $query = mysql_query($sql) or die(mysql_error());
        echo "Password Changed correctly ";
        mysql_query("DELETE FROM passreset WHERE email = '".$email."'");
    }
}
?>
</body>
</html>
lostpass.php:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Lost Password</title>
</head>
<body>
<form action="lostpass.php" method="post" name="password reset">
Email: <input type="text" name="email" maxLength="128"/>
<input type="submit" name="passreset" value='Lost Password Request' />
</form>
<?php
// Database connection settings
$myhost="127.0.0.1"; // server ip
$myuser="test"; //your server login username
$mypass="test"; //your server login password
$mydb="compose"; //your server account database
mysql_connect($myhost,$myuser,$mypass);
mysql_select_db($mydb);
if (isset($_POST['passreset'])) {
    $activationKey = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
    $email = mysql_real_escape_string($_POST['email']);
    if($email == ""){
        die( "email is not valid" );
    }
    // The account must exist before a reset key is issued
    $res = mysql_query("select * from account where email = '".$email."' order by id desc") or die(mysql_error());
    if(mysql_num_rows($res) == 0)
    {
        die("email does not exist , please try again");
    }
    $res2 = mysql_query("select * from passreset where email = '".$email."' order by id desc") or die(mysql_error());
    if(mysql_num_rows($res2) == 0)
    {
        mysql_query("insert into passreset (email,activationkey,date) values ('".$email."', '".$activationKey."','".date("y-m-d H:i:s", time())."')") or die(mysql_error());
        // HTML-encode the submitted address before echoing it back
        echo "An email has been sent to ".htmlspecialchars($_POST['email'], ENT_QUOTES)." with an pass reset key. Please check your mail to continue to change your password.";
    }
    else
    {
        // A pending key already exists: remove it and stop
        mysql_query("DELETE FROM passreset WHERE email = '".$email."'");
        die( "passreset code is deleted , please submit your email again for a new code");
    }
    //Send activation key Email
    $to = mysql_real_escape_string($_POST['email']);
    $subject = " DemonPower Password Change Request";
    $message = "DemonPower Pass Restore!\r\rYou, or someone using your email address, has lost his password.\rYou can change your password at the following link:\r\rhttp://www.demonpower.com/newpass\r\r Please fill in below code to reset your pass \r\r$activationKey\r\rIf this is an error, ignore this email and report it to us .\r\rRegards,\r DemonPower.com Team";
    $headers = 'From: ' . "\r\n" .
        'Reply-To: ' . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
}
?>
</body>
</html>
|
|
|
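The reset flow from the post above, as an added example that is not part of the thread or any poster's code: every query is a prepared statement instead of escaped string concatenation, the key comes from the CSPRNG and is stored hashed with an expiry, and the password update is tied to the key instead of the posted name field. Assumptions: PDO with an in-memory SQLite database so it runs without a server, the hypothetical functions issueResetKey and completeReset, the keyhash and expires columns, and password_hash() as the storage format.

```php
<?php
// Added example, not the thread's code. Table and column names follow the posted
// script where possible; the SQLite database and the sample account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)');
$db->exec('CREATE TABLE passreset (email TEXT PRIMARY KEY, keyhash TEXT, expires INTEGER)');
$db->exec("INSERT INTO account (name, email, password) VALUES ('alice', 'alice@example.test', 'old')");

// lostpass.php step: issue a key from the CSPRNG and store only its SHA-256 hash.
function issueResetKey(PDO $db, string $email): ?string {
    $st = $db->prepare('SELECT 1 FROM account WHERE email = ?');
    $st->execute([$email]);
    if ($st->fetchColumn() === false) {
        return null; // unknown address: nothing stored, nothing mailed
    }
    $key = bin2hex(random_bytes(16));
    $st = $db->prepare('REPLACE INTO passreset (email, keyhash, expires) VALUES (?, ?, ?)');
    $st->execute([$email, hash('sha256', $key), time() + 3600]); // 1 hour: assumed lifetime
    return $key; // goes into the e-mail only
}

// newpass.php step: the account is looked up from the key, never from a posted name field.
function completeReset(PDO $db, string $key, string $newPass, string $retype): bool {
    if ($newPass === '' || $newPass !== $retype) {
        return false;
    }
    $st = $db->prepare('SELECT email FROM passreset WHERE keyhash = ? AND expires > ?');
    $st->execute([hash('sha256', $key), time()]);
    $email = $st->fetchColumn();
    if ($email === false) {
        return false; // unknown, expired or already used key
    }
    $db->beginTransaction();
    // password_hash() is an assumption; a game server that reads this column
    // directly needs the hash format it expects instead.
    $db->prepare('UPDATE account SET password = ? WHERE email = ?')
       ->execute([password_hash($newPass, PASSWORD_DEFAULT), $email]);
    $db->prepare('DELETE FROM passreset WHERE email = ?')->execute([$email]);
    $db->commit();
    return true;
}

// Constructed inputs: a quote-laden key is bound as data, then the issued key is used twice.
$key = issueResetKey($db, 'alice@example.test');
var_dump(completeReset($db, "x' OR '1'='1", 'n3w-pass', 'n3w-pass'));
var_dump(completeReset($db, $key, 'n3w-pass', 'n3w-pass'));
var_dump(completeReset($db, $key, 'n3w-pass', 'n3w-pass'));
```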
05/01/2011, 01:41
|
#20
|
elite*gold: 90
Join Date: Feb 2008
Posts: 1,112
Received Thanks: 642
|
OK, thank you.
I changed a few more things in it that I noticed (in some cases).
I changed the "echo" commands to "die" commands to prevent execution of the other commands (which happens in rare cases).
But after looking through the script I found something where I cannot figure out how it comes that it works (it makes no sense to me, but it works).
Code:
else{
$sql = "UPDATE account SET password='$hash' WHERE name='$userid'";
$query = mysql_query($sql) or die(mysql_error());
If I understand PHP well enough, then $query needs to run somewhere or it is not even supposed to be running? (As it is a variable that gets set to the command $query, so you can use that command to execute at the place you like.)
Anyway, thank you for the update.
I am going to edit my first post with this new post and the mirror fix on it.
Greets From PowerChaos
|
|
|
05/01/2011, 01:47
|
#21
|
elite*gold: 0
Join Date: Oct 2009
Posts: 1,208
Received Thanks: 926
|
Quote:
Originally Posted by PowerChaos
OK, thank you.
I changed a few more things in it that I noticed (in some cases).
I changed the "echo" commands to "die" commands to prevent execution of the other commands (which happens in rare cases).
But after looking through the script I found something where I cannot figure out how it comes that it works (it makes no sense to me, but it works).
Code:
else{
$sql = "UPDATE account SET password='$hash' WHERE name='$userid'";
$query = mysql_query($sql) or die(mysql_error());
If I understand PHP well enough, then $query needs to run somewhere or it is not even supposed to be running? (As it is a variable that gets set to the command $query, so you can use that command to execute at the place you like.)
Anyway, thank you for the update.
I am going to edit my first post with this new post and the mirror fix on it.
Greets From PowerChaos
|
The $query variable is what's running the SQL. Since you have it defined, it will run even if it's not called through an echo or print statement.
|
|
|
 |
|