[RELEASE] Secure PHP Web Change Password Script

abrasive · 02/14/2011, 04:52

This is a secure password change script meant for Shaiya private servers.

I noticed a lot of private servers do not allow regular users to change passwords. Be warned, this script is a double-edged sword in a way, ESPECIALLY since most servers do not allow for password recovery via email or some other method. By implementing this script players who have shared their account credentials with other players can now get their password changed unknowingly (and thus their account is now "stolen"). It is up to you to determine how to handle this.

I put the CAPTCHA in this to prevent other players from using a bot to brute-force passwords from other accounts.

Also some error messages are purposely generic to prevent users from verifiably guess account names from this script.

I commented these scripts fairly verbosely, so please read the comments! They are meant to tell you useful stuff.

There are seven scripts you will need to make this work:
changepassword.php
changepassword.view.php
success.view.php
db.php
db.config.php
recaptchalib.config.php
recaptchalib.php (From Google:

)

You can get success.view.php, db.php, db.config.php, recaptchalib.config.php, and recaptchalib.php from this post:

[changepassword.php] (Edit the SQL in this file if needed)

Spoiler

Code:

<?php
require_once('recaptchalib.config.php');
require_once('recaptchalib.php');
require_once('db.config.php');

$username = isset($_POST['username']) ? mssql_escape_string(trim($_POST['username'])) : '';
$password = isset($_POST['password']) ? mssql_escape_string(trim($_POST['password'])) : '';
$newpassword = isset($_POST['newpassword']) ? mssql_escape_string(trim($_POST['newpassword'])) : '';
$newpassword2 = isset($_POST['newpassword2']) ? mssql_escape_string(trim($_POST['newpassword2'])) : '';
$errors = array();
$success = false;
if(isset($_POST) && !empty($_POST)){
	require_once('db.php');
	
	// Validate user name and password.
	$result = @mssql_query("SELECT UserID FROM PS_UserData.dbo.Users_Master WHERE UserID = '{$username}' AND Pw = '{$password}'") or die('Failed to verify is the provided user named already exists.');
	if(!mssql_num_rows($result)){
		$errors[] = 'Invalid user name and/or password.';
	}
	// Validate new passwords.
	if(empty($newpassword)){
		$errors[] = 'Please provide a new password.';
	}else if(strlen($newpassword) < 3 || strlen($newpassword) > 16){
		$errors[] = 'New password must be between 3 and 16 characters in length.';
	}else if($newpassword != $newpassword2){
		$errors[] = 'New passwords do not match.';
	}
	// Validate reCAPTCHA.  This is to prevent someone brute force guessing passwords with a bot.
	$response = recaptcha_check_answer($recaptcha_private_key,$_SERVER['REMOTE_ADDR'],$_POST['recaptcha_challenge_field'],$_POST['recaptcha_response_field']);
	if(!$response->is_valid){
		if($response->error == 'incorrect-captcha-sol'){
			$errors['recaptcha'] = 'Incorrect answer to reCAPTCHA';
		}else{
			$errors['recaptcha'] = $response->error;
		}
	}
	// Persist the new password to the database if no previous errors occured.
	if(count($errors) == 0){
		$sql = "UPDATE PS_UserData.dbo.Users_Master
				SET Pw = '{$newpassword}'
				WHERE UserID = '{$username}'";
		// Remove the @ symbol here to see what the SQL error message is when running the above query in $sql.
		if($result = @mssql_query($sql)){
			$success = "Password for {$username} successfully changed!";
		}else{
			// This means the update statement is probably not valid for your database.  Fix the query or fix your database, your choice ;)
			$errors[] = 'Failed to change password, please try again later';
		}
	}
}
// Determine which view to show.
if($success === false){
	require_once('changepass.view.php');
}else{
	require_once('success.view.php');
}
?>

[changepassword.view.php] (Re-style the display in this file)

Spoiler

ProfNerwosol · 02/15/2011, 11:20

HINT:

Those willing to add password retrieval through email can use PHPMailer. It's a PHP script meant to send email without having to install SMTP servers and such.

nevak · 02/15/2011, 15:45

Hi Abrasive! Thanks for this script, I really appreciate your work =)

I have a question regarding security: are the passwords (old and new) with this script sent to the server in plain text? If so, how risky is that?
I also read that client side password encrypting is not that useful since anyone with the encrypted password could use it if there are not other security measures server side...
How could we work around this? https?

Maybe I'm getting the point totally wrong, if so, please excuse me ^^

Cheers and thanks again =)

abrasive · 02/15/2011, 16:53

Yes, it is sent in plain text, but someone would need to be on the same internal network as you or the server to be able to sniff your password. If they can do that, then they can probably sniff the password when you log into the game server anyways though.

Https would encrypt the password so it would not be sniffable, but I didn't think was worth the time investment to try to implement it. You can also encrypt the password with javascript before sending it to the server, but then if someone has javascript turned off, it will not work.

By "secure" in this context, I meant it was not vulnerable to SQL injection like so many other scripts.

benoli105 · 11/08/2011, 00:53

can you make a video tutorial of this plz ><?

ferrox1 · 08/27/2013, 21:03

Hey all anyone can help me when i tried to change pass at some acc i got this error
Fatal error: Call to undefined function mssql_escape_string() in C:\xampp\htdocs\reg\changepass.php on line 6

where is mistake

castor4878 · 08/27/2013, 23:26

According to:

Code:

Fatal error: Call to [B]undefined function[/B] mssql_escape_string()

you are using an undefined function.

"mssql_escape_string" is a "mssql" function (!) and if it is undefined it is because you don't load the mssql module (!).

to repeat myself, XAMPP can be a nice tool when the user knows why he's using it and how to use it (it then allows portable installation, and so easy setup of an illimited number of configurations).
but when it is used "because it's easy", "because I can't spend 10mn to read the guide" or any other (bad) reason that leads to not know or try to understand what has been installed, it's a bad tool.

the mistake is your setup.

ferrox1 · 08/27/2013, 23:57

Castor but other my scripts as register or pvp ranks working fine and only passwordchange don't working

castor4878 · 08/28/2013, 05:13

ok, error in "bla foo, line 6" let me think that it was the first mssql_xx function call.
if you have several pages that work fine with the mssql-wrapper-for-php, the module is (of course) installed.

the "mysql_escape_string" still exists in the MySQL module, but may be the equivalent function was removed from the mssql module; if the page generating the issue was posted 2 or 3 years ago it's more than certain, if it's a 2 months release, it's a bit puzzling...

you can provide your own function and rename all occurences to "mssql_escape_string" by your function's name. knowning that the sole purpose of these escape functions is to replace each single-quote by two-single-quote (not a double-quote), you will provide:

Code:

function my_escape_function($inStr){
   return str_replace("'", "''", $inStr);
}