Reputation: 63
I have recently implemented bcrypt for user passwords. I have managed to get the password to hash when the user registers, and they can log in to their account with the password they registered with (not the hashed version) by comparing them against each other. My problem is: I am working on a forgotten-password email page that sends an email to the user stating their password; HOWEVER, it sends the hashed version. Is there any way around this so that I could state the old one, or is this impossible? I know this is not very safe, however it is only a small personal project I am completing and is not live.
Here is my forgot.php
<?php
$sentmail = false; // initialise so the check further down never reads an undefined variable
if (isset($_POST['email'])) {
    $email = $_POST['email'];
    // Bind the e-mail as a parameter instead of interpolating it into the SQL string,
    // which closes the SQL injection hole in the original query.
    $stmt = mysqli_prepare($mysqli_conn, "SELECT email, password FROM user WHERE email = ?");
    mysqli_stmt_bind_param($stmt, "s", $email);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
    $count = mysqli_num_rows($result);
    if ($count == 1) {
        $rows = mysqli_fetch_array($result);
        $pass = $rows['password']; // FETCHING PASS (this is the stored bcrypt hash, not the cleartext)
        //echo "your pass is ::".($pass)."";
        $to = $rows['email'];
        //echo "your email is ::".$email;
        //Details for sending E-mail
        $url = "www.website.com";
        $body = "Password recovery
-----------------------------------------------
Url : $url;
<br> Your email details: $to;
<br>Here is your password : $pass;
<br><br>Sincerely,
Find-a-room";
        $from = "[email protected]";
        $subject = "Password recovered";
        $headers1 = "From: $from\r\n";
        $headers1 .= "Content-type: text/html;charset=iso-8859-1\r\n";
        $headers1 .= "X-Priority: 1\r\n";
        $headers1 .= "X-MSMail-Priority: High\r\n";
        $headers1 .= "X-Mailer: Just My Server\r\n";
        $sentmail = mail($to, $subject, $body, $headers1);
    } else {
        if ($_POST['email'] != "") {
            echo "<span> Not found your email in our database</span>";
        }
    }
    mysqli_stmt_close($stmt);
    if ($sentmail) {
        echo "<span style='color: #ff0000;'> Your Password Has Been Sent To Your
Email Address.</span>";
    } else {
        if ($_POST['email'] != "") {
            echo "<span style='color: #ff0000;'> Cannot send password to your e-mail
address.Problem with sending mail...</span>";
        }
    }
}
?>
<form action="" method="post">
<label> Enter your User ID : </label>
<input id="email" type="text" name="email" />
<input id="button" type="submit" name="button" value="Submit" />
</form>
Upvotes: 0
Views: 789
Reputation: 399
Hashing uses one-way algorithms so you can't do this, I wouldn't advise sending passwords in plain text either.
Upvotes: 0
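The usual way around this, as an added example that is not the answerer's code or the asker's project: since a bcrypt hash cannot be reversed, the reset page mails a random, short-lived, single-use token instead of any password, and only a hash of that token is stored. The user follows the link, proves possession of the token, and sets a new password, which is then bcrypt-hashed like the original one. The `$users` and `$resetTokens` arrays below stand in for database tables with constructed sample data, `www.website.com` is the placeholder host from the question, and the function names (`issueResetToken`, `completeReset`) are this example's own.

```php
<?php
// Added example: token-based password reset that never needs the old password.
// $users and $resetTokens are constructed in-memory stand-ins for database tables.
declare(strict_types=1);

const TOKEN_TTL = 15 * 60; // a reset link is valid for 15 minutes

$users = [
    // constructed sample account; the stored value is a bcrypt hash, never the cleartext
    'alice@example.com' => ['password' => password_hash('correct horse', PASSWORD_BCRYPT)],
];
$resetTokens = []; // email => ['token_hash' => sha256 hex, 'expires' => unix timestamp]

// Step 1: create a token for an existing account. The raw token goes into the e-mail
// link only; the database keeps just its SHA-256 hash, so a leaked table cannot be
// used to reset anyone's password. Returns null when the address is not registered.
function issueResetToken(string $email, array $users, array &$resetTokens): ?string
{
    if (!isset($users[$email])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $resetTokens[$email] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => time() + TOKEN_TTL,
    ];
    return $token;
}

// What the forgot-password form does with the request. The response is identical
// whether or not the address exists, so the form cannot be used to enumerate accounts.
function requestReset(string $email, array $users, array &$resetTokens): string
{
    $token = issueResetToken($email, $users, $resetTokens);
    if ($token !== null) {
        $link = "https://www.website.com/reset.php?email=" . rawurlencode($email)
              . "&token=" . $token;
        // In the real page this is mail($email, "Password reset", "Open within 15 minutes: $link");
        echo "[would mail to $email] $link\n";
    }
    return "If that address is registered, a reset link has been sent.";
}

// Step 2: the link is opened. Compare the token hash in constant time, enforce the
// expiry, store a bcrypt hash of the new password, and discard the token so the same
// link cannot be replayed.
function completeReset(string $email, string $token, string $newPassword,
                       array &$users, array &$resetTokens): bool
{
    if (!isset($resetTokens[$email]) || !isset($users[$email])) {
        return false;
    }
    $entry = $resetTokens[$email];
    if (time() > $entry['expires']) {
        unset($resetTokens[$email]); // expired: discard and require a new request
        return false;
    }
    if (!hash_equals($entry['token_hash'], hash('sha256', $token))) {
        return false; // wrong token; the stored entry stays until it expires
    }
    $users[$email]['password'] = password_hash($newPassword, PASSWORD_BCRYPT);
    unset($resetTokens[$email]); // single use
    return true;
}

// Demo run (the token is captured here only so the second step can be exercised offline)
echo requestReset('nobody@example.com', $users, $resetTokens), "\n"; // same message, no mail
$token = issueResetToken('alice@example.com', $users, $resetTokens);
var_dump(completeReset('alice@example.com', 'not-the-token', 'new pass', $users, $resetTokens)); // false
var_dump(completeReset('alice@example.com', $token, 'new pass', $users, $resetTokens));         // true
var_dump(password_verify('new pass', $users['alice@example.com']['password']));                  // true
var_dump(completeReset('alice@example.com', $token, 'again', $users, $resetTokens));            // false, token already used
```

The reset page in a real deployment would read `email` and `token` from the query string and the new password from a POST form, and the arrays would be replaced by prepared statements against the `user` table plus a small reset-token table with an expiry column.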