Change Password [How it would work]

[TheJacob]

Change Password Script​

The UberCMS is leaked, therefore incomplete. It has a lot of features missing, including the "Change Password" option. Below is how I would form a change password script (general idea thinking of how it could work, what would need to be coded and what variables may need to be set if you were to officially make one).

Post your opinions on how this could be setup, and how it should be setup. Feel free to use this base and complete it.

Legend:
COLOR - Needs to be modified to match what it should be.

The HTML: (could look something like this)

<form method="post" action="">
<table>
<tr>
<td>New Password</td>
</tr>
<tr>
<td><input type="password" name="npassword"></td>
</tr>
<tr>
<td>Re-enter New Password</td>
</tr>
<tr>
<td><input type="password" name="rnpassword"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="submit"></td>
</tr>
</table>
</form>

The PHP: (could look something like this)

<?php

$error_message_1 = "<span style="color:red;">The new password must be 3-15 characters in length.</span>"; //Error Message (password length)
$error_message_2 = "<span style="color:red;">The passwords must match.</span>"; //Error Message (passwords must match)
$success_message_1 = "<span style="color:green;">The new password has been successfully updated!</span>"; //Success Message (password updated)

[COLOR="YellowGreen"]$susername = $_SESSION['username'];[/COLOR] //Variable for the session username
$npassword = $_POST['npassword']; //Variable for the new password
$rnpassword = $_POST['rnpassword']; //Variable for the confirmed new password
$submit = $_POST['submit']; //Variable for the submit button

if (isset($submit) == true) {
$password = strtolower(preg_replace("/[^a-zA-Z0-9\-\_\!\$\#\@\^\&\*\(\)\^\+\ \.\?]/", "", $npassword));

if ((isset($submit) == true) and ((strlen($npassword) > 15) || (strlen($npassword) < 3) || (strlen($rnpassword) > 15) || (strlen($rnpassword) < 3))) {
echo $error_message_1;
} 

else if ((isset($submit)) and ($npassword != $rnpassword)) {
echo $error_message_2;
} else {
$query = mysql_query("[COLOR="YellowGreen"]REGISTER NEW PASSWORD QUERY[/COLOR]");
echo $success_message_1;
}

}

?>

 

[Ðavid]

First post.

Very good!

 

[LMC]

Nice i suppose... I would do it via email though. Oh i forgot, most noobs on here use xampp so that feature would be pointlesss....

 

[TheJacob]

Nice i suppose... I would do it via email though. Oh i forgot, most noobs on here use xampp so that feature would be pointlesss....

What do you mean via email? How could you possibly change your password via email?

 

[LMC]

What do you mean via email? How could you possibly change your password via email?

Say if someone forgets there password they can request a new one via email. Oh sorry i forgot, that wasnt actually what you was saying. I thought you ment resetting a lost password. my bad!

 

[Grant]

Pretty useful

 

[TheJacob]

Pretty useful

You're welcome. This is to help everyone get the "idea" of how an ideal script would work for this.

I am looking forward to seeing how they develop this base.

 

[winterpartys]

Say if someone forgets there password they can request a new one via email. Oh sorry i forgot, that wasnt actually what you was saying. I thought you ment resetting a lost password. my bad!

The admin cannot just add it, becase you see it's encrypted not just plain text. So if you were to use variables (I think it could sha1) so it would be like this:

$pass = sha1($_POST['pass']); <Something like that

 

[TheJacob]

The admin cannot just add it, becase you see it's encrypted not just plain text. So if you were to use variables (I think it could sha1) so it would be like this:

$pass = sha1($_POST['pass']); <Something like that

Is it sha1 Uber uses? I didn't ever notice, well, I never even looked tbh. I always assumed it was md5. I'll look into this and post a better base script tomorrow.

 

[Idiotic]

Well what about this, the user forgets his password, and a secret authentication code is stored in the database (along with the username) and for the user to reset his password it could be something like reset_pass.php?user=USER&auth=CODE. The secret code could be like random numbers to some hash, or so. Then if they don't match it will display an error. If it is correct display a form to reset the password.

Something like..

<?php

$myusername = $_POST['username'];

$results = mysql_query("SELECT username FROM users WHERE username='" . $myusername . "'");
if(mysql_num_rows($results) == 1)
  {
  //send the reset password url to user's email
  }
else //error out

?>

etc..

<?php

$user = $_GET['user'];
$auth = $_GET['auth'];

$results = mysql_query("SELECT * FROM reset_pass WHERE auth='" . $auth . "'");
while($rows = mysql_fetch_array($results))
  {
  if(($user == $rows['user']) && ($auth == $rows['auth']))
    {
    //reset password form
    }
  else //error out

?>

Very simple stuff, but do you understand what I'm trying to say?

 

[TheJacob]

Well what about this, the user forgets his password, and a secret authentication code is stored in the database (along with the username) and for the user to reset his password it could be something like reset_pass.php?user=USER&auth=CODE. The secret code could be like random numbers to some hash, or so. Then if they don't match it will display an error. If it is correct display a form to reset the password.

Something like..

<?php

$myusername = $_POST['username'];

$results = mysql_query("SELECT username FROM users WHERE username='" . $myusername . "'");
if(mysql_num_rows($results) == 1)
  {
  //send the reset password url to user's email
  }
else //error out

?>

etc..

<?php

$user = $_GET['user'];
$auth = $_GET['auth'];

$results = mysql_query("SELECT * FROM reset_pass WHERE auth='" . $auth . "'");
while($rows = mysql_fetch_array($results))
  {
  if(($user == $rows['user']) && ($auth == $rows['auth']))
    {
    //reset password form
    }
  else //error out

?>

Very simple stuff, but do you understand what I'm trying to say?

Yes I understand what you're saying, and this base could work with what you're trying to setup (have a new password forum setup after the user authenticates). So yes that could work.

But the base was mainly for adding it into a user cp type thing. But I like the creativity... so to speak :.

 

[Moogly]

This feels more like a tutorial than a release?

 

[TheJacob]

This feels more like a tutorial than a release?

It's more or less a debatable release / discussion. I wrote up a script of how it could look, so people can use that base and modify it appropriately. As well I am getting opinions on how they modified it.

 

[Moogly]

Is it sha1 Uber uses? I didn't ever notice, well, I never even looked tbh. I always assumed it was md5. I'll look into this and post a better base script tomorrow.

Can use whatever you want, and change it the only thing that needs to verify the users password is the CMS the emulator wont be affected unless it's pre-flash and has old login (v1 - v17 ~).

As for the comment about encrypted, SHA1 = hashing not exactly encryption...

 

[Sean]

Thanks Jacob

~sean111

 

[Grant]

I never knew uber encrypted with SHA1

 

[PEjump2]

Nope uber doesnt use sha1, it uses sha1 + site hash encryption

 

[Idiotic]

Yes I understand what you're saying, and this base could work with what you're trying to setup (have a new password forum setup after the user authenticates). So yes that could work.

But the base was mainly for adding it into a user cp type thing. But I like the creativity... so to speak :.

Well, instead of having the code in the URL, the code could be in the message. So..

Email:

You have requested to change your password, etc..

Click here to change your password: link here
Code: new893b29werbiu0

You must use this activation code, or else you will not be able to change your password, etc..

Then the change password form can have an extra input for the code.

 

[Grant]

Nope uber doesnt use sha1, it uses sha1 + site hash encryption

Smart, very smart..

 

[TheJacob]

Thanks Jacob

~sean111

You're welcome. I am just helping out, not hand feeding

Well, instead of having the code in the URL, the code could be in the message. So..

Email:

You have requested to change your password, etc..

Click here to change your password: link here
Code: new893b29werbiu0

You must use this activation code, or else you will not be able to change your password, etc..

Then the change password form can have an extra input for the code.

The email thing won't work for change password. Like I mean it's just not practical when you can simply just make a small panel that does it...