Another issue with sha1.

I am creating users via a registration form, that when submitted, has made the password a sha1.
Registration script:

$password = sha1(mysqli_real_escape_string($connection, $_POST['pass1']));

When the user log in, I have this script using sha1.
Login script:

$password = sha1(mysqli_real_escape_string($connection, $_POST['password']));
$sql=("SELECT id, email, username FROM users WHERE email='$email' AND pass='$password' LIMIT 1");

Then I have made a forgot password script, that creates a random password like this.
Forgot password script:

$password =  substr(md5(uniqid(rand(),true)), 10,15); 
// Creates a unique temp password
$password = sha1($password);
// Then I make it a sha1
$query = "UPDATE users SET pass= '$password' WHERE id=$userid LIMIT 1";

This is my question/problem:
When the user has forgotten his password, I want to email him a new one.

So I reset the password completely, and email the user the new reset password.

Ass you can see in my script above: The password the user gets emailed, and that he has to use for login has been sha1 encrypted.

When he wants to login, the reset password, is once again being sent through a sha1 in the log in forms script, since this is the encryption, both the registration and login form uses, and that the login form needs to use to recognize the registered password, right?

But after running the new reset password through the login script, the script makes a sha1 encryption of the new reset password once again, and it doesnt recognize the reset password in the DB.....

I hope this makes sence.
The core issue is that after a user resets his password he cant login using the login form because it encryptes the reset password again...

How can I make a user reset his password, and use it in the login form that sha1 the password?

I hope this made sence!

Member Avatar


Send a link in the email, as opposed to offering a new PW. This link, containing various querystring parameters (hashed) sent to say a forgot.php page takes the info, accepts them and compares them to a one-use value in the DB field.

username | pw (hashed) | .... | forgotcode | forgot_expire

When forgot requested, hashed value placed in 'forgotcode' with say a 24 hour time frame (can't be used after this time - user will need to request another). When forgot verifies the data (matches DB), the forgotcode and forgot_expire are wiped and the user is logged in and redirected to the profile page where he/she can change the pw.

Just an idea.

This has the advantage that if a malicious user requests a reset for another user, the other user isn't locked out.

I guess it was an quite obvious solution, which i didnt see yesterday,
but i should just extract the random generated password, before it is made sha1, and then use that for login..
Before it was:

$password =  substr(md5(uniqid(rand(),true)), 10,15); 
// Creates a unique temp password
$password = sha1($password);
// Then I make it a sha1
$query = "UPDATE users SET pass= '$password' WHERE id=$userid LIMIT 1";

Now it is:

$pass =  substr(md5(uniqid(rand(),true)), 10,15); 
// Creates a unique temp password, echo it out to check
echo $pass; // This is the password the user get emailed and uses for login
// Make it a sha1 for later use, in the login script:
$password = sha1($pass);
// Now its sha1, so it fits the login script.
$query = "UPDATE users SET pass= '$password' WHERE id=$userid LIMIT 1";