Posted by shimmyshack on 03/29/07 16:06
On 29 Mar, 15:56, custom...@gmail.com wrote:
> I have designed a site that requires users to login. Me being new to
> PHP, I hired a guy to help me set up the database. He set it up and it
> works flawlessly. Well.. instead of helping me finish the project, he
> has pretty much disappeared.
>
> Looking at the code, the passwords are stored using MD5 encryption in
> the database. I was able to get a password retrieval form working,
> but it's sending the passwords encrypted.
>
> Can they be retrieved unencrypted via form?
If you mean, can you get the users to post their passwords from the
form so that you can see them, and still authenticate them, the answer
is yes (if you fiddle with the form) but you should leave it just as
it is!
The last reply (Arjen) was spot on, you shouldn't have to know what
your users' passwords are, just reset them, that's all they need. The
way the form is set up _probably_ (we can't really tell cos you didn't
provide a URL) means that it is logging them in securely without SSL,
if you fiddle with this, you will be increasing the surface area of
attack for your site.
If you meant anything else, the answer is _probably_ no.
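
The reset-instead-of-retrieve approach recommended in this reply, as an added example that is not part of the original thread or the site's own code: a single-use, expiring reset token whose digest is stored server-side, so no existing password ever needs to be read back. The `$users` array is a constructed stand-in for the database table, the function and column names are hypothetical, and storing the new password with PHP's `password_hash` (instead of the site's MD5) is this example's choice, which assumes the login check is switched to `password_verify`.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the users table (hypothetical schema).
$users = [
    'alice' => ['pw_hash' => md5('old-password'), 'reset_hash' => null, 'reset_expires' => 0],
];

// Issue a single-use reset token. Only its SHA-256 digest is stored, so a
// database leak does not reveal a usable token. The raw token goes into the
// e-mailed reset link and nowhere else.
function issueResetToken(array &$users, string $name, int $now, int $ttl = 1800): ?string
{
    if (!isset($users[$name])) {
        return null; // caller shows the same "check your e-mail" page either way
    }
    $token = bin2hex(random_bytes(32));
    $users[$name]['reset_hash'] = hash('sha256', $token);
    $users[$name]['reset_expires'] = $now + $ttl;
    return $token;
}

// Redeem a token: check expiry, compare digests in constant time, then
// replace the stored password hash and invalidate the token.
function redeemResetToken(array &$users, string $name, string $token, string $newPassword, int $now): bool
{
    $row = $users[$name] ?? null;
    if ($row === null || $row['reset_hash'] === null || $now > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['pw_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$name]['reset_hash'] = null;   // token cannot be replayed
    $users[$name]['reset_expires'] = 0;
    return true;
}

// Walk through the cases: wrong token, expired token, valid token, reuse.
$now = time();
$token = issueResetToken($users, 'alice', $now);
var_dump(redeemResetToken($users, 'alice', 'wrong-token', 'n3w-passphrase', $now));
var_dump(redeemResetToken($users, 'alice', $token, 'n3w-passphrase', $now + 3600));
var_dump(redeemResetToken($users, 'alice', $token, 'n3w-passphrase', $now));
var_dump(redeemResetToken($users, 'alice', $token, 'n3w-passphrase', $now));
var_dump(password_verify('n3w-passphrase', $users['alice']['pw_hash']));
```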