Version 1.4 on the way...

[Chris Cromer]

I am trying to fix it, but am haveing trouble.

The problem is that, the password being sent to the e-mail address for some reason is not the same as the one that is in the member table... I don't know why it is doing this either. I don't know much about how the crypt function works so I beleive the crypt function is somehow tied into my problem.

[John R]

The encryption works pretty much the same way in PHP as it does in Perl.  As I understand it, the way it works with the SE scripts is that the password is encrypted and stored in the membertable.  When a user logs in, he enters the un-encrypted version of his password.  Once he has entered his password, the password is encrypted and compared to the password stored in the membertable.  If it matches, he is logged in otherwise you get the incorrect password error.

To answer your query, the password that is emailed should be the plain version of the encrypted version that is stored in the membertable.  It shouldn't be the same as what is stored in the membertable.

cheers........

[xtra]

I really think that storing encrypted passwords in a password protected database is useless and a waste of programming time. Protect only the password in cookies.

It's only a idea... I never protect them, because the database is already protected, so there isn't much sense on doing that. Is it?

[Hypocrite]

I really think that storing encrypted passwords in a password protected database is useless and a waste of programming time. Protect only the password in cookies.

It's only a idea... I never protect them, because the database is already protected, so there isn't much sense on doing that. Is it?

I don't want that admins see my passwords.

[Chris Cromer]

I wouldn't want them seeing my passwords either. Just because they are an admin, does not mean they wouldn't try something with your password.

[xtra]

Come on guys, this is a simple forum, not the FBI files or some hot shot database from an organization. Why should we bother with an encrypted password in a forum, when we buy stuff over the internet and send our credit card info to people we don't know...?

[Chris Cromer]

Listen would you trust me being able to see your password? I doubt anybody would but still it is just smart to encrypt them. This should not and probably will not be changed so everybody just shut up about it.

[Dude]

 
I want everything encrypted.
 
And one feature I think you need to add is an intelligence checker. Works like a spell checker only instead of correcting your spelling it removes all the dumb stuff and makes you sound smart.
 


Seriously, 1.4 is a bug fix with a few new features. Personally I was surprised at the number of bugs squashed.

[Jeff Lewis]

Using encrypted passwords only makes the application more secure.

Anyway, once Chris tackles that issue, I think I'm going to release 1.4...

[Mach8]

Okay listen up here's a real example as to why the passwords should be encrypted:

About 5 months ago, a friend of mine signed up on a forum running a rival's forum software which DID NOT encrypt passwords. he'd spent the day doing stuff in his online bank account, then for a break went to this forum. Everything seemed normal.

Then he went to the bank's site the next day and noticed a problem... he couldn't login. The fact he needed to check something urgently made him email the bank. It turned out someone had logged in using his details, and changed the password.

The only site he'd been on that MONTH apart from the bank site was the forum. He had a good firewall which blocked personal data from being sent, so packet sniffers would find it hard to get his password.
Although he could never prove it, he knew someone with authority on this forum must have obtained his password, found he'd come from the bank site, and logged in.

I never use the same password across multiple sites, simply because if that one password is found out, then one person can login to all those sites at once.

[Chris Cromer]

Alright, here is what I have:

Code Select Expand

      $pswd = $member['passwrd1'];
      $request = mysql_query("UPDATE {$db_prefix}members SET passwd='crypt($pswd,substr($pswd,0,2))' WHERE memberName='$user'");
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $pswd $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");
The only thing is it is sending a different password to the user than is being put into the table, any suggestions/ideas why?

[Neil Darlow]

I don't see how you can use the crypt function within the MySQL query like you are. I would expect you'd need to assign the crypted password to a PHP variable and put that variable into the query.

[Chris Cromer]

Well that is how the dev's did it in Profile.php, whether it is correct or not... I am not sure.

[sagacio]

I will be releasing a 1.4 version but am needing more information from you guys...

What bugs have popped up that we've needed to tackle?

Not really a bug, perhaps an enhancement to existing features... One of the things I was really hoping for was better control over group access to boards/categories.

For example, I have board Cat1 & Cat2, and custom labeled groups 1, 2, and 3.  I want custom group 1 to have user access to Cat1, group 2 to have moderator access to Cat1 (but not Cat2) and group 3 to have moderator access to Cat2 (but not Cat1).

Maybe I'm not looking deep enough, but I don't see a way to do this without a lot of unnecessary work, and without relying on "# of posts" ranks.

(Sorry if I've put this in the wrong area... Looked like the best place for it, since I figured it would be a code change.)

[Chris Cromer]

1.4 is for bug fixes. They will add new features to YaBBSE2.