I'm having trouble changing the login password. I use a hash and salt for my password. I can't change it in phpMyAdmin because it's a hash type of characters. Here's my
create_acc.php
<?php
include_once('config.php'); // defines $mysqli (the mysqli connection)
$email = $_POST['e-mail'];
$pass = $_POST['pass'];
// First round: plain SHA-256 of the submitted password (no salt yet)
$hash = hash('sha256',$pass);
// Salt: the first 3 hex characters of an md5 of a uniqid(), i.e. only 12 bits of entropy
function createSalt(){
    $text = md5(uniqid(rand(), true));
    return substr($text,0,3);
}
$salt = createSalt();
// Second round: SHA-256 of the salt concatenated with the first hash; this is the value stored in `pass`
$pass = hash('sha256',$salt.$hash);
$email = $mysqli->real_escape_string($email); //$mysqli is located at my config.php
// $pass and $salt are hex strings produced by hash(), so only $email needs escaping here
$query = $mysqli->query("INSERT INTO `login`(`email`,`pass`,`salt`) VALUES('$email','$pass','$salt')");
$mysqli->close();
header('location: login.html');
exit; // stop the script after the redirect so nothing else runs
?>
Any ideas on how I can create a change-password or forgot-password feature, just like in modern login systems today? Whenever you forget your password or want to change it, the server sends a link to your e-mail about changing your encrypted password?
No. Using phpMyAdmin you can only do some simple encryption like md5 and sha1. But you can do this in a tricky way: encrypt your password with any online service or with PHP, and then put your encrypted password into phpMyAdmin. That's it :)
You can use this same logic for actually resetting the password/assigning a new password. What you can do, in the simplest way, is create a password reset form and some URL (endpoint) that accepts (POST) requests consisting of the e-mail or username as input/data. Once you get that, you would typically send an e-mail to the user's address containing the URL that allows the user to reset the password. This part should create a unique token, which should be stored in the database of your choice. The e-mail sent to the user typically contains the token as part of the URL, and the token should ideally be removed as soon as the user visits, but your mileage and choice for deleting/keeping the token may vary according to the application and its users.

Once the user visits the URL sent for the password reset, you perform a lookup for the token, find which user wanted to reset the password if the token exists, and then just allow the user to input a password (& confirm password). Once the user hits Submit, you just pass the new password through the same password hashing function you use while creating a new user.

Oh, and you can do much better with your code. It looks like it comes from a few years back. It can be more secure and better written. I suggest checking the PHP manual for password hashing and prepared statements.
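The reset flow described in the answer above, written out as an added example; this is not code from the question or from either answer. It assumes the `login` table from the question, the `$mysqli` connection from config.php, a hypothetical `password_resets` table (`email`, `token_hash`, `expires_at`) that you create yourself, a hypothetical reset.php endpoint, mysqlnd for `get_result()`, and an assumed policy of 30-minute single-use tokens and an 8-character minimum password. It also takes the second answer's advice: the new password is stored with `password_hash()` through prepared statements, so the matching login check is included as well.

```php
<?php
// Added example, not from the original question or answers.
// Assumed schema: login(email, pass, salt) from the question, plus
// password_resets(email VARCHAR, token_hash CHAR(64), expires_at DATETIME).
declare(strict_types=1);

const RESET_TTL_SECONDS = 1800;   // assumed policy: links are valid for 30 minutes
const MIN_PASSWORD_LENGTH = 8;    // assumed policy

// Step 1: the "forgot password" form POSTs an e-mail address here.
// Returns the raw token to put in the e-mailed URL, or null if the address is
// unknown. The caller must respond identically either way, so the form cannot
// be used to enumerate registered addresses.
function issueResetToken(mysqli $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT 1 FROM `login` WHERE `email` = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $exists = $stmt->get_result()->num_rows > 0;
    $stmt->close();
    if (!$exists) {
        return null;
    }

    // 32 bytes from the CSPRNG. Only the SHA-256 of the token is stored, so a
    // read of the database (or a phpMyAdmin screenshot) does not yield usable links.
    $token = bin2hex(random_bytes(32));
    $tokenHash = hash('sha256', $token);
    $expires = date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS);

    // One outstanding token per account: any earlier one is replaced.
    $stmt = $db->prepare('DELETE FROM `password_resets` WHERE `email` = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->close();

    $stmt = $db->prepare(
        'INSERT INTO `password_resets` (`email`, `token_hash`, `expires_at`) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $email, $tokenHash, $expires);
    $stmt->execute();
    $stmt->close();

    return $token;
}

// Hypothetical endpoint; substitute your own host and path.
function resetUrl(string $token): string
{
    return 'https://example.com/reset.php?token=' . urlencode($token);
}

// Step 2: reset.php receives the token and the new password (after the form's
// confirm-password check). Returns true when the password was changed.
function consumeResetToken(mysqli $db, string $token, string $newPassword): bool
{
    if (strlen($newPassword) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    $tokenHash = hash('sha256', $token);

    $stmt = $db->prepare('SELECT `email`, `expires_at` FROM `password_resets` WHERE `token_hash` = ?');
    $stmt->bind_param('s', $tokenHash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return false;   // unknown or already-used token
    }

    // Delete the token before anything else so it is single-use even if the
    // update below fails or the user submits twice.
    $stmt = $db->prepare('DELETE FROM `password_resets` WHERE `token_hash` = ?');
    $stmt->bind_param('s', $tokenHash);
    $stmt->execute();
    $stmt->close();

    if (strtotime($row['expires_at']) < time()) {
        return false;   // expired: the user has to request a new link
    }

    // Same hashing as account creation should use: password_hash() chooses the
    // algorithm and generates its own salt, so the question's `salt` column is
    // no longer consulted by the login check below.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $email = $row['email'];
    $stmt = $db->prepare('UPDATE `login` SET `pass` = ? WHERE `email` = ?');
    $stmt->bind_param('ss', $hash, $email);
    $stmt->execute();
    $changed = $stmt->affected_rows === 1;
    $stmt->close();
    return $changed;
}

// Login check matching the new storage format (replaces the sha256/salt compare).
function verifyLogin(mysqli $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT `pass` FROM `login` WHERE `email` = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row !== null && password_verify($password, $row['pass']);
}

// Usage in the request handler, with $mysqli from config.php as in the question:
// $address = $_POST['e-mail'] ?? '';
// $token = issueResetToken($mysqli, $address);
// if ($token !== null) { mail($address, 'Password reset', resetUrl($token)); }
// echo 'If that address is registered, a reset link has been sent.';
```

Two design points worth noting: the table stores only the hash of the token, so anyone who can read the database (the same access that phpMyAdmin gives) still cannot forge a reset link; and the token row is deleted before the expiry check and the update, which is the "remove it as soon as the user visits" option the answer mentions. The existing accounts created by create_acc.php still hold the old sha256/salt values, so a real migration would also need a login path that recognises the old format and rehashes with `password_hash()` on the next successful login.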