Bad Password Part One


A year ago, I developed the login system for the Western Pennsylvania School f/t Deaf Alumni Association (WPSDAA) website. The login system is built with PHP server-side scripting and a MySQL database. I learned most of the scripts from the book Visual QuickPro Guide: PHP and MySQL for Dynamic Web Sites.

Last Wednesday, January 19th, I found out that I couldn't log in with my email account and password. It kept saying 'bad password', and I was puzzled by this. None of the alumni member users could log in either. I went to phpMyAdmin, the front-end for MySQL database administration, to see what was wrong and ran a test with this SQL query:

SELECT * FROM [table] WHERE email='[email name]' AND password=PASSWORD('[password]')

The query returned no result. Lastly, I tried a simple SQL query to compare my password with my login password:

SELECT PASSWORD('[password]')

The result: the encrypted password was very different from my encrypted login password. I suspected that the web host, ProHosting, had updated to a new version of the MySQL database and phpMyAdmin. I emailed them about this and they replied that it was all true. I was extremely angry about this, because there was no way I could solve the password situation for my two hundred sixty registered WPSDAA users. The MySQL password function turns a password into an encrypted password, so I can't see the users' secret passwords, and there is no way to decrypt them back to the original ones.

I went to the MySQL developer's reference manual web site to look for a different way to solve this problem. In the article on Encryption Functions, they said:

The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications.

I was angry again. I felt like I had screwed up the WPSDAA password login system. I took the PASSWORD() function from the Visual QuickPro Guide book, and I believe they made a bad choice in using the PASSWORD() function for my login system application.

I was forced to shut down the WPSDAA login system, to keep users from logging in or clicking 'forgot password' to get the old, bad password, which might make the problem worse. I have been thinking about how to solve this damn problem: keeping the users' records and changing the passwords without requiring anyone to register again.

On to part two...
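The mismatch described above, and one way to recover from it without asking anyone to register again, as an added example that is not code from this site or from the book. It assumes the host moved from a pre-4.1 MySQL (16-character PASSWORD() output) to 4.1 or later (41-character output); the page does not state versions, and the row layout, the `pbkdf2$` storage format and the iteration count are illustrative choices.

```python
import hashlib, hmac, os

def old_password(pw: str) -> str:
    """Pre-4.1 PASSWORD() (later OLD_PASSWORD()): 16 lowercase hex chars."""
    nr, nr2, add = 0x50305735, 0x12345671, 7
    for b in pw.encode():
        if b in b" \t":                  # this algorithm skips spaces and tabs
            continue
        nr ^= (((nr & 63) + add) * b + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += b
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def new_password(pw: str) -> str:
    """4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(pw)), 41 chars."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def kdf(pw: str, salt: bytes) -> str:
    # Salted, slow hash computed in the application, independent of the
    # database server version. Iteration count is an assumed setting.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000).hex()

def login(row: dict, pw: str) -> bool:
    """Check pw against row['password']; rehash legacy values on success."""
    stored = row["password"]
    if stored.startswith("pbkdf2$"):
        _, salt, digest = stored.split("$")
        return hmac.compare_digest(kdf(pw, bytes.fromhex(salt)), digest)
    # Legacy value written by PASSWORD(): pick the algorithm by stored length.
    legacy = old_password(pw) if len(stored) == 16 else new_password(pw)
    if not hmac.compare_digest(legacy, stored):
        return False
    # The user just proved knowledge of the password, so it can be re-stored
    # in the new format without a reset or a new registration.
    salt = os.urandom(16)
    row["password"] = "pbkdf2$%s$%s" % (salt.hex(), kdf(pw, salt))
    return True

if __name__ == "__main__":
    # Constructed sample row: value a pre-4.1 server stored for 'password'.
    row = {"email": "member@example.org", "password": old_password("password")}
    print("stored before upgrade :", row["password"])
    print("PASSWORD() after      :", new_password("password"))
    print("login ok              :", login(row, "password"))
    print("stored after login    :", row["password"][:23] + "...")
```

Rows still holding a 16- or 41-character value after a grace period belong to users who have not logged in since the change and can be handled by a reset email.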
