MySQL query error, I believe

Ok, so I have the following code. To some extent, it should work. It checks first if e-mail is in database, if found, it will reset the password to a random value from 1000 to 9999, and e-mail it. sendMail is a custom function, and works in other forms so it is not the faulty chunk of code here. I'm unsure about a couple of things, which I believe MIGHT cause the PHP errors below:

<?php 
define('INCLUDE_CHECK',true);

require 'connect.php';
require 'functions.php';
// Allowing MySQL Connection - Include_Check has to be TRUE

$email=$_POST['email'];
$email=mysql_real_escape_string($email);
$status = "OK";
$msg="";
if (!stristr($email,"@") OR !stristr($email,".")) {
$msg="Invalid E-Mail:<br>This address format is invalid!"; 
$status= "NOTOK";}

if($status=="OK") {  // If e-mail is valid, status stays the same: query time!
$query="SELECT email,usr FROM tz_members WHERE email = '$email'";
$st=mysql_query($query);
$recs=mysql_num_rows($st);
$row=mysql_fetch_object($st);
$em=$row->email;// Switching $email to $em for the query.
 if ($recs == 0) { // $recs is 0, that means that address doesn't exist. Tell the guy to register ? Yes plz.
// Display the message
 echo "We're sorry: We could not find your address in the database.<br>Click here to create an account!<br> <a href='register.html'>Register </a></center>"; 
exit; }

$pass = rand(1000,9999);
// Using the functions.php public: sendMail
send_mail(  'administrator@cod5showtime.url.ph',
                        $_POST['email'],
                        'Username: '.$row->usr,
                        'Password: '.$pass); 
mysql_query("UPDATE tz_members SET $row->pass = md5($pass)");
}
?>

Nearly forgot, this is the HTML form.

<form action="forgot.html" method="post">
<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p>
<input type="submit" name="submit" value="Reset" /></div>
</form>

Let me describe my issue: the e-mail is sent, with the $pass, but the Username in the e-mail (see the code to know what I refer to) is something like this: Username (5), which makes me think it doesn't pick the good username (name of column in MySQL is 'usr').

Finally, the update query has to be wrong too, as the password isn't updated in MySQL!

mysql_query("UPDATE tz_members SET $row->pass = md5($pass)");

That is the update query, I'm unsure why it doesn't work.

$query="SELECT email,usr FROM tz_members WHERE email = '$email'";

This is the query that should pick the usr and email if found in the database.

$row->pass is the PREVIOUS pass you retrieved from the database, which will be a simple md5 hash value. In other words, you're generating

... SET acbd18db4cc2f85cedef654fccc4a4d8 = md5(1234);

Don't know about you, but if I ever had a database table that used field names like that, I'd have to hunt down the schema designer and torture them to death.

You want

... SET pass=md5($pass)
        ^^^^---your table's password field

instead.

It should be:

mysql_query("UPDATE tz_members SET pass = md5('$pass') WHERE email = '$email'");

The name of the field you want to update is just pass, not $row->pass (which would be the old value of the password if you included that column in the SELECT list). And you need a WHERE clause, otherwise it will set everyone's password.

To update the password related to the email address, you must specify it:

// Hash inside the query; string values are quoted
mysql_query("UPDATE tz_members SET pass = md5('$pass') WHERE email = '$email'");
// Or hash in PHP first and pass the result in
$newhash = md5($pass);
mysql_query("UPDATE `tz_members` SET `pass` = '".$newhash."' WHERE `email` = '".$email."'");

Please update to MySQLi, MySQL isn't a function anymore in the future.
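
The fix the answers describe (a WHERE clause on the UPDATE, and moving off the old mysql_* functions), as an added example that is not code from any poster in this thread. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server (MySQLi prepared statements have the same prepare/bind/execute shape); rowsHitWithoutWhere() and resetPassword() are hypothetical helpers, and password_hash() and random_bytes() are swapped in for md5() and rand(1000,9999).

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs
// without a server; table and column names follow the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tz_members (usr TEXT, email TEXT UNIQUE, pass TEXT)');

// Constructed sample rows.
$seed = $db->prepare('INSERT INTO tz_members (usr, email, pass) VALUES (?, ?, ?)');
foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com'], ['carol', 'carol@example.com']] as [$usr, $email]) {
    $seed->execute([$usr, $email, password_hash('old-' . $usr, PASSWORD_DEFAULT)]);
}

// An UPDATE with no WHERE clause, as in the question, rewrites every row.
// Run inside a transaction and rolled back; only the row count is kept.
function rowsHitWithoutWhere(PDO $db, string $hash): int
{
    $db->beginTransaction();
    $stmt = $db->prepare('UPDATE tz_members SET pass = ?');
    $stmt->execute([$hash]);
    $n = $stmt->rowCount();
    $db->rollBack();
    return $n;
}

// Corrected reset (hypothetical helper): the e-mail is a bound parameter and
// the WHERE clause limits the change to one account.
// Returns [usr, temporary password], or null when the address is unknown.
function resetPassword(PDO $db, string $email): ?array
{
    $find = $db->prepare('SELECT usr FROM tz_members WHERE email = ?');
    $find->execute([$email]);
    $usr = $find->fetchColumn();
    if ($usr === false) {
        return null;
    }
    $temp = bin2hex(random_bytes(8)); // swapped in for rand(1000,9999)
    $upd = $db->prepare('UPDATE tz_members SET pass = ? WHERE email = ?');
    $upd->execute([password_hash($temp, PASSWORD_DEFAULT), $email]);
    if ($upd->rowCount() !== 1) {
        throw new RuntimeException('expected exactly one row to change');
    }
    return [$usr, $temp];
}

echo rowsHitWithoutWhere($db, 'x'), " rows changed without WHERE\n";
var_dump(resetPassword($db, 'bob@example.com') !== null);
var_dump(resetPassword($db, 'nobody@example.com'));
```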