I am working on a forgot password page. The page allows a user to submit email and then a temp password is assigned for the user to login and then update his/her password. The problem that I am having is that the forgot password page does not update the database with the random password so the user cannot login. Any help is much appreciated.

The problem is somewhere in the update password section. Here is the code:

<?php

	if(ereg("memberforgotpassword.php",$_SERVER['PHP_SELF'])){
		@header("Location:index.php");
		die("<script>window.location='index.php';</script>"); //js redirect backup
	}
	
	//if post => process form
	if(isset($_POST['email']) && $_POST['email'] != ""){
		$sql = sprintf("select email, password from members where email = '%s' ", mysql_real_escape_string($_POST['email'], $mysql->conn));
		$result = $mysql->exSql($sql) or die($mysql->debugPrint());	
		if(mysql_num_rows($result)>0){
			$row = mysql_fetch_assoc($result);
			
			function createRandomPassword() {
			    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
			    srand((double)microtime()*1000000);
			    $i = 0;
			    $pass = '' ;
			    while ($i <= 7) {
			        $num = rand() % 33;
			        $tmp = substr($chars, $num, 1);
			        $pass = $pass . $tmp;
			        $i++;
			    }
			    return $pass;
			}
			$password = createRandomPassword();
			$row['password'] = $password;
			
			//update password
			$sql = sprintf("update members set password = '$password' where email = '$email' and password = '$password'", mysql_real_escape_string($_POST['email'], $mysql->conn), mysql_real_escape_string (md5($_POST['password']), $mysql->conn));
			$mysql->exSql($sql) or die($mysql->debugPrint());;

			
			
			//Validate that admin email & member's email are valid
			if(validEmail($row['email']) && validEmail($settings['email'])){
				
				
				//send message
				$to = $row['email'];				
				$headers = sprintf("From: %s\r\nReply-To: noreply@%s\r\nX-Mailer: PHP/%s", $settings['email'], str_replace("www.","",str_replace("http://","",$settings['domain'])), phpversion());				
				$emailXtpl =  new XTemplate("emailmessages/forgotpassword.xtpl", SKIN);
				$emailXtpl->assign('row',$row);
				$emailXtpl->assign('settings',$settings);
				$emailXtpl->parse('main.subject');
				$emailXtpl->parse('main.body');
				$subject = $emailXtpl->text('main.subject');
				$message = $emailXtpl->text('main.body');
				
				if(@mail($to,$subject,$message,$headers)){
					$xtpl->parse('main.passwordsent');			
				}else{
					$xtpl->assign('error','Please contact webmaster [Failed to send message]');
					$xtpl->parse('main.forgotpassword.error');
					$xtpl->parse('main.forgotpassword');					
				}		
			}else{
				$xtpl->assign('error','Please contact webmaster [Invalid Email(s)]');
				$xtpl->parse('main.forgotpassword.error');
				$xtpl->parse('main.forgotpassword');			
			}

		}else{
			$xtpl->assign('error','Email address not found');
			$xtpl->parse('main.forgotpassword.error');
			$xtpl->parse('main.forgotpassword');
		}
	}else{
		$xtpl->parse('main.forgotpassword');
	}

?>

Your query is a total mess. Using sprintf() is handy in various languages, but as PHP is very flexible with strings, it is completely useless in SQL in my opinion. And if you are going to use it, use it correctly, consult the PHP manual (php.net).

Make it something more nicely put together, and add some comments ;)

Variables:
> $new_password :: The new password
> $old_password :: The old password
> $email :: The email address (used as username)

$query = "UPDATE members 
SET password='".$new_password."' 
WHERE email='".$email."' AND password = '".$old_password."'";

~G

Thank you for your help. I did not right this code. My username phpnewby says it all. The code above does not work for this script.

That is right, the code I provided needs to be implemented before it works.

If you are not the author of this code, and bought it from someone (or just copied it?), you can ask him to rewrite the code. The purpose of this forum is to help people to fix their problems by giving clues and advice, not to fix the problems for them.

~G

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.