Hello.

I created a little recovery page. Users enter their email and a random password is sent to them. The random password is successfully sent to their email, but when they log in with the new password it doesn't log them in. I think the new password does not get updated in my database. How do I fix this issue?

Here's the code:

if(isset($_POST['submit']) && $inLoggad == false){

    //storing the posted info in variables // anvandare or anvandarnamn means 'users' in swedish.

    $email = mysql_real_escape_string($_POST['email']);

    $exist = mysql_fetch_array( mysql_query("SELECT * FROM anvandare WHERE email='$email' LIMIT 1") );

    if($exist['email'] == $email){

        //creating a new generated password for the user, if the user has forgotten
        $newPwd = genPassword();
        $newHashPwd = md5($newPwd);

        //send the new generated password via email of the user
        $message = "Hello " . $exist['anvandarnamn'] . ". Your new password is: " . $newPwd;
        // each header line must end with CRLF, otherwise the headers run together
        $mailheader = "From: mySite\r\n";
        $mailheader .= "Reply-To: noreply@noreply.com\r\n";
        $mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";
        mail($exist['email'],  "mySite - Your new password has arrived!", $message, $mailheader) or die($fail = true); 

        //Updating the new password in the dB
        if($fail != true){
            mysql_query("UPDATE anvandare SET password='$newHashPwd' WHERE email='$email' ");
        }
    }else {
        $showErrors = true;
    }


}
elseif($inLoggad == true) {
    print '<script>window.location = "index.php"</script>';
}

?>

Thank you.

Have you confirmed the problem by using the process for your own "test" account?

I'll get back to you soon. Just busy with other commitments.

Debug it...

Try just running this statement:

mysql_query("UPDATE anvandare SET password='$newHashPwd' WHERE email='$email' ");

If that passes, something before it is stopping it from working. Just gotta figure out step by step what it is.

Here's my simplified method. Note: I would personally do more validation of the post['email'].

No need to LIMIT 1 - email should be unique.
No need to confirm email before, simply update.

// build the UPDATE with both values escaped
$query = sprintf("
    update anvandare
    set password = '%s'
    where email = '%s'
    ",
    mysql_real_escape_string($newHashPwd),
    mysql_real_escape_string($_POST['email'])
);

$rs = mysql_query($query);
// number of rows changed by the UPDATE
$rowsUpdated = mysql_affected_rows();

if ($rowsUpdated == 1) {
    // send your email
} else {
    // log the failure and/or check if email is valid
    // be aware: if the newHashPwd value is the same as the existing password, rowsUpdated will equal 0
}
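
The update-then-send order from the last answer, as an added example that is not code from any poster in this thread: it uses PDO prepared statements and `password_hash()` in place of `mysql_*` and `md5()`. The table and column names come from the thread; `resetPassword()` and `$fakeMail` are hypothetical names, an in-memory SQLite database stands in for the MySQL server, and a transactional storage engine is assumed.

```php
<?php
// Added example: table/column names are from the thread, function names are hypothetical.
// An in-memory SQLite database stands in for the MySQL server so the script runs offline.

function resetPassword(PDO $db, string $email, callable $sendMail): bool
{
    // 16 bytes from the CSPRNG, hex-encoded: a 32-character temporary password.
    $newPwd  = bin2hex(random_bytes(16));
    // password_hash() salts and stretches; the password column should be VARCHAR(255).
    $newHash = password_hash($newPwd, PASSWORD_DEFAULT);

    $db->beginTransaction();
    $stmt = $db->prepare('UPDATE anvandare SET password = :hash WHERE email = :email');
    $stmt->execute([':hash' => $newHash, ':email' => $email]);

    // Exactly one row must change; anything else means an unknown or duplicated email.
    if ($stmt->rowCount() !== 1) {
        $db->rollBack();
        return false;
    }
    // Send only after the update succeeded, and undo the update if delivery fails.
    if (!$sendMail($email, $newPwd)) {
        $db->rollBack();
        return false;
    }
    $db->commit();
    return true;
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE anvandare (anvandarnamn TEXT, email TEXT UNIQUE, password TEXT)');
$db->exec("INSERT INTO anvandare VALUES ('test', 'test@example.com', 'old')");

$sent = [];
$fakeMail = function (string $to, string $pwd) use (&$sent): bool {
    $sent[$to] = $pwd;   // stand-in for mail(): records the message instead of sending it
    return true;
};

var_dump(resetPassword($db, 'test@example.com', $fakeMail));   // known address
var_dump(resetPassword($db, 'nobody@example.com', $fakeMail)); // unknown address

$stored = $db->query("SELECT password FROM anvandare WHERE email = 'test@example.com'")->fetchColumn();
// The login page must check with password_verify(), not by comparing hash strings.
var_dump(password_verify($sent['test@example.com'], $stored));
```

The login script has to switch to `password_verify()` at the same time, since a `password_hash()` value never matches a hash recomputed from the submitted password.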