I have having a problem with a script I have wrote for resetting a members password

Basically it checks to make sure the user has entered all the fields in the reset form, then it checks that the email they have entered is the same one they login with, then it checks to make sure the new passwords match and finally updates the password in the table.

However when the script is run I always get the error message 'The email address you entered does not correspond to your account'

This is my form

<table name="reset">
		<form name="password" action="reset.php" method="post">
		<tr><td>email:</td><td><input type="text" name="email" value="current@email.com"/></td></tr>
		<tr><td>password:</td><td><input type="password" name="new_password"/></td></tr>
		<tr><td>Repeat your new password:</td><td><input type="password" name="confirm_password"/></td></tr>
		<tr><td><input type="submit" name="submit" value="Reset"</td></tr>

the php script is

if (isset($_POST['submit'])) {
			if(!$_POST['email'] | !$_POST['new_password'] | !$_POST['confirm_password']) {//makes sure the user has filled the form in
				die('You did not fill in a required field.');
			$emailCheck = "SELECT COUNT(*) as rowcount FROM users WHERE email = '".$_POST['email']."' AND id = '" . $SESSION['user_id'] . "'";//gives error if user doesnt exsist
			$checkResults = mysql_query($emailCheck);
			$checkCount = mysql_fetch_assoc($checkResults);
			if ($checkCount['rowcount'] == 0) {
				die('The email address you entered does not correspond to your account</a>');
			if ($_POST['new_password'] != $_POST['confirm_password']) {
				die('Your passwords did not match. ');//makes sure both passwords match
			$_POST['new_password'] = md5($_POST['new_password']);
			if (!get_magic_quotes_gpc()) {
				$_POST['new_password'] = addslashes($_POST['new_password']);
			else {
			$reset_password_sql = "UPDATE users SET password = '$_POST[new_password]' WHERE id = '" . $SESSION['user_id'] . "'";
			mysql_query($reset_password_sql) or die (mysql_error());
			echo "Your password has been updated";

Can anyone notice an error where it checks the email against the user id?

6 Years
Discussion Span
Last Post by lit108

| should be || (OR).

Sorry, I didn't scan the code properly, but are you sure that providing an email and username is sufficiently secure? As a rule, you'd want to send an url with a hashed security parameter to the user's e-mail account. The hash is then processed to allow the change of the password.

Edited by diafol: n/a


Its a basic system I am trying to make, I am not worried about the security aspect at the minute. Its just trying to get over this issue that I am having problems with

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.