Emailing a password from SQL database

gilizama

I have this lost password form. But when I test it, it doesn't send a password at all. I also understand that it resets a password, and then sends it to the user. But I don't want it to reset the password. I just want it to send the current password to the user. Can someone help me out on why it's not showing a password in the email, and if it does reset the password, how can you change it to where it doesn't reset a user's password.

Here's the script: lostpassword.php

<html>
<head>
<title>My Invoice</title>
<link rel="stylesheet" href="inc/style.css" type="text/css">
</head>
<body>

  <p><img src="inc/title.gif" width="308" height="82"></p>
  <blockquote> 
  <h1>Lost Password</h1>

<?php 
include("inc/config.php");
$connection = mysql_connect($hostname, $user, $pass) or die ("Unable to connect!");
?>

<?php
$action = $HTTP_GET_VARS['action'];

if(!$action)
{
?>

<p>&nbsp;</p>
<form name="form1" method="post" action="<?$PHP_SELF?>?action=yes">
  <table width="350" border="0" cellspacing="2" cellpadding="2" align="center">
	<tr>
	  <td><b>Username:</b></td>
	  <td>
		<input type="text" name="username">
	  </td>
	</tr>
	<tr>
	  <td><b>E-mail Address:</b></td>
	  <td>
		<input type="text" name="email">
	  </td>
	  <td>
		<input type="Submit" name="submit" value="Enter">
	  </td>
	</tr>
	<tr>
	  <td>&nbsp;</td>
	  <td>&nbsp;</td>
	</tr>
  </table>
</form>

<?php
}
else
{
	$username = $HTTP_POST_VARS['username'];
	$email = $HTTP_POST_VARS['email'];
	$query = "SELECT * FROM clients WHERE name = '$username' AND email = '$email'";
	$result = mysql_db_query($database, $query, $connection);
	if (mysql_num_rows($result) == 1)
	{
		$npass = $username;
		$usql = "update clients set password=PASSWORD('$username') where email='$email' and name='$username'";
		$uqry = mysql_query($usql);

	$subject = "Lost password for $username";
	$extra = "From: [email]host@hostingcompany.com[/email]\r\n";
	$recipient = "$email";
	$message = "Dear Customer,\n\n A new password for your username \"$username\" have been issued. Your new password is: \n$password\n Regards, \n$yourtitle";

	mail ($recipient, $subject, $message, $extra);

	echo("A new password have been issued and e-mailed to you.");
}
else
{
	echo("<font color='red' size='2' face='verdana'>Sorry! but there is no such username and e-mail combination in our member database.");
	exit();
}
}
?>

<?
include "inc/nav.inc";
include "inc/footer.inc";
?>
</body>
</html>
<!-- 
Copyright Notice:
This add-on created by [email]omair@omair-haroon.com[/email]. 

This script was written by Rob Minto, and is free for you to use. 
Any improvements, please email [email]rob@widgetmonkey.com[/email]. 
Keep software free. 
And please leave this copyright notice. Thanks.
-->

bpat1434

This changes the password:

$usql = "update clients set password=PASSWORD('$username') where email='$email' and name='$username'";

The reason the password never shows up, is because it's never retrieved. You need to execute one more query to get the new password.

SELECT password 
FROM clients 
WHERE name='$username' 
    AND email='$email'

Run that, grab the result, and display that where you want the password to be.

gilizama

Okay. Lemme try that. I'll post back. Thanks bpat!

gilizama

Okay, it's a whole bunch of numbers and all. I'm guessing it's that encrypted password thingy. How do I fix that?

bpat1434

heh.... you're setting the password to a hash of their username... just tell them to enter their username at the next login.