Php forgot password script

dm corporation Posts 327 Registration date Monday December 15, 2008 Status Member Last seen January 15, 2016 - Dec 19, 2013 at 02:58 PM
dm corporation Posts 327 Registration date Monday December 15, 2008 Status Member Last seen January 15, 2016 - Dec 20, 2013 at 05:35 PM
hello Everyone, my name is Marc Donald and I have a little problem with my forgot php script. In fact , I got the new random password in my mail but when I'm trying to login with that new password it does not work I don't know. I hope that I will found solution. Thanks
below is my code :
<?php include 'includes/header.php'; ?>
define('IN_SCRIPT', true);
// Start a session
include '../includes/settings.php';
if(isset($_SESSION['username']) == true )

header('location: index.php');

//Connect to the MySQL Database
include 'includes/settings.php';

//this function will display error messages in alert boxes, used for login forms so if a field is invalid it will still keep the info
//use error('foobar');
function error($msg) {


//This functions checks and makes sure the email address that is being added to database is valid in format.
function check_email_address($email) {
// First, we check that there's one @ symbol, and that the lengths are right
if(preg_match('#^(([a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+\.?)*[a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+)@(([a-z0-9-_]+\.?)*[a-z0-9-_]+)\.[a-z]{2,}$#i',$email)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if(preg_match('#^(([a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+\.?)*[a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+)@(([a-z0-9-_]+\.?)*[a-z0-9-_]+)\.[a-z]{2,}$#i', $local_array[$i])) {
return false;
if(preg_match('#^(([a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+\.?)*[a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+)@(([a-z0-9-_]+\.?)*[a-z0-9-_]+)\.[a-z]{2,}$#i', $email_array[0])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!preg_match("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
return true;

if (isset($_POST['submit'])) {

if ($_POST['forgotpassword']=='') {
error('Please Fill in Email.');
if(get_magic_quotes_gpc()) {
$forgotpassword = htmlspecialchars(stripslashes($_POST['forgotpassword']));
else {
$forgotpassword = htmlspecialchars($_POST['forgotpassword']);
//Make sure it's a valid email address, last thing we want is some sort of exploit!
if (!check_email_address($_POST['forgotpassword'])) {
error('Email Not Valid - Must be in format of name@domain.tld');
// Lets see if the email exists
$sql = "SELECT COUNT(*) FROM users WHERE email = '$forgotpassword'";
$result = mysql_query($sql)or die('Could not find member: ' . mysql_error());
if (!mysql_result($result,0,0)>0) {
error('Email Not Found!');

//Generate a RANDOM MD5 Hash for a password

//Take the first 8 digits and use them as the password we intend to email the user
$emailpassword=substr($random_password, 0, 8);

//Encrypt $emailpassword in MD5 format for the database
$newpassword = md5($emailpassword);

// Make a safe query
$query = sprintf("UPDATE 'users' SET 'password' = '%s'
WHERE 'email' = '$forgotpassword'",

mysql_query($query)or die('Could not update users: ' . mysql_error());

//Email out the infromation
$subject = "Your New Password";
$message = "Your new password is as follows:
Password: $emailpassword
Please make note this information has been encrypted into our database

This email was automatically generated.";
$site_name = 'xxx';
$site_email = 'xxx';
if(!mail($forgotpassword, $subject, $message, "FROM: $site_name <$site_email>")){
die ("Sending Email Failed, Please Contact Site Admin! ($site_email)");
error('New Password Sent!.');


else {
echo'<br /><br /><br /><br />';

echo' <form name="forgotpasswordform" class="" action="" method="post">
<div>Please enter your email address to get a new password</div><br />
<td>Email Address:</td>
<td><input name="forgotpassword" required="required" type="text" value="" id="forgotpassword" /></td>
<td colspan="2" class="footer"><input type="submit" name="submit" value="Submit" class="mainoption" /></td>

<?php include 'includes/footer.php' ?>

<?php ob_end_flush(); ?>

7 responses

Blocked Profile
Dec 19, 2013 at 05:27 PM
WOW, what a question.....Is this production, or beta?

If production, Who else is having this problem?

So, let me see, you have access to the script, but you are not certain where the script connects?

"$query = sprintf("UPDATE 'users' SET 'password' = '%s'
WHERE 'email' = '$forgotpassword'",

So, where does the USERS table reside? Either you are failing to connect, or you are failing to update the USERS table with the newly created password in the variable - $strforgotpassword.

So, I would troubleshoot by gaining access to the DB and seeing the index of USERS!

IS your DB being connected to? I notice in your code that you check for all sort of server side stuff, but not if the DB makes a valid connection. Maybe you might want to give feedback if DB is not connected to.

Also, the browser may be injecting ascii codes for characters, therfore never finding a match. Also, I would suggest not making changes based on the email, but get the user ID from the email, and change the QUERY based on the ID, and not the email. Just an idea.

Check the DB is ONline.

dm corporation Posts 327 Registration date Monday December 15, 2008 Status Member Last seen January 15, 2016
Dec 20, 2013 at 04:57 AM
Hello , Thank you ac3mark for your reply, I am not sure that I am failing to update because I saw that the password change in the DB. I would like follow your idea about get the user ID from the email but I don't know how to do it you know I am a big beginner in PHP. Thanks again
Blocked Profile
Dec 20, 2013 at 09:36 AM
No problem..before you try to update the password, get the id with a Query that says something like "SELECT [ID] FROM tblUSERS WHERE EMAIL = $somestring".

Store the return value in a variable called intID (int - integer so that your code will be uniform).

The record would look like:

So your query would return 845.

Now use your update to update the record with ID, and not the email:

Helpful note......

Do not store your password in the same table as your users. Make a seperate table that links ID with passwords, adn any other data you wish to store regarding password (last time loggged in, changed, ip of

Second note....I really hope you are not storing your password in the table as plain language. So if I were to gain access to the DB, I would be able to see that User ID of 849 has a password of "PASSWORDXYZ". You should use a HASH - One way crypto-so you run the PASSWORDXYZ through YOUR HASH.PHP and HASH.PHP turns that plain word into another encrypted word , (IE. #JIFDJS&SKSHUUHHHHGG&HHSBBUH*UHHHKAJS).

Now, when you get a password, see if the two HASH.PHP returns match, if they do, then the password is the same, and access is gained.

I have a VERY SIMPLE HASH in ASP, if you wish to use as a template. I will share with you if you understand the techniques that I am describing to you.

dm corporation Posts 327 Registration date Monday December 15, 2008 Status Member Last seen January 15, 2016
Dec 20, 2013 at 03:10 PM
Firstly Thanks for everything that you are doing for me, may God bless you. I will start with your indication and try it . Regarding to the password in DB I hashed by using sha1. Thanks you again . Please check your inbox I sent you a private message. thanks alot.

Didn't find the answer you are looking for?

Ask a question
dm corporation Posts 327 Registration date Monday December 15, 2008 Status Member Last seen January 15, 2016
Dec 20, 2013 at 04:08 PM
I tried what you shown me but still the same problem . My last request is can you please code one forgot password script for me ?
Blocked Profile
Dec 20, 2013 at 05:00 PM
Ok.... well one last question that was never answered; Is this production and broke, or beta and for a grade? If it is for your job and a production site is broke, I am concerned.

Let me know what situation it is?

I am going to tell you up front, I will not do homework....

You have to have echo statment and debuggin steps to break down each and every step in your code. Turn on a switch in your code that says "if I am in debugging, then display every ACK!"

Have fun....
dm corporation Posts 327 Registration date Monday December 15, 2008 Status Member Last seen January 15, 2016
Dec 20, 2013 at 05:35 PM
that's not a homework . Also they don't teach PHP in my School . it's for an attachement. Thanks I will do your last option to see what will happen