forgotten password

[Phases]

I've done an aweful lot of searching around these forums and reading all the threads on forgotten passwords.

There seems to be several different ways to do it, and there's only one way that I'm comfortable with and seems abuse-proof. And that is this method:

Click "forgot password?" link.
Fill in your username and and email.
Username and email are cross checked and if they match:
Email is sent with a link to click.
If not clicked, no change
If clicked, you are asked for the new password (twice).
New password is encrypted and all is well.

The problem with this is, well to be realistic, I'm pretty darn new to this and have no clue where to start. I have the page made asking for the username and email. I'm sure I can handle the cross checking, that's just doing a query and telling it to look for the email in row (whatever username they put in) and if it matches the email they put in, then go on, right?

Next is where I'll get lost. How do I have it email a random link to give them the option to basically 'update' their password? I imagine I need to add a new column in my table to begin with.. but..

Is anyone already using this particular way already?

[reminder]

PHP Code:

$mailret = $_POST["mailret"];
$ret = mysql_query("SELECT * FROM adm_user WHERE email = '$mailret'");
$row = mysql_fetch_row($ret);
$username = $row['1'];
$name = $row['3'];
function randname($name) {
$str .= substr(md5(rand($name)), 0, 7);
return $str;
}
function randusername($username) {
$str .= substr(md5(rand($username)), 0, 7);
return $str;
}
$key = randname();
$key2 = randusername();
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "To: ".$mailret."\r\n";
$headers .= "From: me <me@you.net>\r\n";
$message = "New username and password for ".$row['3']." ".$row['4']."<br>";
$message .= "Username:&nbsp;".$key2."<br>";
$message .= "Password:&nbsp;".$key;
$subject = "New password";
mail($mailret, $subject, $message, $headers);
$newpass = md5(randname());
$newuser = randusername();
if($mailret == $row['2']) {
mysql_free_result($ret);
if(!empty($_POST["mailret"])) {
$ret = mysql_query("UPDATE adm_user SET username = '$newuser', password = '$newpass' WHERE email = '$mailret'");
echo "Success!";
} else {
echo "The field is empty! Go back";
}
} else {
echo "The email is invalid! Go back";
} 


cheers

[Phases]

Thanks for the reply reminder

Not sure what exactly that is, or how much of the process that covers. But I've only looked over it a couple times.

Does that randomly generate a new password AND a new username?

[reminder]

this module cover all the process

[Phases]

I'm not sure but that doesn't appear to be what I need. That looks like it generates a random password and a random username?

I just want it to ask for your username and email, if the info is correct, for it to email you a link you click, that then lets you choose your own new password.

hmm..

[reminder]

i dont suggest this couse there can be easy hacks

[Phases]

There can? That seems foolproof..

It emails to the registered email addy, and gives the user the option to change it. Unless someone has access to their email account, I don't see how it can be tampered with?

Dernit!

[reminder]

so i see the link...then go to link...then with the email of my friend i enter....
bad thing my friend

[Phases]

But it will just email him a link asking if he wants to change his password, and if so, click here.

Unless you can get into his email account, only he can change his password.

[reminder]

someone can see it at the act of changing password!
or if i know another who use your site i enter with his email.....
end so on...end so on.....
easy hacks