E-Mail Password Reminder

Hi guys,

Well, from what it looks like everything in my coding seems to be working except the part where the reminder e-mail is sent. Can someone maybe tell me what I am missing, or doing wrong here?

<?php 
$con = mysql_connect("localhost","root","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
   mysql_select_db("csops", $con); 
?>

<form method="post" action="password_reminder.php">

<h1>E-mail Password Reminder</h1>

<p>
 Forgot your password? Just enter your e-mail address, and we'll e-mail
 your password to you!
</p>

<p>
 E-mail Address:<br />
 <input type="text" id="e-mail" name="e-mail" />
</p>

<p>
 <input type="submit" class="submit" name="action" value="Send my reminder!" />
</p>
</form>


 <?php
$con = mysql_connect("localhost","root","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }  
 mysql_select_db("csops", $con); 

   if (isset($_POST['e-mail'])) {
    $sql = "SELECT password FROM userinfo " .
        "WHERE email_address='" . $_POST['e-mail'] . "'";

    $result = mysql_query($sql,$con)
     or die('Could not look up password; ' . mysql_error());

    if (mysql_num_rows($result)) {
     $row = mysql_fetch_array($result);

     $subject = 'Call Tracker Password Reminder';
     $body = "Just a reminder, your password for the " .
         "Call Tracker site is: " . $row['password'] .
         "\n\nYou can use this to log in at http://" .
         $_SERVER['HTTP_HOST'] .
         dirname($_SERVER['PHP_SELF']) . '/';

     mail($_POST['e-mail'],$subject,$body)
      or die('Could not send reminder e-mail.');
    }
   }
   redirect('login.php');
   break;
   
?>

Your best bet is to use a library such as PHPMailer or Swift (I prefer Swift). They will let you make HTML e-mails very easily.

One other thing, you should escape the email input before putting it in the query:


$sql = "SELECT password FROM userinfo " .
        "WHERE email_address='" . $_POST['e-mail'] . "'";

What would happen if I entered the following as email?


test@example.org' OR '1' = '1

That would return every row in your table :o
Sending the email would probably fail, but it’s not very secure.

Here’s a better version:


$sql = "SELECT password FROM userinfo " .
        "WHERE email_address='" . mysql_real_escape_string($_POST['e-mail']) . "'";

Now the email is passed through mysql_real_escape_string, which will escape the apostrophes the naughty user entered. :slight_smile:

Ok, I solved my problem. I was an idiot, my php.ini file wasn’t configured to send mail. But now that I have sorted that out, how can I make the password reminder email an HTML email so that I can make it look nice?

Note that it’s generally not a very good idea to store passwords in the database in plain text, because people tend to use the same password on different websites. So if I know someone that is a user on your website, and I somehow manage to get my hands on your database, and thus their password, I might use that password to log in to other sites they’re members of, including possibly their bank account!

It would be better to store the password as a hash (eg md5 or sha1) and then hash the password they entered when logging in and compare the result to the hashed password in the database. That way you know they entered the correct password without the need to know what their password actually is.

When a user forgets their password you can just generate a new one at random, e-mail that to them, and store the hash of that password in the database.
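The scheme described above (store a hash, compare on login, issue a random password on reset), as an added example that is not part of the thread. It assumes PHP 7.1+ with PDO and uses `password_hash()`/`password_verify()` and bound parameters in place of the md5/sha1 and `mysql_real_escape_string` named in the posts; the SQLite in-memory database, the function names and the sample row are constructed for illustration.

```php
<?php
// Added example. Table and column names follow the thread; the in-memory
// SQLite database and sample row are constructed so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (email_address TEXT PRIMARY KEY, password TEXT)');

// Store only a salted hash of the password, never the password itself.
function set_password(PDO $db, string $email, string $plain): void {
    $stmt = $db->prepare('UPDATE userinfo SET password = ? WHERE email_address = ?');
    $stmt->execute([password_hash($plain, PASSWORD_DEFAULT), $email]);
}

// Login: fetch the stored hash and let password_verify() do the comparison.
function check_login(PDO $db, string $email, string $plain): bool {
    $stmt = $db->prepare('SELECT password FROM userinfo WHERE email_address = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($plain, $hash);
}

// Forgotten password: generate a random replacement, store its hash and
// return the plain value so the caller can e-mail it. Null if no such user.
function reset_password(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT 1 FROM userinfo WHERE email_address = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $new = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    set_password($db, $email, $new);
    return $new;
}

// Constructed sample user.
$db->prepare('INSERT INTO userinfo VALUES (?, ?)')
   ->execute(['test@example.org', password_hash('old-secret', PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'test@example.org', 'old-secret'));

// The input quoted earlier in the thread is bound as data, so it matches no row.
var_dump(reset_password($db, "test@example.org' OR '1' = '1"));

// After a reset the new password logs in and the old one no longer does.
$new = reset_password($db, 'test@example.org');
var_dump(check_login($db, 'test@example.org', $new));
var_dump(check_login($db, 'test@example.org', 'old-secret'));
```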

Can you tell us what the problem is?
“Doesn’t work” is a bit vague :slight_smile:

google html email php, lots of examples

Well, it seems to process all the code and returns my error at the end of my code “Could not send reminder e-mail”. So it seems as if everything is running except for the e-mail being generated and sent to the user.

Sorry I need to learn to be a little more specific on these :eye: