Forgot Password

I am writing a login form with php and mysql. Everything is done except the forgot password. The users puts his email and then gets a confirmation link on his email, but when he click on the confirmation an error ocurrs. Pleaseee help its urgent.

this is the mail function

	function forgot_pass($confirm_code, $email){
				$mail = new PHPMailer(true);
				$mail->isSMTP();                            // Set mailer to use SMTP
				$mail->Host = '';             // Specify main and backup SMTP servers
				$mail->SMTPAuth = true;                     // Enable SMTP authentication
				$mail->Username = '';          // SMTP username
				$mail->Password = 'password'; // SMTP password
				$mail->SMTPSecure = 'tls';                  // Enable TLS encryption, `ssl` also accepted
				$mail->Port = 587;                          // TCP port to connect to
				$mail->SMTPOptions = array(
					'ssl' => array(
					'verify_peer' => false,
					'verify_peer_name' => false,
					'allow_self_signed' => true
				$mail->Subject = "Welcome ot MovieFox";
				$mail->Body = "Your Comfirmation link is http://localhost/moviefox/reset.php?email='.$email.'&confirm='.$confirm_code;)";
				return $mail->send();

This is the reset.php, which has to be executed after the users clikes his confirmation link

          /* The password reset form, the link to this page is included
         from the forgot.php email message
       require 'db.php';
      // Make sure email and hash variables aren't empty
      if( isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['confirm']) && !empty($_GET['confirm']))
           $email = $mysqli->escape_string($_GET['email']); 
          $confirm_code = $mysqli->escape_string($_GET['confirm']); 

    // Make sure user email with matching hash exist
    $result = $mysqli->query("SELECT * FROM `users` WHERE `email`='$email' AND `confirm`='$confirm_code'");
    echo $email;
    if ( $result->num_rows == 0 )
        $_SESSION['message'] = "You have entered invalid URL for password reset!";
        header("location: error.php");
else {
    $_SESSION['message'] = "Sorry, verification failed, try again!";
    header("location: error.php");  
    <div class="form">

      <div class="tab-content">

         <div id="login"> 
         <h1>Change your password</h1>
          <form action="confirmpass.php" method="post" autocomplete="off">

            <input type="password" required autocomplete="off" name="newpassword" placeholder="New Password"/>
            <input type="password" required autocomplete="off" name="confirmpass" placeholder="Confirm new password"/>
          <!---<p class="forgot"><a href="forgot.php">Forgot Password?</a></p>-->
           <!-- This input field is needed, to get the email of the user -->   
           <input type="hidden" name="email" value="<?= $email?>">    
           <input type="hidden" name="confirm" value="<?= $confirm_code ?>"> 
          <button class="btn btn-block btn-primary" name="submit" />Submit</button>


      </div><!-- tab-content -->
</div> <!-- /form -->
  <script src=''></script>
    <script src="js/index.js"></script>


And this is the confirmpass.php which has to be executes after the reset.

         /* Password reset process, updates database with new user password */
         require ("db.php");

        // Make sure the form is being submitted with method="post"
       if ($_SERVER['REQUEST_METHOD'] == 'POST') { 

    // Make sure the two passwords match
    if ( $_POST['newpassword'] == $_POST['confirmpass'] ) { 

        $new_password = password_hash($_POST['newpassword'], PASSWORD_BCRYPT);
        $confirm_code = $mysqli->escape_string($_POST['confirm']);
        $email = $mysqli->escape_string($_POST['email']);
        $result = "UPDATE `users` SET `password`='$new_password', `confirm`='$confirm_code' WHERE `email`='$email'";

        if ( $mysqli->query($result) ) {
            header("location: login.html");    

    else {
        $_SESSION['message'] = " The two passwords you entered don't match, try again!";
        header("location: error.php");    

And what is the error that occurs, and where in the code is it occurring?

Should this string be like this?

$mail->Body = "Your Comfirmation link is http://localhost/moviefox/reset.php?email='.$email.'&confirm='.$confirm_code;)";

You’ve opened the string with double quotes, then put single quotes and a dot around the variables, then a semi-colon and a close-bracket at the end. Surely that will mean the link is wrong?

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.