I am trying to create a forgot password page. I have heard that it is not a good idea to send the original password to the user via email so I am trying to create a random confirmation password that they can use to log into their account and later change the password to whatever they want. So far the problem is it is saying the users email is not in the database when in fact it is. Also, should I update the database to store the random password or will the way I have it work? My database has the tables username, fristname, email, and password. I am asking the user for their email address in a html form then sending it to this php form. This is my first time attempting to do this so it might have a lot of errors, but I found a tutorial to help some so it shouldn't. Thanks for the help.

<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Sending Password</title>
    </head>
    <body>
        <?php
      $db_server = "server";
       $db_username = "name";
       $db_password = "pass";

       $con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
                {
                    die('Could not connect: ' . mysql_error());
                }

               $database = "Test_Members";  

              $er = mysql_select_db($db_username);
        if (!$er) 
        {
         print ("Error - Could not select the database");
         exit;
        }        

        //include "session.php";


function createRandomPassword() {



    $chars = "abcdefghijkmnopqrstuvwxyz023456789";

    srand((double)microtime()*1000000);

    $i = 0;

    $pass = '' ;



    while ($i <= 7) {

        $num = rand() % 33;

        $tmp = substr($chars, $num, 1);

        $pass = $pass . $tmp;

        $i++;

    }
    return $pass;

}

$password = createRandomPassword();
$password =$_P0ST['password']; 
      $email = $_P0ST['email']; 

        $tbl_name=Account_Holders;


        $sql="SELECT password FROM $tbl_name WHERE email='$email'";
        $result=mysql_query($sql);

        // if found this e-mail address, row must be 1 row
        // keep value in variable name "$count"
        $count=mysql_num_rows($result);


        // compare if $count =1 row
        if($count==1){

        $rows=mysql_fetch_array($result);

        // keep password in $your_password
        $your_password=$rows['password']; //will this replace the users password with the random one? That is what I am attempting to do here. 

        // send e-mail to ...
        $to=$email;

        // Your subject
        $subject="Your Password";

        // From
        $header="from: Feed The Students";

        // Your message
        $messages= "Your password for login to our website \r\n";
        $messages.="Your password is $your_password \r\n";
        $messages.="Please change this password for security reasons. Thank you. \r\n";

        // send email
        $sentmail = mail($to,$subject,$messages,$header);

        }

        // else if $count not equal 1
        else {
        echo "Sorry we did not find your email in our database.";
        }

        // if your email succesfully sent
        if($sentmail){
        echo "Your password has been sent to your email address.";
        }
        else {
        echo "We can not send your password at this time.";
        }



        ?>


    </body>
</html>

First of all, you shouldn't be storing the users' passwords in your database - not in cleartext, anyways. I'm going to address this before addressing the password reset problem since they're connected.

A common technique is to transform the password using a one-way hash algorithm with a salt (see Wikipedia Definition of Salt for more info), and then when users attempt to login, to perform the same encryption and compare the hashes.

To make things even more complex, try changing the salt on every hash.

Here's a step-by-step method that I use:

1. User creates password (via a registration form)

2. A function creates a random salt and then encrypts the password, in this case, using SHA256 algorithm and using a randomly created salt.

   $password_salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

   $password_hash = hash('sha256', $salt . $password);

3. Save the $password_hash and the $password_salt to the users table. These will be used later to authenticate the user when they attempt to login in the future.

4. When the user logs in, check the username/email/login and if found, grab the hash and salt from the users table and compare the password hash from the db to the hash returned from performing the same function on what they entered as their password.

   $salt = $user_record['password_salt'];

   $entered_hash = hash('sha256', $salt . $entered_password);

In the case above, if $entered_password_hash == $user_record['password_hash'] ($user_record, being what comes from your db) then the password is validated.

Note To make things more complex, I actually store the password hash and the salt in the same field in the db. You can concat them together, one way or the other so if your database is compromised, the password field is effectively useless for retrieving user passwords.

Now when you want to address forgotten passwords, you can create a random password but that's still going to be emailed to the user, which isn't a good idea, even for a temporary password. I would suggest emailing the user a link to click, leading them to a password reset page. Here are a few steps for that process:

1. Create an email_authentication table with two columns - userid and key. This will contain information which will associate ids of users with a randomly generated key.
2. Create a page (ex: reset.php) which expects a URL parameter ($k for example) and then looks for the parameter in the email_authentication table. If a matching record is found in the table, delete the record, and redirect to a page which will allow the password for the userid in the same record.
3. User forgets their password, clicks the Forgot Password link and enters their correct email address.
4. Record is created in email_authentication table containing their userid and a random string (32 or so characters long) is generated for the key (ex: 'r4nd0mstr1ng')
5. Email the user a link to the page you created in Step 2 with the key generated in the urlstring. (ex: http://foo.com/reset.php?k=r4nd0mstr1ng
6. User clicks the link in the email, the script in reset.php looks up 'r4nd0mstr1ng' in the email_authentication table and finds it associated with a userid and they're redirected to a form which allows them to reset their password.
7. When the password is reset, don't save it cleartext!!

For more info (and probably a better explanation of the password hashing technique, have a look at This post by HeyBigName. It's based on CodeIgniter, but the functions contained are universally applicable.

I suggest: 1 - The user click forgot pass, and write the username and/or email. You check if username and/or email exists on your database, if true, generate a random code and store it on your database. 2 - Send the user a email with a link like: wwww.yourwebsite.com/forgot?recovery=CODEGENERATED 3 - The user click the link, and you check if the code exists on your DB, if true, show a form to fill the new password. The user fill, and your save ate DB. 4 - Done.

An question: Why you request the user to fill the password field, if he don't have the password?

$password =$_P0ST['password']; 

And, why not use:

$your_password = createRandomPassword();

instead:

$your_password=$rows['password'];

And, why these two lines:

$password = createRandomPassword();
$password =$_P0ST['password']; 

The first generate a new password, but you set the value posted on the same variable..

A few problems to note:

1. Right after you create your $password variable with createRandomPassword() you overwrite it with the value in $_POST['password'].

2. You need to put quotation marks around your assignment of $tbl_name, ie:

   $tbl_name = "Account_Holders";

   That's probably why you're not finding the user's email in the db.

3. If you're going to email a new password to the user then you will want to update that in the database so that when they go to log in with the new password it will match what's in the db. In order to do that you need to use an update statement:

   UPDATE Account_Holders SET Password = '$password' WHERE Email = '$email';

Note: It's generally not a good idea to store passwords in a database unencrypted. What's typically done is the password is first encrypted and then stored in the db that way. When you go to validate the user's login credentials, encrypt the password they send with the same encryption algorithm and compare against what's in the database.

So far the problem is it is saying the users email is not in the database when in fact it is.

As far as I can see there is nothing wrong with your query but not putting your $tbl_name value in quotes probably isn't helping. Also, have you doubled checked the name attribute on the email input is definitely email too and that it all matches up correctly?

Also, should I update the database to store the random password or will the way I have it work?

The way I usually do it is like this, when they request a new password, generate a token along with their user id and email. Send them an email with a link, something like the following:

example.com/reset/?id=THERE_ID&token=RANDOM_TOKEN

Then on that page check they match up and if it does, let them enter a new password.

I have heard that it is not a good idea to send the original password to the user via email

In all honesty, you shouldn't even be storing raw passwords in your db anyway, you want to look up things like hash_hmac and password salts - there should be other links somewhere on those types of pages for you to figure it all out with the tutorials/examples.

And as a final note, always validate your user input (regex for example), since you're using mysql_query you always want to be escaping inputs too with mysql_real_escape_string - a preferred method for querys is to use prepared statements, these are very good to stop accidents such as little bobby tables coming to your site.