-2

I have this code for my forgotten password form, but it does not work, can anybody see the error(s)? It just comes up with a blank screen and does nothing. I have tried everything, but cannot make it work. Thanks

    <?php
    $host="localhost"; // Host name
    $username="admin"; // Mysql username
    $password=""; // Mysql password
    $db_name="members"; // Database name
    $tbl_name="members"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Define $myusername and $mypassword
    $myemail=$_POST['myemail'];

    $sql="SELECT * FROM $tbl_name WHERE email='$myemail'";
    $result=mysql_query($sql);
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    $email = $_P0ST['email'];

    function createRandomPassword() {
        $chars = "abcdefghijkmnopqrstuvwxyz023456789";
        srand((double)microtime()*1000000);
        $i = 0;
        $pass = '' ;
        while ($i <= 7) {
            $num = rand() % 33;
            $tmp = substr($chars, $num, 1);
            $pass = $pass . $tmp;
            $i++;
        }
        return $pass;
    }

    if($count==1){
    $newpassword=createRandomPassword();
    $encrypted_mypassword=md5($newpassword);
    $sql="UPDATE members SET password= ('$encrypted_mypassword') WHERE email = ('$myemail')";
    $run=mysqli_query($sql);

    $to = "$myemail";
    $subject = "Your Password";
    $messages="Your password for accessing to our website \r\n";
    $messages="Your password is $encrypted_mypassword \r\n";
    $messages="Please change this password for security reasons. Thank you. \r\n";
    $from = "info@.co.uk";
    $headers = "From:" . $from;
    mail($to,$subject,$messages,$headers);
    echo "Mail Sent.";

4 Answers

1

Can you try this: $sql="UPDATE members SET password='$encrypted_mypassword' WHERE email = '$myemail' "; $run=mysql_query($sql); You have used mysqli_query; that is the reason.

    $host="localhost"; // Host name
    $username="admin"; // Mysql username
    $password=""; // Mysql password
    $db_name="members"; // Database name
    $tbl_name="members"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Define $myusername and $mypassword
    $myemail=$_POST['myemail'];

    $sql="SELECT * FROM $tbl_name WHERE email='$myemail'";
    $result=mysql_query($sql);
    // mysql_num_rows counts the matching rows
    $count=mysql_num_rows($result);
    $email = $_POST['email'];

    function createRandomPassword() {
        $chars = "abcdefghijkmnopqrstuvwxyz023456789";
        srand((double)microtime()*1000000);
        $i = 0;
        $pass = '' ;
        while ($i <= 7) {
            $num = rand() % 33;
            $tmp = substr($chars, $num, 1);
            $pass = $pass . $tmp;
            $i++;
        }
        return $pass;
    }

    if($count>0){
        $newpassword=createRandomPassword();
        $encrypted_mypassword=md5($newpassword);
        $sql="UPDATE members SET password='$encrypted_mypassword' WHERE email = '$myemail' ";
        $run=mysql_query($sql);

        $to = "$myemail";
        $subject = "Your Password";
        // Append with .= so each line is kept instead of overwriting the previous one
        $messages="Your password for accessing to our website \r\n";
        // Send the generated password, not its MD5 hash, so the user can log in with it
        $messages.="Your password is $newpassword \r\n";
        $messages.="Please change this password for security reasons. Thank you. \r\n";
        $from = "info@.co.uk";
        $headers = "From:" . $from;
        mail($to,$subject,$messages,$headers);
        echo "Mail Sent.";
    }
Krish R
1

It just comes up with a blank screen and does nothing

As you have an echo at the end of the script, but are getting a blank screen and no message, this more than likely points to a PHP error (which will halt the script, and is why you get a blank page).

You need to access your error log file, usually in /var/log/apache2/error.log.
You should be accessing this file regularly when developing PHP anyway to check for errors, mistakes and problems from PHP warnings and notices.

I suspect the error is simply a missing close of this:

    if($count==1){

You open it with { but do not close it with }.
Put } after your echo "Mail Sent."; and that problem will be gone. Leaving only the remaining issues:

Echoing "echo "Mail Sent.";" at the end of your script does not mean the email was sent. Something might have gone wrong somewhere, so check if the email was sent, and echo a relevant statement to the outcome.

Such as:

    if (mail($to,$subject,$messages,$headers))
      {
        echo "Mail Sent.";
      }
    else
      {
        echo "Something went wrong";
      }

You can do a bit better than that, but it gives you the idea, as just echoing "email sent" is misleading and you will trust the script is working even if something failed.

You also really need to read about user input validation and MySQL sanitization, as trusting the variables before you insert or select or delete (anything) with the database introduces a very real security issue.
A starter read can be found here:
How can I prevent SQL injection in PHP?

md5() is no longer a secure method for encrypting passwords. See here for the main reason and also ideas of the current best practice, such as "crypt()":
http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

James
0

Besides the fact that you should use prepared statements, and you should use a secure way to store passwords [i.e. not md5], $_P0ST should be $_POST.

moonwave99
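
The advice in the answers above (prepared statements, a real password hash instead of md5(), checking that the mail was actually sent) combined in one example. It is added here and is not code from the question or from any answer; it assumes PHP 7+ with PDO, uses an in-memory SQLite table with constructed data in place of the MySQL members table, and generatePassword(), resetPassword() and $fakeMail are hypothetical names.

```php
<?php
declare(strict_types=1);

// Same alphabet as the question, but drawn with random_int() (OS CSPRNG)
// instead of rand() seeded from microtime().
function generatePassword(int $length = 12): string
{
    $chars = 'abcdefghijkmnopqrstuvwxyz023456789';
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $pass;
}

// $sendMail is any callable taking mail()'s first three parameters (hypothetical hook).
function resetPassword(PDO $db, string $email, callable $sendMail): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $newPassword = generatePassword();
    // Placeholders keep the posted value out of the SQL text entirely.
    $stmt = $db->prepare('UPDATE members SET password = :hash WHERE email = :email');
    $stmt->execute([
        ':hash'  => password_hash($newPassword, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
    if ($stmt->rowCount() !== 1) {
        return false; // unknown address: nothing updated, nothing sent
    }
    $body = "Your new password is $newPassword\r\n"
          . "Please change this password for security reasons. Thank you.\r\n";
    return (bool) $sendMail($email, 'Your Password', $body);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL members table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (email TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO members VALUES ('alice@example.com', 'old-hash')");

$outbox = [];
$fakeMail = function (string $to, string $subject, string $body) use (&$outbox): bool {
    $outbox[] = [$to, $subject, $body];
    return true;
};

var_dump(resetPassword($db, 'alice@example.com', $fakeMail));   // known address
var_dump(resetPassword($db, "o'brien@example.com", $fakeMail)); // quote is plain data; no such member
```

The login code must verify with password_verify() against the stored hash rather than comparing md5() strings. A time-limited reset link avoids putting a password in e-mail at all.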
0

This brace

    if($count==1){

is never closed.

Aioros
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – MZimmerman6 Dec 09 '13 at 18:00
  • Well, actually he stated that "it comes up with a blank screen and does nothing", and "can anybody see the error(s)?". The reason for the blank screen is a syntax error, and I think it's the one I pointed out here. James' answer here is obviously better than mine, but I don't see the point of your critique. – Aioros Dec 10 '13 at 08:39