[c9-adams]

Hi guys,

I have recently created a website so that I can practice users registrations and user logins. Ive been successful with this however I now want to create a system whereby if a user forgot their password and wanted to find their password then the system would require the users username, would then check the password matched with the username in the mysql database and would then send the user an email with their password:

This is what I have tried so far however I keep getting an error message "Warning: mail() [function.mail]: Failed to connect to mailserver at "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini or use ini_set()" and does not send any email:

<!Doctype html>
<html>
<head>
<title>
Forget Password
</title>
<LINK REL=StyleSheet HREF="style.css" TYPE="text/css" MEDIA=screen>
<body bgcolor="#872588" id="background">
</head>
<body>
<CENTER><img src="banner.png" alt="logo" id="logo"></CENTER>
<div id="navigation">
<ul>
<li><a href="home.html" id="child"><b><font style="Alan Den">Home</font></b></a></li>
<li><a href="about.html"><b><font style="Alan Den">About Stress?</font></b></a></li>
<li><a href="beat.html"><b><font style="Alan Den">Beating stress?</font></b></a></li>
<li><a href="enquiry.html" id="parent"><b><font style="Alan Den">Contact us!</font></b></a></li>
</ul>
</div>
</br>
<div id="box201">
<form name="forgot" method="post" action="<?php $_SERVER['PHP_SELF'];?>">
<h1><font color="pink">Forget Password Form</font></h1>
<p><font color="white">(Please fill in your username which you used to register with when registering on to this website.)</font></p>
<p><label for="username">Username:</label>
<input name="username" type="text" value="" />
</p>
<br>
<input type="submit" name="submit" value="submit"/>
<input type="reset" name="reset" value="reset"/>
</form>
</div>
<?php
if(isset($_POST['submit']))
{
mysql_connect("localhost", "root", "Fatiuma1234") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

$username = $_POST['username'];
$sql = "SELECT `email`, `password` FROM `users` WHERE `username` = '$username'";
$query = mysql_query($sql);

if(!$query) 
    {
    die(mysql_error());
    }
    
if(mysql_num_rows($query) != 0)
    {
$row=mysql_fetch_array($query);
$password=$row["password"];
$email=$row["email"];
$subject="your password";
$header="from:you@yourdomain.com";
$content="your password is ".$password;
mail($email, $subject, $content, $header);
print "An email containing the password has been sent to you";
    }
else 
    {
    echo("no such login in the system. please try again.");
    }
}
?>

Any help or feedback would be greatly appreciated.

This post has been edited by macosxnerd101: 03 September 2012 - 10:26 AM
Reason for edit:: Please use code tags

[macosxnerd101]

You have more than 60 posts. You should know how to use code tags, and that programming help questions do not belong in the Student Campus. I'll move this over to PHP.

Have you tried doing what the error message suggested? That would be a good place to start.

[c9-adams]

I dont understand what the error message is trying to tell me hence why im asking.

[Atli]

c9-adams, on 03 September 2012 - 05:15 PM, said:

... then the system would require the users username, would then check the password matched with the username in the mysql database and would then send the user an email with their password

OK, first of all I'd like to point out that this is a very very insecure thing to do. There are two reasons for this:

• This indicates that you are storing the passwords in the database in a form that allows you to read them. That you should never do. You should hash all passwords the moment you get them from the user, and store only the hash in the database. - Read: PHP: Password Hashing in the PHP manual for details.
  
  
• Sending this through email means that you are, usually, sending the plain-text password through an unencrypted connection. That means that your email, and the password, is being routed through any number of routers, where it is more than likely cached and plainly readable to anybody with access to that router. And then there is also the concern of hackers intercepting and reading the mail on route. - Hackers could request password sent to random accounts, knowing your system will send an email with the password, which they could then easily intercept to gain access to those accounts.

What you should be doing is allowing users to request a password reset. There are several ways to do this, but a simple one goes like this:

• User types in a Username or an Email into a form on your site.
  
• Your site generates a random token that is saved into the database with the user account, and is sent via email to the address registered to the account, embed in a link that takes them to a password reset form on your site.
  
• When the user clicks the link, the page compares the token in the URL to the token in the database, and if they match you provide a form where the user can change the password.