ok i been doing a forgot password script and its going a bit weird and im hoping to get some tips

ok so heres the script i have at the moment.

PHP Code:

<?php
include('includes/includes.php'); //contains DB connection and a couple of Defined bits...
#include('includes/db_connect_calm_main.php');
if( $_GET['change'] == 'y')
{
if(isset($_POST['email']) && isset($_POST['verify']) && isset($_POST['npass']) && isset($_POST['npass2']))
{
$npass   =(isset($_POST['npass']))    ? mysql_real_escape_string($_POST['npass'],$link_db)     : '';
$npass2   =(isset($_POST['npass2']))    ? mysql_real_escape_string($_POST['npass2'],$link_db)     : '';
$result_check = mysql_query("SELECT * FROM pword_reset WHERE email='".$_POST['email']."' 
AND verify_code ='".$_POST['verify']."'") 
or die("Error checking email and verify code against database.".mysql_error());
if($num_rows >= 1)
{
$reset_info = mysql_fetch_array($result_check);
if($npass == $npass2)
{
$result_change_pw = mysql_query("UPDATE users SET password='$npass' WHERE id='$usr_id'") or die("Error modify password");
echo 'Modified password';
}
} //end if email + verify valid.
else { echo 'Hacking attempt deteched.'; } // else if email +verify valid.
} //end if modify password vars set
}
else { //else modify password vars sent
if(isset($_GET['email']) && isset($_GET['verify']))
{
$email   =(isset($_GET['email']))    ? mysql_real_escape_string($_GET['email'],$link_db)     : '';
$verify  =(isset($_GET['email']))    ? mysql_real_escape_string($_GET['verify'],$link_db)    : '';
$result_check = mysql_query("SELECT * FROM pword_reset WHERE email='$email' AND verify_code ='$verify'") 
or die("Error checking email and verify code against database.".mysql_error());
$num_rows = mysql_num_rows($result_check);
if($num_rows >= 1) 
{
echo 'Code and email has been verified.<br />';
echo '
<form action="forgot.php?change=y" method="post">
<input type="hidden" value="'.$verify.'" name="verify_code" />
<input type="hidden" value="'.$email.'" name="email" />
<input type="hidden" value="'.$usr_id.'" name="usr_id" />
password:<input type="password" name="npass" /><br />
confirm:<input type="password" name="npass2" /><br />
<input type="submit" name="change_password" value="Modify Password" />
</form>';
}
else {
echo 'Error: There is a problem with your email or verification code. This could be because you have copied it wrong.
OR that the password reset request has expired. Requests expire after 48 hours. click here to make a request and wait for the email. <a href="forgot.php">here</a>';
}
}
else {
if($_POST['submit_email'])
{
$email  =(isset($_POST['email']))      ? mysql_real_escape_string($_POST['email'],$link_db)      : '';
$result_email = mysql_query("SELECT * FROM users WHERE email='$email'") or die("Error checking emial");
$num_rows = mysql_num_rows($result_email);
if($num_rows >= 1) 
{
$user_info = mysql_fetch_array($result_email);
$usr_id = $user_info['id'];
$ip = $_SERVER['REMOTE_ADDR'];
$request_time = date('U');
$expire_time = $request_time + 60*60*48;
$verify_code = "vfvkdfvkfmvfgbghhjmj666m6j555m6jhm4545hj";# Random string of X chars numbers/chars 
mysql_query("INSERT INTO pword_reset SET ip='$ip', email='$email', usr_id='$usr_id', 
request_time='$request_time', expire_time='$expire_time', verify_code='$verify_code'") or die("Error inserting request.".mysql_error());
$nl = "\n\r";
$from = "noreply@dansgalaxy.co.uk";
$headers = '';
$headers .= "FROM: $from".$nl;
$headers.= "Message-ID: <".time()."-$from>".$nl;
$headers.= "X-Mailer: PHP v".phpversion()." Dan Rodgers Password Recovery Script".$nl;
 // These two to help avoid spam-filters
$headers.= 'MIME-Version: 1.0'.$nl;
$headers.= "Content-type: text/html; charset=iso-8859-1".$nl;
$subject = 'Forgot Password Request';
$body = "Hey, ".$user_info['fullname']." <br/> $nl";
$body.= "A request has been made to reset your password.<br /> $nl";
$body.= "To reset your password please click the link below or copy and paste it into your browser. <br /> $nl";
$body.= "<br/> $nl";
$body.= "<a href='".SITE_URL."/forgot.php?email=$email&verify=$verify_code'>".SITE_URL."/forgot.php?email=$email&verify=$verify_code</a> <br /> $nl";
$body.= "<br /><br /> $nl";
$body.= "<strong><em>If you did not make this request please ignore this 
email it will expire in 48 hours anyway.</em></strong>";
$body.= "This is a automated email, sent be the CALM website. Please do not reply to this address as email sent to this address are automatically discarded. If you wish to contact calm please do so through the website <a href='".SITEURL."'>here</a>.";

mail($email, $subject, $body, $headers);
echo 'Email Sent.';
}
else {
echo 'No account exists with this email.';
}
} //end if submit_email
else {
echo '<form action="" method="post">
Email: <input type="text" name="email" />
<input type="submit" name="submit_email" />
</form>';
}
} //end else email and verifty set.
} //end else modify password vars sent.
?>

one of the problems i am ahving is with the email which is sent after you request it. for some reason is isnt reconising the headers, and is shoving them into the body of the mail and as a result it isnt picking up its text/html so the HTML isnt being parsed either

Thanks,
TP for al good posts and help

I could do the reset password script nice and easy. I know how to send mail by PHP, but I wouldn't have a clue how to pass variables from an email back to the server again.

However, maybe I would have the password changed for them, and have the new password emailed to them advising them to change the password once they log in. Obviously, the email is sent only to the email address in the database.

Just my idea.

ok.. Ill explain the above script.

This script user makes request by enterign the email associated with their account. IF it is a valid email which is connected with a account a entry is made to my pword_reset table

It adds a randomly generated string of 50 numbers and letters (not on this version but it is...) the email their user_id AND also the request time (in unix time) and also a expire time which is generated by adding 60*60*48 to the current unix time.



It emails the user with a url the url is like forgot.php?email=myaccount_email@dan.com&verify=My Special50characterlongcodewhichisinthetable

Then the user clicks the link they go to the page and IF the user has requested their password there will be a entry with that code for that account.

If it all checks out it provides two fields to enter a new password (and confirm it) submit and it overwrites their password.

I will also be running a CRON job which deletes all entries where the expire time is less than the current unix time. there-fore deleting all entries older than 48 hours. providifing more security

Its fairly simple. but i can be fairly dumb as well

Well with how you explained it there, it does actually seem fairly simple and I will have to try it out as I don't really have a password reset system in place, other than I usually change the password myself to something easy and then ask the users to change it to something else they will remember!!

ill customise what i have for you for cheap