Reset Password doesn't do ANYTHING!

[c-o-d-e]

I have a password reset form, and it doesn't do anything when I click submit. It refreshes my page. Nothing happens.

I don't recieve an email, I've tried to echo the password as soon as it gets created. Nothing echo'd. Seems that NOTHING happens at all.

 

Can anyone help me out? Here is the code.

<?php 
session_start(); 
include ("inc/config.php");

if(isset($_POST['reset']))
{
$username = addslashes(mysql_real_escape_string($_POST['username']));
$email = addslashes(trim(mysql_real_escape_string($_POST['email'])));

if(empty($username)){
	$error['username'] = '<span style="color:red;">Your Username is required!<br /></span>';
}
if(empty($email)){
	$error['email'] = '<span style="color:red;">Your registered Email Address is required!<br /></span>';
}

$query = mysql_query("SELECT * FROM Users WHERE Username = $username") or trigger_error("Query failed: ".mysql_error());
if(mysql_num_rows($query) > 0) {
	$row = mysql_fetch_array($query);
	if($email == $row['Email']){}{
		$error['email'] = 'The entered Email is not the registered email!';
	}
} else {
	if($username > 0){
		$error['username'] = 'The entered Username is not registered!';
	}
}

if(!isset($error)){
	 $length = 9;
	 $characters = 'abcdefghjkmnpqrstwxyz23456789';
	 $max = strlen($characters) - 1;
	 $pwd = '';
	 mt_srand((double)microtime() * 1000000);
	 while (strlen($pwd) < $length + 1)
	 $pwd .= $characters{mt_rand(0, $max)};
	 $pass = md5($pwd.strtolower($username));

	 $query = mysql_query("UPDATE Users SET Password = '$pass' WHERE Username = '$username'") or trigger_error('Query failed: '. mysql_error());

	 $send = mail($email , "Password Reset Request" , "You have applied for a new password at Developers Community\n\nYour Username and New Password are below, Please change your Password when you login!\n\nUser: ".$username."\nPass: ".$pwd."\n\nIf you did not request a New Password, please change your Password and if this continues to happen then please contact us.\n\nPlease do not reply, this is an automated mailer.\n\nThanks", "FROM: no-reply@developers-community.com");

	 if(($query)&&($send)){
		 $success['complete'] = 'Your New Password has been sent to your Email Address. The Email could be in your Junk. If you do not recieve the email, please contact us.';
	 }
} 
}
?>
        <?php echo ''.$error['username'].''.$error['password'].''.$success['complete'].''; ?>
        <form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" style="width:300px; margin:0 auto;">
        <label>Username<br />
          <input name="username" type="text" class="textBox" id="username" size="40" /></label>
        <label><br />
          Registered Email Address<br />
          <input name="email" type="text" class="textBox" id="email" size="40" /></label>
        <br /><br />
        <input name="reset" type="submit" class="textBox" id="reset" value="Submit" />
        </form>

[KevinM1]

Look at your logic - you have it so if the user enters a username ($username > 0) or if the user already has a valid e-mail address ($email == $row['email']) to trigger an error, thereby ignoring the request to send the e-mail and reset the password.  That seems pretty backwards to me.

[c-o-d-e]

($username > 0)

Should be If username is bigger than 0.

Would it be < ?

I seem not to remember the < and >

[PFMaBiSmAd]

Your query is also failing because there are no single-quotes around the string data in it.

 

Again, what trigger_error() does is dependent on the error_reporting and display_errors settings. Are you developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that ALL php errors will be reported and displayed?

 

You are also double-escaping the string data being put into your query. You should only be using mysql_real_escape_string() and NOT using addslashes().

[c-o-d-e]

	$query = mysql_query("SELECT * FROM Users WHERE Username = '$username'") or trigger_error("Query failed: ".mysql_error());
if(mysql_num_rows($query) > 0) {
	$row = mysql_fetch_array($query);
	if($email == $row['Email']){}{
		$error['email'] = 'The entered Email is not the registered email!';
	}
} else {
	if($username > 0){
		$error['username'] = 'The entered Username is not registered!';
	}
}

 

If there is a row, it checks if the email matches the email of the registered username thats entered, if it matches then no error, so it carries on. If it does not match, report the error, else if there isn't a row by the entered username, and the username has more than 1 character to report the error that its not registered.

 

I changed it so that I am only using mysql_real_escape_string() and I have now put in the single quotes where needed.

I just set the error reporting to E_ALL, although in my php.ini it is always set as on.

 

Although with the error reporting set to E_ALL, it doesn't give me any other error that I should not recieve.

[c-o-d-e]

Oh! Update:

I had an error call above the form for Password, it should be Email. Thats why nothing happened.

When I type in my exact email address that I registered the account with. It comes up as

"The entered Email is not the registered email!" Even though its correct!

 

AND where i has {}{ for the email, Should be {}else{