retreive password from being in md5

[reel_biggy_fish]

when a user forgets his or her password they can retreive it by sending an email to their account and the password is given to them.  unfortunatly the password they recieve is in md5:

 

for example the password 'the' is given in an email like so:

 

Password:6e9b31333e61aad015fa16a3a5fe8e0d

Username:the

Please change your password as soon as you logon

 

could someone please advise me what i am doing wrong so the password would be converted back to plain text.

 

here is the code for the email:

 

$query="Select pw from user where uname='$name'" or die(mysql_error());
$result= mysql_query($query); 

if(mysql_num_rows($result)>0){
for ($i=0; $i<mysql_num_rows($result); $i++) {
$row = mysql_fetch_assoc($result);

$pass= md5($row['pw']);
$to="$em\r\n";
$from="From: [email protected]\r\n";
$msg="Password:$pass\r\n";
$msg .="Username:$name\r\n";
$msg .="Please change your password as soon as you logon\r\n";
$subject="From Admin re:Your Login Password\r\n";

 

thanks in advance

 

i know im doing something really silly by missing something out but i cant see where it is

[Pikachu2000]

MD5 is not encryption, it's a hashing algorithm, and as such cannot be reversed.

[reel_biggy_fish]

ohhh okay, so there is no way to reverse the process.

 

what do you suggest to sort something out? would it be best to instead of just retreiving the password create a new one?

[Pikachu2000]

Yes. Create a new password, store the resulting hash in the db, and send the password that was generated to the user. Then they can change it to whatever they want the next time they log in.

[PFMaBiSmAd]

Whichever method you choose to do this, don't automatically update the existing password in the user table until the user performs some action using information you send him in the email. Otherwise, someone can just go through a list of likely/actual usernames requesting a new password and screw up the accounts of your users.