
Forgot Password script - What am I doing wrong, help please :(


tristan5522

Hey everyone, this is my first post. Currently this code resets the user's password and replaces it with some random code in the database. Not sure what I am doing wrong, any help would be greatly appreciated. 

<?php
$heading = "Forgot Password";

if(isset($_GET['action']) && $_GET['action'] == "fpwd")
{
    if(count($_POST) > 0)
    {
        if(isset($_POST['user_email']))
        {
            $email_address = $_POST['user_email'];

            $sqlemail = "select user_email from ".TABLE_user." where user_email = '$email_address'";
            $resemail = mysql_query($sqlemail);

            $password = "user".rand(1000,50000);

            $sql_update = "update ".TABLE_user." set 'password' = '".md5($password)."' where 'user_email' = '$email_address'";
            $res = mysql_query($sql);

            $to = $email_address;
            $subject = 'Reset Password';
            $message = 'Your new password: '.$password;
            $headers = 'From: '.STORE_EMAIL.'' . "\r\n";

            if(mail($to, $subject, $message, $headers))
            {
                fw_goto_page_header(fw_create_link(FILENAME_FORGOT_PWD,'msg=1'));
            }

        }
    }
}

?>

A few points with this:

$sql_update = "update ".TABLE_user." set 'password' = '".md5($password)."' where 'user_email' = '$email_address'";

PHP is treating TABLE_user as a constant -- it is not inside quotes, so it is not literally a string, and it does not have a $ in front, so it is not a variable, and it does not have parentheses after it, so it is not a function.  Where is this defined?

SQL statements should have backticks surrounding table and column names -- not apostrophes. The backtick is on the key above the tab key on the keyboard.
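
An added example, not code from either poster: the update step with the table constant defined, identifiers in backticks, and the submitted address passed as a bound parameter instead of being concatenated into the query. It assumes PDO rather than the mysql_* functions (which were removed in PHP 7), an in-memory SQLite database so it runs stand-alone, and a constructed value for TABLE_user and a constructed sample row; the column names are the ones in the original post.

```php
<?php
// Added example. TABLE_user's value, the SQLite in-memory database and the
// sample row are constructed for illustration, not taken from the thread.
define('TABLE_user', 'users');

// Returns the new temporary password, or null when no account matched.
function reset_password(PDO $db, string $email): ?string
{
    // Temporary password from the CSPRNG rather than rand(1000,50000),
    // which allows only 49,001 possible values.
    $password = bin2hex(random_bytes(8));

    // Identifiers in backticks; values travel as bound parameters, so an
    // apostrophe in the address cannot change the SQL text.
    $sql = "UPDATE `" . TABLE_user . "` SET `password` = :hash"
         . " WHERE `user_email` = :email";
    $stmt = $db->prepare($sql);           // run the query that was built
    $stmt->execute([
        ':hash'  => password_hash($password, PASSWORD_DEFAULT), // not md5()
        ':email' => $email,
    ]);

    // Send mail only if exactly one row was actually updated.
    return $stmt->rowCount() === 1 ? $password : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `" . TABLE_user . "`"
        . " (`user_email` TEXT PRIMARY KEY, `password` TEXT)");
$db->exec("INSERT INTO `" . TABLE_user . "`"
        . " VALUES ('alice@example.test', 'old-hash')");

// Known address: the stored hash must verify against the returned password.
$new  = reset_password($db, 'alice@example.test');
$hash = $db->query("SELECT `password` FROM `" . TABLE_user . "`")->fetchColumn();
var_dump($new !== null && password_verify($new, $hash));

// Unknown address containing an apostrophe: bound as data, no row changes.
var_dump(reset_password($db, "o'brien@example.test"));
```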
