Reputation: 403
I am in the process of building a login/registration system from scratch in order to teach myself PHP, MySQL, etc. I am currently trying to build a "forgot password" email link system using a token in order to reset the forgotten password.
My database columns are set up as follows: id, name, email, username, password (don't worry, not plain text!), date, profile, fill, token (ultimately tagged to sent email for reset), used (ENUM 0,1).
Now for the PHP:
<?php
if (!isset($_GET['email'])) {
    echo '<form action="forgotpassword.php">
        Enter Your Email Id:
        <input type="text" name="email" />
        <input type="submit" value="Reset My Password" />
    </form>';
    exit();
}
$email = $_GET['email'];
function connect() {
    $link = mysql_connect('localhost', DB_USER, DB_PASS);
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    $db_selected = mysql_select_db(DB_NAME, $link);
    if (!$db_selected) {
        die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
    }
}
$q = "SELECT email FROM users WHERE email='" . $email . "'";
$r = mysql_query($q);
$n = mysql_num_rows($r);
if ($n == 0) {
    echo "Email id is not registered";
    die();
}
The code continues on, but I am currently being stopped with the "Email id is not registered". However, I do have a test entry in the database with the email stored. When selecting the "Reset My Password" button, the error is displayed.
I am aware that I am not utilizing prepared statements at the moment. Hope to see this working before I learn how to use those with binds.
Ultimately, the question is, I am trying to select the email that has been registered in the "users" table where email is set to $_GET['email'] and I do not understand why this is not working?
Thanks for any and all help. Please let me know if more information is needed.
Upvotes: 0
Views: 107
Reputation: 46
You can use this code:
<?php
// Show the form until an email address has been submitted.
if (!isset($_GET['email'])) {
    echo '<form action="">
        Enter Your Email Id:
        <input type="text" name="email" />
        <input type="submit" value="Reset My Password" />
    </form>';
    exit();
}
define('DB_USER', '');
define('DB_PASS', '');
define('DB_NAME', '');
$email = $_GET['email'];
function connect()
{
    $link = mysql_connect('localhost', DB_USER, DB_PASS);
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    $db_selected = mysql_select_db(DB_NAME, $link);
    if (!$db_selected) {
        die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
    }
}
// Open the connection before running any query.
connect();
// Compare case-insensitively and ignore surrounding whitespace on both sides.
// The value is escaped (after connect()) so quotes in it cannot change the SQL.
$q = "SELECT email FROM users WHERE LCASE(TRIM(email))='" . mysql_real_escape_string(strtolower(trim($email))) . "'";
$r = mysql_query($q);
$n = mysql_num_rows($r);
if ($n == 0) {
    echo "Email id is not registered";
    die();
}
Upvotes: 1
Reputation: 294
connect();
before $q="SELECT email FROM users WHERE email='".$email."'";
$q="SELECT email FROM users WHERE email='".mysql_real_escape_string(trim($email))."'";
trim will help remove whitespace (if any). Try to use mysqli, as mysql is deprecated.
<?php
if (!isset($_GET['email'])) {
    echo '<form action="forgotpassword.php">
        Enter Your Email Id:
        <input type="text" name="email" />
        <input type="submit" value="Reset My Password" />
    </form>';
    exit();
}
$email = $_GET['email'];
function connect() {
    $link = mysql_connect('localhost', DB_USER, DB_PASS);
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    $db_selected = mysql_select_db(DB_NAME, $link);
    if (!$db_selected) {
        die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
    }
}
// The connection must be open before mysql_query() is called.
connect();
// trim() drops stray whitespace; the value is escaped (after connect())
// so quotes in it cannot change the SQL.
$q = "SELECT email FROM users WHERE email='" . mysql_real_escape_string(trim($email)) . "'";
$r = mysql_query($q);
$n = mysql_num_rows($r);
if ($n == 0) {
    echo "Email id is not registered";
    die();
}
Upvotes: 1
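The same lookup written with bound parameters, which the question defers and the last answer's move away from the mysql extension makes possible. This is an added example, not code from any poster in the thread. It assumes PDO with an in-memory SQLite database so that it runs offline (for MySQL, change the DSN); the helper name issue_reset_token and the sample row are constructed, and only the email, token and used columns from the question's schema are modelled.

```php
<?php
// Constructed test database: in-memory SQLite stands in for the MySQL "users" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT,
    token TEXT,
    used INTEGER DEFAULT 0
)");
$pdo->exec("INSERT INTO users (email) VALUES ('Test@Example.com')"); // constructed row

/**
 * Hypothetical helper: find the account for an email address and, if it
 * exists, store a fresh reset token with used = 0.
 * Returns the token, or null when no account matches.
 */
function issue_reset_token(PDO $pdo, string $rawEmail): ?string
{
    // Same normalisation the answers apply: trim and lower-case.
    $email = strtolower(trim($rawEmail));

    // The value travels as a bound parameter, never as part of the SQL text,
    // so quotes in it are compared as data.
    $find = $pdo->prepare('SELECT id FROM users WHERE LOWER(TRIM(email)) = :email');
    $find->execute([':email' => $email]);
    $id = $find->fetchColumn();
    if ($id === false) {
        return null;
    }

    // Unpredictable token from the OS CSPRNG (PHP 7+).
    $token = bin2hex(random_bytes(32));
    $save = $pdo->prepare('UPDATE users SET token = :token, used = 0 WHERE id = :id');
    $save->execute([':token' => $token, ':id' => $id]);
    return $token;
}

// Constructed inputs: a padded, differently-cased match, a quote-bearing
// string, and an unknown address.
foreach (["  test@example.com ", "x' OR '1'='1", "nobody@example.com"] as $input) {
    var_dump(issue_reset_token($pdo, $input));
}
```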