Password Reset Link : “TO” email address not working

Question

I have created a password reset function in PHP.

It's working just fine...........except that, for some reason, I'm unable to set the recipient's email address : " TO "

The code works this way :

(a) the user is asked to provide his login/username (b) php sends an sql query to the database; (c) if the username is found, php takes the email-address, and sends a Reset Link via email (d) this reset-link has a unique "token" attached to it (e) the user clicks on the link in his email, and is re-directed to a new page where he resets his password

Everything is working fine...........except for the email structure itself. The email comprises : TO, CC, SUBJECT, BODY, and HEADERS .

Everything is being shown..........except the actual " TO ".

In fact, the only reason I know that the code works is because I'm getting a copy of the email, via the the " CC "

Here is my code :

  if(isset($_POST['submit'])) {

  $login = $_POST['login'];

  $query = "select * from personal_data where login='$login'";
  $result = mysqli_query($conn,$query);
  $count=mysqli_num_rows($result);
  $rows=mysqli_fetch_array($result);


  if($count==0) {

 echo "Sorry; that username does not exist in our database";
 }

else {

 function getRandomString($length) 
   {
$validCharacters = "ABCDEFGHIJKLMNPQRSTUXYVWZ123456789!#+=%&/?*$";
$validCharNumber = strlen($validCharacters);
$result = "";

for ($i = 0; $i < $length; $i++) {
    $index = mt_rand(0, $validCharNumber - 1);
    $result .= $validCharacters[$index];
 }
 return $result;    }

$token=getRandomString(40);
$q="insert into token (token,login) values ('".$token."','".$login."')";
mysqli_query($conn,$q);

function mailresetlink($to,$token){

$to = $rows['email'];
$subject = "Password Reset";
$uri = 'http://'.$_SERVER['HTTP_HOST'] ;
$message = '
<html>
<head>
<title>Password Reset Link</title>
</head>
<body>
<p>We received a Password-Reset request from your account.</p>
<p>Click on the following link to reset your password : <a   
href="'.$uri.'/PHP/password_reset?token='.$token.'">Reset Password</a></p>
</body>
</html>
 ';
 $headers = "MIME-Version: 1.0" . "\r\n";
 $headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
 $headers .= 'From: Support<support@xxxxx.com>' . "\r\n";
 $headers .= 'Bcc: Info<info@xxxxx.com>' . "\r\n";

 if(mail($to, $subject, $message, $headers))     {

  echo "A password reset link has been sent to your email address."

    }
 }

 if(isset($_POST['login'])) { 
    mailresetlink($email,$token);

    exit();
            } 

     }
  }

Answer 1

The reason why your code is not working is due to a few things.

One of which is that $rows needs to reside inside the function mailresetlink($to,$token) function's parameter.

Change that to function mailresetlink($to,$token,$rows) and do the same for the one inside if(isset($_POST['login'])){...}

if(isset($_POST['login'])) { 
    mailresetlink($email,$token,$rows);

    exit();
            } 

Plus, if it isn't a typo or a bad paste; there is also a missing semi-colon in this line:

echo "A password reset link has been sent to your email address."
                                                                 ^ right there

Having done all of the above, successfully sent all of the information to Email during my test.

---

Sidenote: Your present code is open to SQL injection . Use mysqli with prepared statements , or PDO with prepared statements , they're much safer .

Answer 2

You cannot define functions in if or while or whatever scope. Define them before or after you intend to use them. Try with the following code:

<?php
if ( isset($_POST['submit']) ) {

    $login = $_POST['login'];
    $email = $_POST['email'];


    $query = "select * from personal_data where login='$login'";
    $result = mysqli_query($conn, $query);
    $count = mysqli_num_rows($result);
    $rows = mysqli_fetch_array($result);


    if ($count == 0) {

        echo "Sorry; that username does not exist in our database";
    } else {


        if (isset($_POST['login'])) {
            mailresetlink($email, $token, $rows);

            exit();
        }

    }
}

function getRandomString($length)
{
    $validCharacters = "ABCDEFGHIJKLMNPQRSTUXYVWZ123456789!#+=%&/?*$";
    $validCharNumber = strlen($validCharacters);
    $result = "";

    for ($i = 0; $i < $length; $i++) {
        $index = mt_rand(0, $validCharNumber - 1);
        $result .= $validCharacters[$index];
    }
    return $result;
}

$token = getRandomString(40);
$q = "insert into token (token,login) values ('" . $token . "','" . $login . "')";
mysqli_query($conn, $q);

function mailresetlink($to, $token, $rows)
{

    $to = $rows['email'];
    $subject = "Password Reset";
    $uri = 'http://' . $_SERVER['HTTP_HOST'];
    $message = '
        <html>
        <head>
            <title>Password Reset Link</title>
        </head>
        <body>
        <p>We received a Password-Reset request from your account.</p>

        <p>Click on the following link to reset your password : <a
                href="' . $uri . '/PHP/password_reset?token=' . $token . '">Reset Password</a></p>
        </body>
        </html>
        ';
    $headers = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
    $headers .= 'From: Support <support@xxxxx.com>' . "\r\n";
    $headers .= 'Bcc: Info <info@xxxxx.com>' . "\r\n";

    if (mail($to, $subject, $message, $headers)) {

        echo "A password reset link has been sent to your email address.";

    }
}
?>

Also, pay attention to Quentin's advice about preventing SQL injection.

What I did was:

• Moved getRandomString and mailresetlink after the if block
• Added parameter $rows to mailresetlink function, so it can find use of the $rows variable (which was out of the scope)

You also need to define $email , because it's not being set anywhere, so I did it for you (I guess you also have an input field with the name of email somewhere.

Test it, it should work.