send an email from php using a database

Question

I'm trying to setup my php page so that when the user enters their username in the textbox it checks my database for that username, finds their email address and then sends an email to that address. The code I currently have which unfortunately doesn't seem to be working as when i submit the page it refreshes but no email is received at the expected address;

<?php 

require_once 'header.php';
require_once 'my_connect.php';

$user = $_POST['user'];

$my_query="SELECT * from table where user = '$user'";
$result= mysqli_query($connection, $my_query);

while ($myrow = mysqli_fetch_array($result)){

echo $to = $myrow["emailaddress"]; 
$password = $myrow["password"]; 

}

$to = $email;
$password = $password;
$subject = 'Password';
$sender = 'email@mail.com';

$message = <<< EMAIL

The Password registered with account {$user} is {$password}.

EMAIL;

$header = "From:" . $sender;


if ($result):
        mail($to, $subject, $message, $header);
        $feedback = 'Email Sent';
endif;

?>

Answer 1

It has been already established that you didn't (originally) fetch anything from your query.

I am submitting the following as an example (to help you out, because it is way too long for a comment) with what I used to test your code.

Make sure that all values exist in your database. You will need to adjust the table/column names accordingly.

If the following example fails you, then you will need to find out why.

Check for errors and make sure that mail is available for you to use. Check your spam also.

See comments embedded inside code also.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';

$Link = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($Link->connect_errno > 0) {
  die('Connection failed [' . $Link->connect_error . ']');
}

$_POST['user'] = "john"; // this is a hard-code value. I did not use a form for it

$user = $_POST['user']; // If taken from a form
                        // make sure you have a post method
                        // and that the input has the same
                        // name attribute for it. I.e.: name="user"

$my_query="SELECT * from users where username = '$user'";
$result= mysqli_query($Link, $my_query) or die(mysqli_error($Link));

while($myrow = mysqli_fetch_array($result)){

echo $to = $myrow["email"];

$password = $myrow["password"];

}


$subject = 'Password';
$sender = 'email@example.com'; // replace this with your email address

$message = <<< EMAIL

The Password registered with account {$user} is {$password}.

EMAIL;

$header = "From:" . $sender;


if ($result):
        mail($to, $subject, $message, $header);
        echo $feedback = 'Email Sent';
endif;

---

Plus, the method you are using is insecure as in sending passwords in email and not using a prepared statement and storing passwords as plain text.

Use prepared statements, or PDO with prepared statements, they're much safer.

---

Passwords

I also noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

• PHP 5.5's password_hash() function.
• Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Important sidenote about column length:

If and when you do decide to use password_hash() or the compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

Other links of interest:

• CRYPT_BLOWFISH
• crypt()
• bcrypt()
• scrypt()
• On OPENWALL
• PBKDF2
• PBKDF2 on PHP.net
• PBKDF2 For PHP