0

I want to send an email with a user's email and password to their email account. This is the code I have:

    if ($ct2 == 1){
        while ($row = mysql_fetch_array($sql)){
            $emusername = $row2["username"];
            $empassword = $row2["password"];
            $firstname = $row2["first_name"];
            $to = $row["email"];
            $subject = "User Name And Password";
            $message =  $firstname 
                . "Here is your username and password,\n Username" 
                . $emusername . "\n Password" 
                . $empassword . "\n\n";
            $headers = "From: webmaster@tfcbondfire.com\r\nReply-To: Forgot username and password.";

            mail($to,$subject,$message,$headers);
        }
    }

The email is sent but none of the $... information in the $message is sent. I can't figure out how to get it to send the info.

Adam Wenger

3 Answers

2

Your array variable is $row not $row2. And use single quotes in your index. .... And listen to SLaks. Haha! Bad idea to keep passwords that aren't encrypted.

Higgsy
  • Always something stupid I'm forgetting. However, I may have to rethink how to retrieve forgotten passwords. Perhaps a question/answer… – James AraSmith Dec 06 '11 at 02:20
  • 1
    @JamesAraSmith: You **must not** allow users to retrieve forgotten passwords. Instead, email them a link to set a new password (like all major sites do). It should _never_ be possible for you to find out a user's password. – SLaks Dec 06 '11 at 02:22
  • Ok, I can do that. Thanks again! – James AraSmith Dec 06 '11 at 02:32
0

Not so surprising, you're fetching your rows into $row, and you're trying to retrieve the data out of $row2. Furthermore, as stated by @SLaks, never send passwords by email. And on a side note, since you're retrieving the password out of the database, never store passwords unencrypted. And never store personal information of users unencrypted either; if someone hacks into your database, he'll have all personal information directly.

pbond
  • Furthermore, if you don't validate the address/subject to be what you expect, you are opening up a giant proxy for spammers to exploit: http://www.phpbuilder.com/columns/ian_gilfillan20060412.php3 – sirbrialliance Dec 06 '11 at 02:11
  • Great attribution @sirbrialliance. And James, you mean how to encrypt your data before storing it in the database? And unencrypt it if necessary? – pbond Dec 06 '11 at 02:14
  • @JamesAraSmith [here](http://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt) is a good place to start for encrypting passwords. – sooper Dec 06 '11 at 02:19
0

The real answer, as @SLaks points out in the comments, is that you should:

  • Never, ever, ever store passwords in your database
    • Store the hashes of passwords instead - use bcrypt, scrypt, or similar.
  • Never, ever, ever email passwords to users
    • Email users a unique token instead that they can use to reset their password.

As for your primary question of "why don't my variables show up in the concatenated string," you probably want to use heredoc syntax for your big string, and to double-check that your SQL query is giving you back the values that you expect.

Brighid McDonnell
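The two recommendations in the answer above (store only password hashes, and email a reset token rather than the password), as an added example that is not code from the original thread. It assumes PHP 7 or later; the in-memory `$users` array stands in for a database table, and the function names, `RESET_TTL` and the `example.com` URL are hypothetical.

```php
<?php
// Added example, not from the original thread. $users stands in for a
// users table; every name below is hypothetical.

const RESET_TTL = 3600; // token lifetime in seconds (assumed policy)

$users = [];

function register(array &$users, string $email, string $password): void {
    // Store only a bcrypt hash; the plaintext is never persisted.
    $users[$email] = [
        'password_hash' => password_hash($password, PASSWORD_BCRYPT),
        'reset_hash'    => null,
        'reset_expires' => 0,
    ];
}

function startReset(array &$users, string $email): ?string {
    if (!isset($users[$email])) {
        return null; // caller shows the same response whether or not the account exists
    }
    $token = bin2hex(random_bytes(32));                       // goes into the emailed link
    $users[$email]['reset_hash']    = hash('sha256', $token); // only the hash is stored
    $users[$email]['reset_expires'] = time() + RESET_TTL;
    return $token;
}

function finishReset(array &$users, string $email, string $token, string $newPassword): bool {
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']) {
        return false; // unknown user, no pending reset, or token expired
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison failed
    }
    $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_BCRYPT);
    $users[$email]['reset_hash']    = null; // token is single use
    return true;
}

// Constructed sample run.
register($users, 'user@example.com', 'old-password');
$token = startReset($users, 'user@example.com');
$link  = 'https://example.com/reset.php?token=' . $token; // this link, not a password, is emailed
var_dump(finishReset($users, 'user@example.com', 'wrong-token', 'x'));
var_dump(finishReset($users, 'user@example.com', $token, 'new-password'));
var_dump(finishReset($users, 'user@example.com', $token, 'again'));
var_dump(password_verify('new-password', $users['user@example.com']['password_hash']));
```

Because only the SHA-256 of the token is stored, a leaked database row cannot be replayed as a working reset link, and the bcrypt column never yields the user's password.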