Password reset, db updated, yet login doesn't work

         

ajs83

5:34 am on Mar 25, 2005 (gmt 0)

10+ Year Member



I am trying out a random password generator for forgotten passwords and I have gotten it to partially work, but am having a problem.

I used the password reset form and entered the appropriate information; the form says the process was completed successfully and sends out the email with a new password.

I checked the db and the password field does have a different hash than before. I then tried to log in to the site with the new password, but am told the login information is incorrect despite not receiving any other errors.

Here are the two commands I use for the items

Password Login query
$password = md5($password);

Random Password Generator
$p = substr ( md5(uniqid(rand(),1)), 3, 10);

Any suggestions on what I should check?

dreamcatcher

9:24 am on Mar 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Try adding your data to the database without the encryption to see what's getting added. If the correct password is seen, then the problem is with the encryption part.

dc

ajs83

12:22 am on Mar 26, 2005 (gmt 0)

10+ Year Member



I took off the md5 part and the passwords generated are all the same, but do not match the db.

Here's the code I am using

<?php
if (isset($_POST['submit'])) { // Handle the form.

    if (empty($_POST['email'])) { // Validate the email address.
        $u = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your email address!</font></p>';
    } else {
        $u = mysql_real_escape_string($_POST['email']);

        // Check for the existence of that email.
        $query = "SELECT id, email FROM users WHERE email='$u'";
        $result = @mysql_query ($query);
        $row = mysql_fetch_array ($result, MYSQL_NUM);
        if ($row) {
            $id = $row[0];
            $email = $row[1];
        } else {
            echo '<p><font color="red" size="+1">The submitted email does not match any currently on file!</font></p>';
            $u = FALSE;
        }

    }

    if ($u) { // If everything's OK.

        // Create a new, random password.
        $p = substr ( md5(uniqid(rand(),1)), 3, 10);

        // Make the query. PASSWORD() hashes inside MySQL, which is not the
        // md5() hash the login query compares against.
        $query = "UPDATE users SET password=PASSWORD('$p') WHERE id=$id";
        $result = @mysql_query ($query); // Run the query.
        if (mysql_affected_rows() == 1) { // If it ran OK.

            // Send an email.
            $body = "Your password to log into SITENAME has been temporarily changed to '$p'. Please log-in using this password and your username. At that time you may change your password to something more familiar.";
            mail ($email, 'Your temporary password.', $body, 'From: admin@sitename.com');
            echo '<h3>Your password has been changed. You will receive the new, temporary password at the email address with which you registered. Once you have logged in with this password, you may change it by clicking on the "Change Password" link.</h3>';
            exit();

        } else { // If it did not run OK.

            // Send a message to the error log, if desired, and tell the user.
            echo '<p><font color="red" size="+1">Your password could not be changed due to a system error. We apologize for any inconvenience.</font></p>';

        }
        mysql_close(); // Close the database connection.

    } else { // Failed the validation test.
        echo '<p><font color="red" size="+1">Please try again.</font></p>';
    }

} // End of the main Submit conditional.

?>

<h1>Reset Your Password</h1>
<p>Enter your username below and your password will be reset.</p>
<form action="password.php" method="post">
<fieldset>
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="30" value="<?php if (isset($_POST['email'])) echo htmlspecialchars($_POST['email'], ENT_QUOTES);?>" /></p>
</fieldset>
<div align="center"><input type="submit" name="submit" value="Reset My Password" /></div>
</form><!-- End of Form -->

ajs83

12:48 am on Mar 26, 2005 (gmt 0)

10+ Year Member



The registration system generates 32 character hashes, but the password system is only generating 16 character ones. Could that be the issue?

dreamcatcher

8:09 am on Mar 26, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You're using the MySQL PASSWORD function to encrypt your random password, so the password stored will be different to when you echo $p after your query.

Try simply using:

$query = "UPDATE users SET password='$p' WHERE id='$id'";

dc

ajs83

8:17 am on Mar 26, 2005 (gmt 0)

10+ Year Member



That worked. The password is the same; it seems the encryption is the problem.

ajs83

12:27 am on Mar 27, 2005 (gmt 0)

10+ Year Member



How would I change the encryption so that it creates a 32 character hash instead of the 16 currently created by the forgotten password code?

dreamcatcher

9:01 am on Mar 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Use md5(). Make your database field a varchar(32).

$query = "UPDATE users SET password='".md5($p)."' WHERE id='$id'";

Remember to check against the hash when a user types in their password.

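$password = $_POST['password'];

// Strict comparison: with ==, two hashes that look numeric (e.g. "0e...")
// can compare equal even though the strings differ.
if (md5($password) === $database_password)
{
    $valid = true;  // hashes match: accept the login
}
else
{
    $valid = false; // hashes differ: reject the login
}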

dc
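
Added example, not part of the thread or any poster's code: the login failure above came from hashing with one function on reset (MySQL PASSWORD()) and another at login (md5()). The sketch below sends both paths through one PHP hash/verify pair and uses password_hash() and random_bytes() in place of md5(); the in-memory $users array and all function names are hypothetical, and PHP 7.0 or later is assumed.

```php
<?php
// Constructed stand-in for the users table; no database is needed to run this.
$users = [
    1 => ['email' => 'user@example.com', 'password' => ''],
];

// Hash in PHP, never in SQL, so reset and login always use the same algorithm.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT); // salted; store in VARCHAR(255)
}

function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored); // reads algorithm and salt from $stored
}

// Temporary password from the OS CSPRNG instead of md5(uniqid(rand(), 1)).
function generate_temp_password(): string
{
    return bin2hex(random_bytes(8)); // 16 hex characters, 64 bits of randomness
}

function reset_password(array &$users, int $id): string
{
    $temp = generate_temp_password();
    $users[$id]['password'] = hash_password($temp);
    return $temp; // mailed to the user; only the hash is stored
}

function login(array $users, string $email, string $plain): bool
{
    foreach ($users as $row) {
        if ($row['email'] === $email) {
            return check_password($plain, $row['password']);
        }
    }
    return false;
}

$temp = reset_password($users, 1);
var_dump(login($users, 'user@example.com', $temp));        // same pair on both paths
var_dump(login($users, 'user@example.com', 'not-the-one')); // wrong password

// The thread's failure mode: the stored value comes from a different function
// than the one the login path checks with, so a correct password is rejected.
$users[1]['password'] = md5($temp);
var_dump(login($users, 'user@example.com', $temp));
```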