I've set up a page to allow folks to reset their Passwords and/or send them-selfs their User-id.
1. Form is displayed.
2. Must Enter E-Mail address.
3. Must select Security Question (1 of 6).
4. Must enter Security answer.
5. check E-Mail address to see if it is valid address in the user table.
(if not display error msg)
6. If valid E-Mail, check Security Question & Answer in user table.
- if Question and Answer correct, reset pw and use php mail fuction to e-mail new pw to E-Mail address.
- If invalid Question or Answer use php mail fuction to e-mail fact to E-Mail address.
I will be passing the E-Mail address to php mail, but I figure since this was checked against the table that some one shouldn't be able to hide a cc address in the field.
Any thing else I should worry about?