I have simple reset password structure for users to update their existing passwords if lost. The user goes to a link where they enter their email, a token is created and stored in a designated table for the user with the forgotten password. A email is sent to the user with a link that has the token attached, when they hit that link it takes them to a page to reset their password. If the token stored in the db matches the one in the $_GET, I allow them to reset their password. simple.

The problem is I can’t update their specific row in the db. I am trying to identify them by checking their email they entered against their email in the db. I am able to update the WHOLE tables password row, but when specify one user it fails.

if(isset($_POST['sub_settings'])){

    $query = "SELECT * FROM `Password_Reset` WHERE `token` = '".$token."' AND `email` = '".$user_email."'";
    $request = mysql_query($query,$connection) or die(mysql_error());
    $result = mysql_fetch_array($request);

    $token = $result['token'];
    $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
    $rand = str_shuffle($alpha);
    $salt = substr($rand,0,40);
    $hashed_password = sha1($salt . $_POST['password']);
    $user_email = $result['email'];



    if($_GET['token'] == $token) {
        header("Location: index.php");
        exit;

    }else{

    if(empty($_POST['Password'])) {
        $valid = false;
        $error_msgs[] = 'Whoops! You must enter a password.';
    }

    if($_POST['Password'] != $_POST['passwordConfirm'] || empty($_POST['Password'])) {
        $valid = false;
        $error_msgs[] = "Your password entries didn't match...was there a typo?";
    }

    if($valid) {
        $query = "UPDATE `Users` SET `encrypted_password` = '$hashed_password' WHERE `Email` = '$user_email'";

        mysql_query($query,$connection);
    }


    }
}

Thanks so much in advance