Received via email:
"When a customer forgets their password and enters their email address for password recovery the database or script just emails them even if the email address doesn't exist in the DotNetDb."
Response:
The script runs the following SQL, which only sends an email if it exists in the DB:
select top 1 *
from [dbo].[dni_clients] (nolock)
where email = @email
The page does always display the confirmation message that says "Your password has been sent," whether or not it's actually sent a password. This is a security precaution, because it doesn't allow a hacker to come to the site and enter email addresses until he finds one that exists in the database.
---
Rob
DotNetInvoice Support
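
The behaviour described in the response above, as an added example that is not DotNetInvoice's own code: the lookup is parameterized, mail goes out only when a row matches, and the visitor sees the same confirmation either way. Assumptions: an in-memory SQLite table stands in for [dbo].[dni_clients] (so LIMIT 1 replaces top 1), a Python list stands in for the mail system, and the function names are hypothetical.

```python
import sqlite3

# Confirmation text quoted in the support response above.
CONFIRMATION = "Your password has been sent."


def make_db(emails):
    """Build a constructed in-memory stand-in for the dni_clients table."""
    db = sqlite3.connect(":memory:")
    # Assumption: addresses compare case-insensitively.
    db.execute(
        "CREATE TABLE dni_clients ("
        "id INTEGER PRIMARY KEY, email TEXT COLLATE NOCASE)"
    )
    db.executemany(
        "INSERT INTO dni_clients (email) VALUES (?)", [(e,) for e in emails]
    )
    return db


def recover_password(db, email, outbox):
    """Handle one recovery request and return the text shown to the visitor.

    outbox is a list standing in for the mail system (an assumption);
    each appended entry is the recipient of one recovery email.
    """
    # Parameterized lookup: the submitted value is never spliced into the SQL.
    row = db.execute(
        "SELECT id, email FROM dni_clients WHERE email = ? LIMIT 1",
        (email.strip(),),
    ).fetchone()

    if row is not None:
        # Send to the address stored in the database, not the raw input.
        outbox.append(row[1])

    # Identical response on both branches, so the page cannot be used to
    # test which addresses exist in the table.
    return CONFIRMATION


if __name__ == "__main__":
    db = make_db(["alice@example.com"])  # constructed sample data
    sent = []
    for address in ("alice@example.com", "nobody@example.com"):
        print(address, "->", recover_password(db, address, sent))
    print("emails actually sent to:", sent)
```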