--- old/lostpassword.php	2012-04-15 23:28:23.916568200 +0200
+++ new/lostpassword.php	2012-04-16 00:08:26.318389400 +0200
@@ -42,37 +42,27 @@
 includeLang('lostpassword');
 
 $username = NULL;
-if (!empty($_POST)) {
-    if(isset($_POST['pseudo']) && !empty($_POST['pseudo'])) {
+if (!empty($_POST))
+{
+    if(isset($_POST['pseudo']) AND !empty($_POST['pseudo']) AND isset($_POST['email']) AND !empty($_POST['email']))
+	{
         $username = mysql_real_escape_string($_POST['pseudo']);
+		$email = mysql_real_escape_string($_POST['email']);
+		
         $sql =<<<EOF
 SELECT users.email, users.username
   FROM {{table}} AS users
-  WHERE users.username="{$username}"
+  WHERE users.username="{$username}" AND users.email="{$email}"
   LIMIT 1
 EOF;
-        if (!($result = doquery($sql, 'users', true))) {
-            message("Cet utilisateur n'existe pas", 'Erreur', 'lostpassword.php');
-            die();
-        }
-        list($mailData['recipient'], $username) = $result;
-    } else if(isset($_POST['email']) && !empty($_POST['email'])) {
-        $email = mysql_real_escape_string($_POST['email']);
-        $sql =<<<EOF
-SELECT users.email, users.username
-  FROM {{table}} AS users
-  WHERE users.email="{$email}"
-  LIMIT 1
-EOF;
-        if (!($result = doquery($sql, 'users', true))) {
-            message("Cet email n'est utilisé par aucun joueur", 'Erreur', 'lostpassword.php');
-            die();
-        }
-        list($mailData['recipient'], $username) = $result;
-    } else {
-        message('Veuillez entrer votre login ou votre email.', 'Erreur', 'lostpassword.php');
-        die();
-    }
+		$result = doquery($sql, 'users', true);
+		
+		if (empty($result))
+            message("Le pseudonyme et l'adresse e-mail ne sont associé à votre compte", 'Erreur', 'lostpassword.php');
+		else	
+			list($mailData['recipient'], $username) = $result;
+    } else
+        message('Veuillez entrer votre login et votre email.', 'Erreur', 'lostpassword.php');
 
     if (!is_null($mailData['recipient'])) {
         $characters = 'abcdefghijklmnopqrstuvwxyz0123456789';
@@ -100,13 +90,12 @@
 
         $sql =<<<EOF
 UPDATE {{table}} AS users
-  SET users.password="{$randomPass}"
+  SET users.password=MD5("{$randomPass}")
   WHERE users.username="$username"
 EOF;
 
         doquery($sql, 'users');
         message('Mot de passe envoyé ! Veuillez regarder votre boite e-mail ou dans vos spam.', 'Nouveau mot de passe', 'index.php');
-        die();
     }
 }