using mail to resend users password
mparker1113
12-08-2006, 11:54 AM
Hi,
You know that nifty little option "enter your email address to receive your password".
I don't understand how that can be done without posing a security risk.
Even if I just send them a link -- then what do I do? How can I confirm that it isn't someone who has sniffed out the info from the receiver's email?
legendx
12-08-2006, 01:11 PM
If the user enters the correct email address I'll send the user an email with a link to my site. The link will contain a unique string that I have just set in the user's table row along with the id of that record. Something like the md5 of the current time() + their username or something. When they click on the link check to make sure the unique string matches what is in the table then allow the user to change their password. I never send out their current password mainly because I never store it as normal text in the db anyways. I use some form of encryption.
Hope this helps.
mparker1113
12-08-2006, 04:25 PM
I should probably do that, too.
pcthug
12-08-2006, 04:53 PM
I should probably do that, too.
When inserting the data into your database you could make use of the inbuilt password functions:
$sql = "INSERT INTO users (username, password) VALUES ('$username', PASSWORD('$password'))";
Or make use of one of the various inbuilt, one-way hashing algorithms before storing data:
$password = 'secret';
$md5 = md5($password); // 5ebe2294ecd0e0f08eab7690d2a6ee69
$sha1 = sha1($password); // e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
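Putting legendx's link-with-a-unique-string flow and pcthug's hashing advice together, here is an added example (not code from either poster) of the reset handler as it would be written today. It assumes PHP 7 or later for random_bytes(), password_hash() and hash_equals(), uses an in-memory $users array as a constructed stand-in for the users table, and adds the checks the thread leaves out: the token is stored hashed, expires after an assumed one-hour lifetime, is compared in constant time, and is wiped once used.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0.
// $users stands in for the users table; a real app would use prepared statements.
declare(strict_types=1);

const TOKEN_TTL = 3600; // assumed policy: reset link is valid for one hour

// Constructed sample row; password is stored only as a salted, slow hash.
$users = [
    'alice' => [
        'email'         => 'alice@example.com',
        'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
        'reset_hash'    => null, // hash of the reset token, never the token itself
        'reset_expires' => 0,
    ],
];

// Issue a reset token: 32 random bytes, stored hashed so a leaked table
// does not hand out live reset links.
function issueResetToken(array &$users, string $username): string
{
    $token = bin2hex(random_bytes(32));
    $users[$username]['reset_hash']    = hash('sha256', $token);
    $users[$username]['reset_expires'] = time() + TOKEN_TTL;
    return $token; // goes into the emailed link, e.g. ?user=alice&token=...
}

// Consume the token from the link: bounded lifetime, constant-time compare,
// single use. Returns true only if the password was actually changed.
function consumeResetToken(array &$users, string $username, string $token, string $newPassword): bool
{
    $row = $users[$username] ?? null;
    if ($row === null || $row['reset_hash'] === null || time() > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_hash']    = null; // invalidate: the link cannot be replayed
    $users[$username]['reset_expires'] = 0;
    return true;
}

// Usage: the email carries $token; the link handler calls consumeResetToken().
$token = issueResetToken($users, 'alice');
var_dump(consumeResetToken($users, 'alice', 'wrong-token', 'x'));   // bool(false)
var_dump(consumeResetToken($users, 'alice', $token, 'new-secret')); // bool(true)
var_dump(consumeResetToken($users, 'alice', $token, 'again'));      // bool(false), already used
var_dump(password_verify('new-secret', $users['alice']['password_hash'])); // bool(true)
```

Unlike plain md5()/sha1() or MySQL's PASSWORD(), password_hash() salts each entry and is deliberately slow, which is what blunts the dictionary attack mparker1113 worries about later in the thread.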
mparker1113
12-08-2006, 10:14 PM
my list of username/passwords where they would have to dictionary attack me using many different encryption options.
I will use your advice. thanks !