Editing the code for your last script (putting the code and the HTML together), something like this:
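<?php
// Security-question step of the account-recovery flow: checks that a posted
// e-mail address exists, then compares the posted answer with the stored one.
include "session.php";
include "database/db.php";

// NOTE(review): the mysql_* extension was removed in PHP 7.0. The calls are kept
// here because the connection is opened in database/db.php, which is not shown;
// move both files to mysqli or PDO prepared statements together.

$Message = "";
$mode_allowed = array('username','password');

if (isset($_POST['email']) === true && empty($_POST['email']) === false) {
    if (email_exists($_POST['email']) === false) {
        // NOTE(review): a distinct "not found" reply lets a caller learn which
        // addresses are registered; a neutral reply for both cases avoids that.
        echo "Sorry, we can't find this email";
        exit();
    }
}

if (isset($_POST['answer'])) {
    $answer = $_POST['answer'];

    // Only a non-empty string is a usable answer; an array posted as answer[]
    // would otherwise reach mysql_real_escape_string() and be compared as ''.
    if (is_string($answer) && !empty($answer)) {
        // The answer is checked against the address held in the session, not the
        // posted one, so the hidden form field cannot redirect the check.
        // presumably session.php or an earlier step stores it; verify.
        $session_email = (isset($_SESSION['email']) && is_string($_SESSION['email']))
            ? $_SESSION['email']
            : '';

        $sql = false;
        if ($session_email !== '') {
            // NOTE(review): the stored answer is compared as-is, which suggests it
            // is kept in plaintext; consider storing it with password_hash().
            $sql = mysql_query("SELECT `username` FROM `users` WHERE `email` ='".mysql_real_escape_string($session_email)."' AND `answer`='".mysql_real_escape_string($answer)."'");
        }

        // mysql_query() returns false on failure; treat that as a non-match
        // instead of passing false to mysql_num_rows().
        if ($sql !== false && mysql_num_rows($sql) == 1) {
            // NOTE(review): last.php should rely on server-side state (for
            // example a session flag set here), not on the ?success parameter,
            // which any client can add to the URL.
            header('location:last.php?success');
            // Stop here: without exit() the script keeps running and still
            // renders the form after the redirect header has been sent.
            exit();
        } else {
            // NOTE(review): nothing visible here limits repeated guesses; the
            // flow needs an attempt counter or lockout.
            $Message = "Wrong answer";
        }
    } else {
        echo "<script type='text/javascript'>alert('you must answer this question');</script>";
    }
}
?>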
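<?php
// Fetch the security question once for the posted address, then escape every
// value before it is written into the page.
$email = (isset($_POST['email']) && is_string($_POST['email'])) ? $_POST['email'] : '';

$question_text = '';
if ($email !== '') {
    $security_question = mysql_query("SELECT `security_question` FROM `users` WHERE `email`='".mysql_real_escape_string($email)."' ");
    // mysql_query() returns false on failure and mysql_fetch_array() returns
    // false when no row matches; both leave the question empty.
    $array = ($security_question !== false) ? mysql_fetch_array($security_question) : false;
    if ($array !== false) {
        $question_text = $array[0];
    }
}

// The question comes from the database and the address from the request; both
// are untrusted when written into HTML, so encode them for text and attributes.
$question_html = htmlspecialchars($question_text, ENT_QUOTES, 'UTF-8');
$email_html = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
?>
<form action="security.php" method="POST" enctype="multipart/form-data">
<p> Answer this question </p>
<select name="security_question">
<option value="<?php echo $question_html; ?>" selected="selected">
<?php echo $question_html; ?>
</option>
</select> <br>
<input type="text" name="answer"/> <br>
<?php // The original tag had no echo, so the hidden field was always empty and the question disappeared after a wrong answer. ?>
<input type='hidden' name='email' value='<?php echo $email_html; ?>'>
<input type="submit" value="submit">
<?php if (isset($Message) && $Message != '') echo "<br /> " . htmlspecialchars($Message, ENT_QUOTES, 'UTF-8'); ?>
</form>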