Recover forgot password using PHP and MySQL

In this article, you will learn how to recover forgot password using PHP and MySQL (MySQLi improved version).

There are more and more organizations that providing online internet services. This requires users to create many accounts on many different platforms to get online services. It is also not recommended for them to use the same password and it becomes a burden for them to remember password for different accounts. So, it is mandatory to provide forgot password option in login system. It helps the user to easily recover the password they have forgotten.

For this, we have created a forgot password form in HTML. This file contains three fields for username, new password and confirm new password and a Submit button. When user submits the form, this form will be redirected to handler.php page.

Suppose, we have a 'users' TABLE in Database with one user record as follows. You can use your database if you have OR you can copy paste this code for practice purpose.

CREATE TABLE IF NOT EXISTS `users` (
  `userid` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(100) NOT NULL,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`userid`)
)
INSERT INTO `users` (`userid`, `name`, `username`, `password`) VALUES
(1, 'John', 'msjohn', 'ed9e5563452feebf93b94f8b00f74280');

Here is the main PHP file 'index.php' that we will call on the browser. At the top of this page, we have started the session to show the successful password set message.

1. index.php

This HTML code shows the forgot password form -

<?php 
session_start();
if($_SESSION['msg']) {
echo $_SESSION['msg'].'<br/>';
}
?>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
<div class="wrapper" style="width: 35%; margin: 0 auto;">
<form class="form-signin" action='handler.php' method="post">       
<h2 class="form-signin-heading">Forgot Password</h2><br/>
<input type="text" class="form-control" name="username" placeholder="Email Your Username" required="" autofocus="" />
<br/>
<input type="password" class="form-control" name="newpassword" placeholder="New Password" required=""/><br/>
<input type="password" class="form-control" name="confirmpassword" placeholder="Confirm New Password" required=""/>
<br/>
<button class="btn btn-small btn-primary btn-block" type="submit">Submit</button>   
<input type="hidden" name="object" value="forgot"/>
</form>
</div>

Once this forgot password form is submitted, the entered data is sent in post to 'handler.php' file.

On handler.php file, we have written code to first match the entered new password and confirm password. If both will be same, the script will encrypt the entered password using 'sodium_crypto_pwhash_str()' hashing method and update the database. This method generates an ASCII encoded hash for password storage.

If you think to use md5() and crypt() functions for password encryption. Please don't use them, both are deprecated in latest PHP versions and also they are not much more secure. PHP7 Sodium Cryptography Library is a modern hash function that considered more secure. To know more about this, please visit -
PHP7 Password Hashing

2. handler.php

<?php 
$req = $_POST; 
$username = $req['username'];
$conn = mysqli_connect('hostname', 'username', 'password', 'database');
session_start();
if($req['object'] == 'forgot'){ 
if($req['newpassword'] == $req['confirmpassword']) {
		$hash = sodium_crypto_pwhash_str(
			$password,
			SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
			SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
		); 
        $update = "UPDATE `users` SET 'password' = '$hash' WHERE username = '$username' ";
        $result = mysqli_query($conn, $update);
        $_SESSION['msg'] = 'Your new password has reset successfully, you can now login.';
        header("Location: index.php");
    } else {
        $_SESSION['msg'] = 'Password does not match';
        header("Location: index.php");
    }
}
?>

The above code gets the user details from the database, update the encrypted password and sets value in 'msg' session variable. Please make sure to replace 'hostname', 'username', 'password' and 'database' with your database credentials.

Related Articles