Recover forgot password using PHP and MySQL

In this article, you will learn how to recover forgot password using PHP and MySQL (MySQLi improved version).

For this, we have created a forgot password form in HTML. This file contains three fields for username, new password and confirm new password and a Submit button. When user submits the form, this form will be redirected to handler.php page.

Suppose, we have a 'users' TABLE in Database as follows. You can use your database if you have OR you can copy paste this code for practice purpose.

CREATE TABLE IF NOT EXISTS `users` (
  `userid` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(100) NOT NULL,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`userid`)
)
INSERT INTO `users` (`userid`, `name`, `username`, `password`) VALUES
(1, 'John', 'msjohn', 'ed9e5563452feebf93b94f8b00f74280');

Create the main PHP file 'index.php' that we will call on the browser. At the top of this page, we have started the session to show the successful password set message.

1. index.php

<?php 
session_start();
if($_SESSION['msg']) {
echo $_SESSION['msg'].'<br/>';
}
?>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
<div class="wrapper" style="width: 35%; margin: 0 auto;">
<form class="form-signin" action='handler.php' method="post">       
<h2 class="form-signin-heading">Forgot Password</h2><br/>
<input type="text" class="form-control" name="username" placeholder="Email Your Username" required="" autofocus="" />
<br/>
<input type="password" class="form-control" name="newpassword" placeholder="New Password" required=""/><br/>
<input type="password" class="form-control" name="confirmpassword" placeholder="Confirm New Password" required=""/>
<br/>
<button class="btn btn-small btn-primary btn-block" type="submit">Submit</button>   
<input type="hidden" name="object" value="forgot"/>
</form>
</div>

Once this forgot password form is submitted, the entered data is sent in post to 'handler.php'.

On handler.php page, we have written code to first match the entered new password and confirm password. If both will be same, the script will encrypt the entered password using 'sodium_crypto_pwhash_str()' hashing method, it generates an ASCII encoded hash for password storage, and update the database.

If you think to use md5() and crypt() functions for password encryption. Please don't use them, both are deprecated in latest PHP versions and also they are not much more secure. PHP7 Sodium Cryptography Library is a modern hash function that considered more secure. To know more about this, please visit -
PHP7 Password Hashing

2. handler.php

<?php 
$req = $_POST; 
$username = $req['username'];
$conn = mysqli_connect('hostname', 'username', 'password', 'database');
session_start();
if($req['object'] == 'forgot'){ 
if($req['newpassword'] == $req['confirmpassword']) {
		$hash = sodium_crypto_pwhash_str(
			$password,
			SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
			SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
		); 
        $update = "UPDATE `users` SET 'password' = '$hash' WHERE username = '$username' ";
        $result = mysqli_query($conn, $update);
        $_SESSION['msg'] = 'Your new password has reset successfully, you can now login.';
        header("Location: index.php");
    } else {
        $_SESSION['msg'] = 'Password does not match';
        header("Location: index.php");
    }
}
?>

The above code gets the user details from the database, update the encrypted password and sets value in 'msg' session variable. Please make sure to replace 'hostname', 'username', 'password' and 'database' with your database credentials.

Related Articles