Recover forgot password using PHP and MySQL

In this article, you will learn how to recover the forgot password using PHP and MySQL (MySQLi improved version).

There are more and more organisations that provide online internet services. This requires users to create many accounts on many different platforms to get online services. It is also not recommended for them to use the same password, and it becomes a burden for them to remember different passwords for different accounts. So, it is mandatory to provide a forgot password option in the login system. It helps the user easily recover the password they have forgotten.

For this, we have created a forgotten password form in HTML. This file contains three fields for username, new password, and confirm new password, and a Submit button. When the user submits the form, the form will be redirected to the handler.php page.

Suppose we have a 'users' table in the database with one user record as follows. You can use your database if you have one, or you can copy and paste this code for practise purposes.

  `userid` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(100) NOT NULL,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`userid`)
INSERT INTO `users` (`userid`, `name`, `username`, `password`) VALUES
(1, 'John', 'msjohn', 'ed9e5563452feebf93b94f8b00f74280');

Here is the main PHP file, 'index.php' that we will call on the browser. At the top of this page, we have started the session to show the successful password set message.

1. index.php

This HTML code shows the forgot password form.

if($_SESSION['msg']) {
echo $_SESSION['msg'].'<br/>';
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
<div class="wrapper" style="width: 35%; margin: 0 auto;">
<form class="form-signin" action='handler.php' method="post">       
<h2 class="form-signin-heading">Forgot Password</h2><br/>
<input type="text" class="form-control" name="username" placeholder="Email Your Username" required="" autofocus="" />
<br/> <input type="password" class="form-control" name="newpassword" placeholder="New Password" required=""/><br/> <input type="password" class="form-control" name="confirmpassword" placeholder="Confirm New Password" required=""/>
<br/> <button class="btn btn-small btn-primary btn-block" type="submit">Submit</button> <input type="hidden" name="object" value="forgot"/> </form> </div>

Once this forgotten password form is submitted, the entered data is sent in post to the 'handler.php' file.

In the handler.php file, we have written code to first match the newly entered new password and the confirm password. If both are the same, the script will encrypt the entered password using the 'sodium_crypto_pwhash_str()' hashing method and update the database. This method generates an ASCII encoded hash for password storage.

If you intend to use the md5() and crypt() functions to encrypt passwords, please don't use them. They are both deprecated in the latest PHP versions, and they are also not much more secure. The PHP7 Sodium Cryptography Library is a modern hash function that is considered more secure. To know more about this, please visit-
PHP7 Password Hashing

2. handler.php

$req = $_POST; 
$username = $req['username'];
$conn = mysqli_connect('hostname', 'username', 'password', 'database');
if($req['object'] == 'forgot'){ 
if($req['newpassword'] == $req['confirmpassword']) {
		$hash = sodium_crypto_pwhash_str(
        $update = "UPDATE `users` SET 'password' = '$hash' WHERE username = '$username' ";
        $result = mysqli_query($conn, $update);
        $_SESSION['msg'] = 'Your new password has reset successfully, you can now login.';
        header("Location: index.php");
    } else {
        $_SESSION['msg'] = 'Password does not match';
        header("Location: index.php");

The above code gets the user details from the database, updates the encrypted password, and sets the value in 'msg' session variable. Please make sure to replace 'hostname', 'username', 'password' and 'database' with your database credentials.

Related Articles

PHP get IP address of visitor
Preventing Cross Site Request Forgeries(CSRF) in PHP
PHP code to send email using SMTP
PHP pagination
Simple PHP File Cache
PHP Connection and File Handling on FTP Server
Sending form data to an email using PHP
Print section of page using javascript
Submit a form data without page refresh using PHP, Ajax and Javascript
How to display PDF file in PHP from database
How to read CSV file in PHP and store in MySQL
Create And Download Word Document in PHP
PHP SplFileObject Standard Library
Simple File Upload Script in PHP
Complete HTML Form Validation in PHP
How to send emojis in email subject and body using PHP
PHP7.3 New Features, Functions and Deprecated Functions

Read more articles

General Knowledge

Learn Popular Language