PHP Password Reset

I have a PHP and database setup, and now I want to know if there is a way to make a PHP page to reset the password and send a security code to their email.

If you have any advice, please let me know.

I can add the code if you ask.

There are a few ways to do this. You mentioned a security code, which to me means MFA. Is that what you want, or do you just want a link to be emailed to the email on file to reset the password?

There is, but there are a few steps to take.

  • When someone wants to reset their password, let them enter their email address in a form. After submission, check if the email exists in the database.
  • When the email address is a known one, you can generate a random token and store it in the user table in the “token” column. Also, if you want the token to expire after e.g. 1 day, you can store the current date + 1 day as well, in the “token_expires_at” column.
  • The next step is to send an email to the email address that you got. Inside the mail you provide a link to another page on your website, and in the link you add the token, e.g.
    https://mysite.com/password-reset/verify-token.php?token=abcdefghijklmnopqrstuvw1234567890
  • Now if the user presses the link inside the email, they will land on verify-token.php, and inside your PHP script you can try to retrieve the token from the $_GET array.
  • When you have a token, you query your user table to find any records WHERE token = 'abcdefghijklmnopqrstuvw1234567890'. If you get one row back from the database, you show the user a reset-password form, and if the passwords entered are equal and valid (e.g. minimum 6 characters and one special character), you store the new password in the database and give your user a message that the password has been updated.

Important thing:

The reset-password form and the submit action of the reset-password form should only be executed or shown when you have a valid token and a valid user. The best thing, in my opinion, is to keep the token in the URL until the password has been updated AND to verify that token on every request.

1 Like
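The steps in the answer above, as an added PHP example that is not code from the thread. The function names, the in-memory SQLite table and the sample user are constructed for the demo; the "token" and "token_expires_at" columns follow the post. Two choices belong to this example rather than the answer: only a SHA-256 hash of the token is stored, and the token is cleared once the password has been changed. Sending the e-mail is left to the caller.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table stands in for the real user table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
            password TEXT, token TEXT, token_expires_at INTEGER)');
$pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)')
    ->execute(['alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Steps 1-3: issue a token for a known address. Returns the raw token to put
// in the e-mailed link, or null when the address is not in the table.
function requestReset(PDO $pdo, string $email): ?string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $stmt = $pdo->prepare('UPDATE users SET token = ?, token_expires_at = ? WHERE email = ?');
    $stmt->execute([hash('sha256', $token), time() + 86400, $email]); // expires in 1 day
    return $stmt->rowCount() === 1 ? $token : null;
}

// Steps 4-5: resolve the value of $_GET['token'] to a user id; null if unknown or expired.
function findUserByToken(PDO $pdo, string $token): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE token = ? AND token_expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Form submit: verify the token again on this request, validate the new
// password (equal, 6+ characters, one special character), then store it.
function resetPassword(PDO $pdo, string $token, string $new, string $repeat): bool
{
    $id = findUserByToken($pdo, $token);
    $valid = $new === $repeat && strlen($new) >= 6 && preg_match('/[^A-Za-z0-9]/', $new) === 1;
    if ($id === null || !$valid) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET password = ?, token = NULL, token_expires_at = NULL WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $id]);
    return true;
}

var_dump(requestReset($pdo, 'nobody@example.test'));             // unknown address
$token = requestReset($pdo, 'alice@example.test') ?? '';
var_dump(resetPassword($pdo, $token, 'n3w-pass!', 'n3w-pass!')); // valid token
var_dump(resetPassword($pdo, $token, 'again-1!', 'again-1!'));   // same token after a reset
```

Run it with the PHP CLI; it needs the pdo_sqlite extension.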

I am sending you a copy of my files by Dropbox; maybe you could look over the code and tell me where I would enter that.

I have a system in place, but it says it sent the email and it is never received; there are no errors.

Start with a new form where you can only enter an email address, and after submission try to write some code that checks if the given email address exists in your user database table.
