Forgot Password Recovery Script using PHP and MySQLi

Forgot Password Recovery using PHP and MySQLi

[button-blue url=”http://demos.eggslab.net/forgot-password-recovery-script/” target=”_blank” position=””]LIVE DEMO[/button-blue][button-green url=”http://demos.eggslab.net/downloads/14″ target=”_blank” position=””]DOWNLOAD[/button-green]

Recently I have cover few topics on user authentication like PHP Login System, Register new user and Email verification when new user register on site. So here I am going to deal with “Forgot Password Utility” that most of websites have. There are some people exist on this world who always forget their password. For those mates we should have “forgot password utility” on our website. This is very useful feature. And I am sure after reading this article you will be able to add this functionality your website.

I am sure you have already user authentication system on your website, that’s why you are reading this article. If not yet, then read my following articles that cover user authentication system.

  1. PHP Login Script with Session
  2. Creating Registration Form with PHP and MySQLi
  3. Email Verification Script using PHP and MySQLi

 

Concept

When user open forgot password page, he will be asked to enter his email. When he enter his email the script will look database if that email exist in database or not. If it exist then script will generate a token and store it to database and send an email with the same token to user. When user open that email and click on link inside that email, he will come back to our website and asked for new password. This is just a little concept behind this script. Let’s see how to do this:

Database

CREATE TABLE `recovery_keys` (

  `rid` int(11) NOT NULL AUTO_INCREMENT,

  `userID` int(11) NOT NULL,

  `token` varchar(50) NOT NULL,

  `valid` tinyint(4) NOT NULL DEFAULT '1',

  PRIMARY KEY (`rid`)

);

Form

Forgot Password Recovery Form
Forgot Password Recovery Form

I have used bootstrap to build my layout. It’s up to you what you prefer while designing your page. Here is my HTML code for the above layout:

<div class="container">

<div class="row">

<div class="col-lg-4">

<form class="form-horizontal" role="form" method="post">

<h2>Forgot Password</h2>

<p>

Forgot your password? No problem, we will fix it. Just type your email below and we will send you password recovery instruction to your email. Follow easy steps to get back to your account.

</p>

<div class="row">

<div class="col-lg-12">

<label class="control-label">Your Email</label>

</div>

</div>



<div class="row">

<div class="col-lg-12">

<input class="form-control" name="uemail" type="email" placeholder="Enter your email here..." required>

</div>

</div>



<div class="row">

<div class="col-lg-12">

<button class="btn btn-success btn-block" name="submit" style="margin-top:8px;">Submit</button>

</div>

</div>

</form>

</div>



</div>

</div>

Note: I am very new to bootstrap, so don’t mind my rough code 😛

 Now let’s move to PHP code. The first and foremost thing is a connection to database. So here is config.php

define('DB_SERVER', 'localhost');

define('DB_USERNAME', 'root');

define('DB_PASSWORD', '');

define('DB_DATABASE', 'database');

$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);

Now get back to our index.php, that is where our real form is. Now we will see when user hit submit button we have to process form data. We will look to our database if that email actually exist in database or not. If it exist then we will simple generate a random string and store this string to our recover_keys table along with user unique ID (we will fetch from user’s table) and then email a link to our page forget.php (discussed below).

When user hit submit button.

if(isset($_POST['submit']))

{

                // Code goes here…

}

Now we will process our form data.

$uemail = $_POST['uemail'];

$uemail = mysqli_real_escape_string($db, $uemai);



if(checkUser($uemail) == "true")

{

$userID = UserID($uemail);

$token = generateRandomString();



$query = mysqli_query($db, "INSERT INTO recovery_keys (userID, token) VALUES ($userID, '$token') ");

if($query)

{

$send_mail = send_mail($uemail, $token);



if($send_mail === 'success')

{

$msg = 'A mail with recovery instruction has sent to your email.';

$msgclass = 'bg-success';

}else{

$msg = 'There is something wrong.';

$msgclass = 'bg-danger';

}

}else

{

$msg = 'There is something wrong.';

$msgclass = 'bg-danger';

}



}else

{

$msg = "This email doesn't exist in our database.";

$msgclass = 'bg-danger';

}

I have used $msgclass here to change the notification color as per message type. I have used some custom-build functions in above code like checkUser(), userID(), generateRandomString() and mail_send(). These are as follow:

Function 1: checkUser()

This function check our database if the given email is existing in database or not. If it exist, it will return true and if not then false.

function checkUser($email)

{
          global $db;
          $query = mysqli_query($db, "SELECT uid FROM users WHERE email = '$email'");
          if(mysqli_num_rows($query) > 0)
          {
              return 'true';
          }else
          {
              return 'false';
          }
}

Function 2: UserID()

This function will return user unique ID if given email exist in database.

function UserID($email)

{

             global $db;

            $query = mysqli_query($db, "SELECT uid FROM users WHERE email = '$email'");

             $row = mysqli_fetch_assoc($query);

              return $row['uid'];

}

Function 2: generateRandomString()

This function generate a random string that can be used as a password recovery token.

function generateRandomString($length = 20) {

                // This function has taken from stackoverflow.com



                $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

                 $charactersLength = strlen($characters);

                $randomString = '';

                for ($i = 0; $i < $length; $i++)

{

                                $randomString .= $characters[rand(0, $charactersLength - 1)];

                }

    return md5($randomString);

}

Function 4: send_mail()

This function is very important function, it is use to send email to user. It’s a PHPMailer class that use to send secure emails. I already have covered an article on PHPMailer. You can read it from here.

function send_mail($to, $token)

{

                require 'PHPMailer/PHPMailerAutoload.php';



                $mail = new PHPMailer;



                $mail->isSMTP();

                $mail->Host = 'smtp.gmail.com';

                $mail->SMTPAuth = true;

                $mail->Username = 'your_gmail@gmail.com';

                $mail->Password = 'your_gmail_password_';

                $mail->SMTPSecure = 'ssl';

                $mail->Port = 465;



                $mail->From = 'your_gmail@gmail.com;

                $mail->FromName = 'Sender’s Name';

                $mail->addAddress($to);



                $mail->isHTML(true);



                $mail->Subject = 'Demo: Password Recovery Instruction';

                $link = 'http://demos.eggslab.net/forgot-password-recovery-script/forget.php?email='.$to.'&token='.$token;

                $mail->Body    = "<b>Hello</b><br><br>You have requested for your password recovery. <a href='$link' target='_blank'>Click here</a> to reset your password. If you are unable to click the link then copy the below link and paste in your browser to reset your password.<br><i>". $link."</i>";



                $mail->AltBody = 'This is the body in plain text for non-HTML mail clients';



                if(!$mail->send()) {

                                return 'fail';

                } else {

                                return 'success';

                }

}

Email Sample
This is how email look like.

Function 5: verifytoken()

When user submit his email to our form. An email will be send to his email account with a link to password recovery page. When user land on this page we need to validate that token with which user land on recovery page. So for this purpose following function will help us to verify that code.

function verifytoken($userID, $token)

{             

        global $db;

        $query = mysqli_query($db, "SELECT valid FROM recovery_keys WHERE userID = $userID AND token = '$token'");

        $row = mysqli_fetch_assoc($query);     

        if(mysqli_num_rows($query) > 0)
        {

            if($row['valid'] == 1)
            {
              return 1;
            }else
            {
              return 0;
            }
        }else
        {
             return 0;
        }
}

The above function will check whether token code and email exist in our database or not. If it exist then it will ask user to set new password otherwise it will prompt that your “Invalid or Broken Token”.

Reset Password Landing Page
Reset Password Landing Page
Invalid or Broken Landing Page
Invalid or Broken Landing Page

After your password change successfully, its time to change recovery_key table to avoid any bad situation. So here is the code in forget.php file that will update recovery_key table and change valid column to 0 and it will never be use again. That’s all.

[button-blue url=”http://demos.eggslab.net/forgot-password-recovery-script/” target=”_blank” position=””]LIVE DEMO[/button-blue][button-green url=”http://demos.eggslab.net/downloads/14″ target=”_blank” position=””]DOWNLOAD[/button-green]

I have done my best to explain this article. If you find any bug or mistake in article or code you can feel free to inform though comment or by email at abdullah@eggslab.net.


31 responses to “Forgot Password Recovery Script using PHP and MySQLi”

  1. dakshbhatt Avatar

    Hi Abdullah, why you use PHP mailer instead of PHP mail() function? Which is more better to use in websites.

    Thanks.

  2. Abdullah Majid Avatar

    Because PHPMailer is more secure than mail() function. I have written an article on PHP Mailer you can check it on website.

  3. dakshbhatt Avatar

    sure I will check it out, thank for the quick reply!

  4. Nayem Avatar

    Abdullah bro where are you from?
    I need your help please replay me…

  5. CHONG CHEE YUEN Avatar
    CHONG CHEE YUEN

    Sorry,why i get ‘There is something wrong.’ after i submit my email.

  6. Abdullah Majid Avatar

    Check your database connection and other database queries 🙂

  7. Abdullah Majid Avatar

    Hi Nayem. I am from Pakistan but living in Dubai. Let me know how can I help you. You can write me an email at abdullah@eggslab.net

  8. Karibusanavincenzo Avatar

    Hi thanks for your script, how can i make it SQL injection free? Many thanks

  9. Hax Avatar
    Hax

    Download not work

  10. Abdullah Majid Avatar

    Sorry, can you please try again?

  11. dre Avatar
    dre

    All your download links doesnt work..kindly fix them

  12. Peter Avatar
    Peter

    @dre: Right click -> Open in new Window 🙂

  13. bantayehu Avatar
    bantayehu

    all dounload link are doesnt work please check it

  14. Abdullah Majid Avatar

    Working fine 🙂

  15. kandie Avatar

    hello,gives me There is something wrong. error

  16. kandie Avatar

    hello,gives me “There is something wrong”. error when i enter the correct email address.how can i correct that?

  17. Carlos Avatar

    I still not figure out the There is something wrong. msg the token are generated but still not able to get an email notification.

  18. Andrés Avatar
    Andrés

    $query = mysqli_query($db, “INSERT INTO recovery_keys (userID, token) VALUES ($userID, ‘$token’) “);

    should be:

    $query = mysqli_query($db, “INSERT INTO recovery_keys (userID, token) VALUES (‘$userID’, ‘$token’) “);

  19. Adam Younis Avatar
    Adam Younis

    Hi Abdullah. I’m also getting the ‘There is something wrong message’ it seems to relate to this line: $send_mail = send_mail($uemail, $token);

    I was wondering if it should be ‘$send_mail = send_mail($$userID, $token);’ as you earlier defined $userID = UserID($uemail);

    I tried this change but it didn’t make any difference – I was still getting the same ‘There is something wrong message’ so I changed back to ‘$send_mail = send_mail($$userID, $token);’

    Also – I was wondering, I am testing this on my local development server using WAMP. Could this be the cause of the issue at all?

    Many thanks,

    Adam

  20. Adam Younis Avatar
    Adam Younis

    Sorry – I meant to use just 1 ‘$’ in ‘$send_mail = send_mail($userID, $token);’

  21. Adam Younis Avatar
    Adam Younis

    Should there be a form action for the form above? Is that why it is perhaps not working??

  22. Christopher Reyna Avatar
    Christopher Reyna

    Thanks for the code! I am getting an error after I hit submit. It sends the token over and puts the correct UserID in the database but errors out with “There is something wrong” message. Can you please give some insight on why this may be happening? i have looked over the gmail settings and made sure they are correct.
    Thanks for your help!

  23. suhail Avatar

    getting There is something wrong.error

  24. harshj21793 Avatar

    is there any one have solution about ‘There is something wrong message’ ?

  25. Hesham Arebi Avatar

    hello,gives me “There is something wrong”. error when i enter the correct email address.how can i correct that?

  26. Hesham Arebi Avatar

    is there any one have solution about ‘There is something wrong message’ ?

  27. test87 Avatar

    I want to make the link expire.

  28. Abdullah Majid Avatar

    You can do that by multiple ways. One of them is to store link generation time in database, and then when user click on that link compare that link with current time.

  29. Facebook PVA Avatar
    Facebook PVA

    What’s up i am kavin, its my first time to commenting anyplace, when i read this article
    i thought i could also create comment due to this good
    post.

Leave a Reply

Your email address will not be published. Required fields are marked *