PHP Tutorial: Reset Password form.

This is a short tutorial on how to create a simple Reset Password form with PHP and MySQL. In this article, I will go over the basics of what is involved, as well as the security principals that need to be taken into consideration.

Database tables.

For the purposes of this guide, I have created two MySQL tables.

Our users table, which stores the user’s name, email address and password.

As you can see, I have taken the liberty of creating a user called “Joseph Sellars” with the email address “test@test.com”. We will assume that this is the email address that John used when he was signing up with our website. Note that the password column is filled with random nonsense that I typed in when creating the user row.

I have also created a table called password_reset_request, which will store information about any “forgot password” requests that have been made.

In the table above, we are storing three key pieces of information:

  1. The ID of the user that this “forgot password” request is for.
  2. The date and time that this request was made. This is important if you want to limit the amount of requests that can be made for a particular user account over a certain period of time.
  3. A cryptographically secure token that will help us to verify the user making the request. Without this token, our “forgot password” form would be extremely easy to hack.

Note that data is only inserted into the password_reset_request table if a valid email address has been found in our users table.

PHP.

Here are some PHP samples that you can use for your Reset Password system. In these examples, I will be using the PDO extension, as it gives us the ability to use prepared statements. I am not going to create the HTML forms as I am assuming that you are experienced enough to handle that part by yourself.

An example of handling a “forgot password” request using the PDO object in PHP:

A drilldown of the code sample above:

  1. We connect to our MySQL database using the PDO extension.
  2. We retrieve the email address that was entered into our “Forgot Password” address. For the purposes of this example, I am assuming that it can be found in a POST variable called “email”.
  3. We check to see if the email address can be found in our users table. If it is not found, we print out a simple message and kill the script. Obviously, you will probably want to handle this error in a more user-friendly manner. See: Form validation with PHP.
  4. We generated a random token using PHP’s openssl_random_pseudo_bytes function.
  5. We inserted the user’s ID, the current date and time and our random token into theĀ password_reset_request table.
  6. We constructed a HTTP link using the token, the user’s ID and the primary key of the row that we just inserted. We used PDO:lastInsertId to get the ID of the row that we just inserted.
  7. We printed the link out onto the page.

Obviously, you will want to send this link to the user’s email address. How you wish to send the email or format it’s display is completely up to you.

When the user opens their email and clicks on the link that we sent them, they will be brought to our forgot-pass.php script. It is here that we will validate the request and allow them to change their password or not:

In the code above:

  1. We retrieved the user’s ID, the password request ID and the secure token from the URL. If the user clicks on the link that we sent them, then these variables should be present in the $_GET array.
  2. We queried our MySQL table to make sure that these variables are valid and that they match up with a valid Forgot Password request. If the request is not valid, we simply kill the script.
  3. If the request is valid, we assign their user ID to a session variable called “user_id_reset_pass” before redirecting them to a session-protected page that will allow them to create a new password. On that page, you can have a create password form. Once the user submits their new password, simply update the password field for the user ID found in “user_id_reset_pass” and then ask them to login with their new password.

Hopefully, you found this tutorial to be useful!

Comments

comments