gommb

Reputation: 1117

PHP - reset password program

I am making a PHP program for users to reset their password if they forget it, and I am wondering how I should send the user the URL to their email to click. I thought about encrypting their user id and decrypting it to know which user to update the password for, but I am wondering if there is a better way.

For example: if the user id is 25, I would encrypt 25 to something like f63bfjf7eh3, then send the user an email containing a URL such as http://example-domain.com/resetpass.php?code=f63bfjf7eh3, then decrypt that code when they click on the link and update the password for that user id.

Sorry if this doesn't make sense; I am not very good at explaining.

Upvotes: 2

Views: 640

Answers (2)

Marmik Bhatt

Reputation: 607

If in PHP, you need to make a table, for example tbl_reset_pass, with fields id (unique, int(2), primary key and auto incremental), user_id (int(2), foreign key related with user table) and token (varchar).

When the user asks for a password reset, verify that request by email etc. After that you should generate a token, which is an encoded string that will be sent with the link; sending the user id encoded is not safe.

So the link should be the same...

But in resetpass.php you need to get the code like:

$code = (!empty($_GET['code'])) ? base64_decode($_GET['code']) : '';

Then you can use an SQL query like...

SELECT * FROM tbl_reset_pass WHERE token = '$code'; 

to find which user the password reset is to be done for.

If the number of rows returned by the above query is exactly 1, then you can redirect your user to the change password page.

Don't forget to use the MySQL escape facility on $code before using it in the SQL query, as it can contain SQL injection.

When the user changes to the new password, delete the record from tbl_reset_pass.

Upvotes: 1

Xeridea

Reputation: 1136

Make a unique hash using a good algorithm, such as SHA256. It needs to be unique and unpredictable. You can use things like microtime(true) or the existing password hash (it is hashed, right?). It is also good to have password reset

Upvotes: 0
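
The reset flow discussed in the two answers, as an added example that is not code from either answer: the mailed code comes from random_bytes(), only its SHA-256 hash is kept in tbl_reset_pass, lookups use prepared statements, and the row is deleted when the code is used. The expires_at column, the in-memory SQLite database and the function names are assumptions made so the sketch runs on its own.

```php
<?php
// Added example. Table and column names follow the first answer; expires_at,
// the SQLite in-memory database and both function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_reset_pass (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL,
    token TEXT NOT NULL UNIQUE,
    expires_at INTEGER NOT NULL)');

// Create a reset code for a user and return the value to put in the link.
function createResetCode(PDO $db, int $userId, int $ttl = 3600): string
{
    $code = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $db->prepare('DELETE FROM tbl_reset_pass WHERE user_id = ?')
       ->execute([$userId]);                      // keep one live code per user
    $db->prepare('INSERT INTO tbl_reset_pass (user_id, token, expires_at)
                  VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $code), time() + $ttl]);
    return $code;                                 // the table holds only the hash
}

// Resolve the value of $_GET['code'] to a user id, or null if it is invalid.
// Call this when the new password is submitted: the row is deleted here.
function redeemResetCode(PDO $db, string $code): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $code)) {
        return null;                              // wrong shape, never reaches SQL
    }
    $stmt = $db->prepare('SELECT id, user_id FROM tbl_reset_pass
                          WHERE token = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $code), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                              // unknown or expired code
    }
    $del = $db->prepare('DELETE FROM tbl_reset_pass WHERE id = ?');
    $del->execute([$row['id']]);
    // If a concurrent request already consumed the row, refuse this one.
    return $del->rowCount() === 1 ? (int) $row['user_id'] : null;
}

$code = createResetCode($db, 25);                 // user id 25, as in the question
echo 'http://example-domain.com/resetpass.php?code=' . $code, PHP_EOL;
var_dump(redeemResetCode($db, $code));            // first use of the code
var_dump(redeemResetCode($db, $code));            // same code presented again
var_dump(redeemResetCode($db, 'f63bfjf7eh3'));    // value not in the expected format
```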
