Recently I have covered a few topics on user authentication, such as the PHP Login System, registering a new user, and email verification when a new user registers on the site. Here I am going to deal with the “Forgot Password Utility” that most websites have. Some people always forget their passwords, and for them we should have a “forgot password utility” on our website. This is a very useful feature, and I am sure that after reading this article you will be able to add this functionality to your website.

I assume you already have a user authentication system on your website, which is why you are reading this article. If not, read my following articles, which cover the user authentication system.

  1. PHP Login Script with Session
  2. Creating Registration Form with PHP and MySQLi
  3. Email Verification Script using PHP and MySQLi



When a user opens the forgot password page, he is asked to enter his email. The script then looks in the database to see whether that email exists. If it exists, the script generates a token, stores it in the database, and sends an email containing the same token to the user. When the user opens that email and clicks the link inside it, he comes back to our website and is asked for a new password. This is the basic concept behind the script. Let’s see how to do this:



Forgot Password Recovery Form

I have used Bootstrap to build my layout. It’s up to you what you prefer for designing your page. Here is my HTML code for the above layout:

Note: I am very new to Bootstrap, so don’t mind my rough code 😛

Now let’s move to the PHP code. The first and foremost thing is a connection to the database. So here is config.php

Now let’s get back to index.php, which is where our real form is. When the user hits the submit button, we have to process the form data. We look in our database to see whether that email actually exists. If it exists, we simply generate a random string, store it in our recovery_keys table along with the user’s unique ID (fetched from the users table), and then email a link to our page forget.php (discussed below).

When the user hits the submit button.

Now we will process our form data.

I have used $msgclass here to change the notification color according to the message type. I have used some custom-built functions in the above code: checkUser(), UserID(), generateRandomString() and send_mail(). These are as follows:

Function 1: checkUser()

This function checks our database to see whether the given email exists. If it exists, it returns true; if not, false.

Function 2: UserID()

This function returns the user’s unique ID if the given email exists in the database.

Function 3: generateRandomString()

This function generates a random string that can be used as a password recovery token.

Function 4: send_mail()

This is a very important function; it is used to send the email to the user. It uses the PHPMailer class, which is used to send secure emails. I have already covered PHPMailer in an article. You can read it from here.

Email Sample
This is how the email looks.

Function 5: verifytoken()

When the user submits his email to our form, an email is sent to his email account with a link to the password recovery page. When the user lands on this page, we need to validate the token he arrived with. The following function verifies that code.

The above function checks whether the token code and email exist in our database. If they exist, it asks the user to set a new password; otherwise it shows the “Invalid or Broken Token” message.

Reset Password Landing Page
Invalid or Broken Landing Page

After the password has been changed successfully, it’s time to update the recovery_keys table to avoid any bad situation. So here is the code in the forget.php file that updates the recovery_keys table and changes the valid column to 0, so the token can never be used again. That’s all.
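
As an added example (not the article's own code), here is one way the token handling described for generateRandomString(), verifytoken() and the final invalidation step could fit together: the token comes from random_bytes(), only its hash is stored, and a link is accepted once and only within a time limit. The in-memory SQLite database, the token_hash and created columns, the TOKEN_TTL value and the function names issueToken() and redeemToken() are assumptions for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the article's MySQL database;
// the token_hash and created columns and TOKEN_TTL are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE recovery_keys (
    userID INTEGER, token_hash TEXT, valid INTEGER DEFAULT 1, created INTEGER)');
const TOKEN_TTL = 3600; // assumed link lifetime in seconds

// Draw the token from the OS CSPRNG and store only its SHA-256 hash, so a
// leaked recovery_keys table does not hand out working reset links.
function issueToken(PDO $db, int $userID, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars, goes into the email link
    // Retire older links for this user so only the newest one works.
    $db->prepare('UPDATE recovery_keys SET valid = 0 WHERE userID = ?')
       ->execute([$userID]);
    $db->prepare('INSERT INTO recovery_keys (userID, token_hash, created)
                  VALUES (?, ?, ?)')
       ->execute([$userID, hash('sha256', $token), $now]);
    return $token;
}

// Return the userID for a valid, unexpired token and mark it used, else null.
function redeemToken(PDO $db, string $token, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // wrong shape: reject before touching the database
    }
    $hash = hash('sha256', $token);
    // One guarded UPDATE consumes the token, so two racing requests cannot both win.
    $upd = $db->prepare('UPDATE recovery_keys SET valid = 0
                         WHERE token_hash = ? AND valid = 1 AND created >= ?');
    $upd->execute([$hash, $now - TOKEN_TTL]);
    if ($upd->rowCount() !== 1) {
        return null; // unknown, already used, or expired
    }
    $sel = $db->prepare('SELECT userID FROM recovery_keys WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

// Constructed walk-through with a made-up user ID and fixed timestamps.
$token = issueToken($db, 42, 1700000000);
var_dump(redeemToken($db, $token, 1700000100)); // first use, inside the TTL
var_dump(redeemToken($db, $token, 1700000200)); // same token presented again
$late = issueToken($db, 42, 1700000000);
var_dump(redeemToken($db, $late, 1700003601));  // presented after the TTL
```

Because redeemToken() consumes the token, call it when the new password is submitted, not when the link is first opened.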


I have done my best to explain this article. If you find any bug or mistake in the article or code, feel free to inform me through a comment or by email at


  1. I still have not figured out the “There is something wrong.” msg; the tokens are generated but I am still not able to get an email notification.

  2. $query = mysqli_query($db, "INSERT INTO recovery_keys (userID, token) VALUES ($userID, '$token') ");

    should be:

    $query = mysqli_query($db, "INSERT INTO recovery_keys (userID, token) VALUES ('$userID', '$token') ");

  3. Hi Abdullah. I’m also getting the ‘There is something wrong message’ it seems to relate to this line: $send_mail = send_mail($uemail, $token);

    I was wondering if it should be ‘$send_mail = send_mail($$userID, $token);’ as you earlier defined $userID = UserID($uemail);

    I tried this change but it didn’t make any difference – I was still getting the same ‘There is something wrong message’ so I changed back to ‘$send_mail = send_mail($$userID, $token);’

    Also – I was wondering, I am testing this on my local development server using WAMP. Could this be the cause of the issue at all?

    Many thanks,


  4. Thanks for the code! I am getting an error after I hit submit. It sends the token over and puts the correct UserID in the database but errors out with “There is something wrong” message. Can you please give some insight on why this may be happening? I have looked over the Gmail settings and made sure they are correct.
    Thanks for your help!

  5. You can do that in multiple ways. One of them is to store the link generation time in the database, and then when the user clicks on that link, compare that link with the current time.

  6. What’s up i am kavin, its my first time to commenting anyplace, when i read this article
    i thought i could also create comment due to this good
