How to get actual password through forgot password mail in php?

Question

My code is working fine but the actual problem is that the password retrieved from MySQL database after clicking submit button is same as stored in database in MD5 format like e10adc3949ba59abbe56e057f20f883e and well delivered to user's inbox. But is it useless because of hash format.

Here is my working code; can I decrypt it before sending it back to users? I store password in MD5 format in MySQL database. I got email like "Your password : e10adc3949ba59abbe56e057f20f883e"

Html Code :

 <body>
 <h1>Forgot Password<h1>
 <form action='#' method='post'>
 <table cellspacing='5' align='center'>
 <tr><td>Email id:</td><td><input type='text' name='email'/></td></tr>
 <tr><td></td><td><input type='submit' name='submit' value='Submit'/></td></tr>
 </table>
 </form>

Php code :

 <?php
 if(isset($_POST['submit']))
 { 
  $servername = "localhost";
  $username = "username";
  $password = "password";
  $dbname = "testdb";

  // Create connection
  $conn = mysqli_connect($servername, $username, $password, $dbname);
 // Check connection
 if (!$conn) 
 {
  die("Connection failed: " . mysqli_connect_error());
 }

 $email=$_POST['email'];

 $sql = "select * from users where email='".$email."' ";
 $q = mysqli_query($conn, $sql);

 $p=mysqli_affected_rows();
 if($p!=0) 
 {
  $res=mysqli_fetch_array($q);
  $to=$res['email'];
  $subject='Remind password';
  $message='Your password : '.$res['password']; 
  $headers='From:Admin120@xxx.com';
  $m=mail($to,$subject,$message,$headers);
  if($m)
 {
   echo'Check your inbox in email';
 }
 else
 {
  echo'email is not send';
 }
}
 else
 {
   echo'You entered email id is not present';
 }
 }
 ?>
 </body>

Instead of sending the old password send a password reset link to set a new password — Mayank Pandeyz, Aug 30 '16 at 06:39
Don't remind user his old password. Just generate a new one time password for the user and give him link to reset his password using that one time password. — Sidharth Gusain, Aug 30 '16 at 06:40
`md5` isn't secure, use `password_hash` and `password_verify`. — tkausl, Aug 30 '16 at 06:41
Your email SQL query is wide open to SQL injection attacks. Please switch to PDO with prepared statements and bound parameters. Read through http://www.phptherightway.com/ for best practices. — jedifans, Aug 30 '16 at 06:43
Here are some [notes on a password change process](http://stackoverflow.com/a/6585668/472495). — halfer, Aug 30 '16 at 10:08
Just google your hash (`e10adc3949ba59abbe56e057f20f883e`) if you wanna know why md5 is considered insecure... Use a better hash function with a salt. — hurb, Nov 03 '16 at 09:35

score 2 · Accepted Answer · edited Jun 12 '22 at 13:06

2

You can not decrypt a hashed password. The process you can follow is:

Send an email to the user with a link
Open that link with a new form after checking if the customer is using the verfiied using email id and token.
Give 2 textboxes to update his password/ set a new password.

Hope this helps!

edited Jun 12 '22 at 13:06

Your Common Sense

156,878
40
214
345

answered Aug 30 '16 at 06:42

Harwinder Singh

42
1
6

Yes sounds good i think i want to google something because of less duration i want to implement it as soon as possible. any way, can you tell me any link or some information that how to implement it ? – John120 Aug 30 '16 at 06:48
1

Try this: http://www.phpgang.com/how-to-create-forget-password-form-in-php_381.html – Harwinder Singh Aug 30 '16 at 06:57
1

Thanks @Harwinder Singh I just solve my forgot password problem from watching some youtube videos, study some tutorials and obiviously your suggested link. – John120 Aug 30 '16 at 12:39

How to get actual password through forgot password mail in php?

1 Answers1