The password reset function helps with:

Letting a user reset their password without entering the old password.

Avoiding exposure of passwords in plaintext.

Improving security by using a token-based system instead of resetting the password directly.

This system uses:

A unique token (unique key) for each reset.

Email verification (optional) for extra safety.

An expiration time for the token.

βš™οΈ 2. Database Setup

Tengeneza table ya password_resets:

CREATE TABLE password_resets (
id INT AUTO_INCREMENT PRIMARY KEY,
email VARCHAR(100) NOT NULL,
token VARCHAR(255) NOT NULL,
expires_at DATETIME NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);


💡 Notes:

token is used to verify the reset request.

expires_at prevents the token from being used after a certain time.

🧩 3. Generating Reset Token

<?php
include 'config.php';

if($_SERVER['REQUEST_METHOD'] === 'POST'){
// Null-coalesce so a missing field does not raise an undefined index warning
$email = trim($_POST['email'] ?? '');

// Check if user exists
$stmt = $pdo->prepare("SELECT * FROM users WHERE email=:email");
$stmt->execute(['email'=>$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if($user){
// Generate token: 50 random bytes, hex-encoded to 100 characters
$token = bin2hex(random_bytes(50));
$expires_at = date("Y-m-d H:i:s", strtotime('+1 hour'));

// Insert token into database
$stmt = $pdo->prepare("INSERT INTO password_resets (email, token, expires_at) VALUES (:email, :token, :expires_at)");
$stmt->execute(['email'=>$email, 'token'=>$token, 'expires_at'=>$expires_at]);

// Send email with reset link (pseudo code)
$reset_link = "https://yourdomain.com/reset_password.php?token=$token";
echo "✅ Password reset link: <a href='$reset_link'>$reset_link</a>";
// Use mail() function or PHPMailer to send actual email
} else {
echo "❌ Email not found!";
}
}
?>

<h2>Reset Password</h2>
<form method="POST">
<input type="email" name="email" placeholder="Enter your email" required><br><br>
<button type="submit">Send Reset Link</button>
</form>

🔑 4. Reset Password Page (reset_password.php)

<?php
include 'config.php';

// Token arrives in the query string of the reset link; default to '' if absent
$token = $_GET['token'] ?? '';

// Only accept a token that exists and has not yet expired
$stmt = $pdo->prepare("SELECT * FROM password_resets WHERE token=:token AND expires_at > NOW()");
$stmt->execute(['token'=>$token]);
$reset = $stmt->fetch(PDO::FETCH_ASSOC);

if(!$reset){
die("❌ Invalid or expired token.");
}

if($_SERVER['REQUEST_METHOD'] === 'POST'){
$password = $_POST['password'] ?? '';
$confirm_password = $_POST['confirm_password'] ?? '';

if($password !== $confirm_password){
$error = "❌ Passwords do not match!";
} else {
$hash = password_hash($password, PASSWORD_DEFAULT);

// Update user password (the email comes from the token row, not from user input)
$stmt = $pdo->prepare("UPDATE users SET password=:password WHERE email=:email");
$stmt->execute(['password'=>$hash, 'email'=>$reset['email']]);

// Delete reset token so it cannot be reused
$stmt = $pdo->prepare("DELETE FROM password_resets WHERE email=:email");
$stmt->execute(['email'=>$reset['email']]);

$success = "✅ Password updated successfully! <a href='login.php'>Login</a>";
}
}
?>

<h2>Set New Password</h2>
<?php
if(isset($error)) echo "<p style='color:red;'>$error</p>";
if(isset($success)) echo "<p style='color:green;'>$success</p>";
?>
<form method="POST">
<input type="password" name="password" placeholder="New Password" required><br><br>
<input type="password" name="confirm_password" placeholder="Confirm Password" required><br><br>
<button type="submit">Reset Password</button>
</form>

🧠 5. Security Tips

Token uniqueness – use random_bytes() together with bin2hex() for security.

Token expiration – make sure the token expires after a short time (1 hour recommended).

Password hashing – make sure the new password is hashed.

Email verification – the token should be sent to the owner's email address.

Delete token after use – to prevent reuse of the token.
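As an added example (not the tutorial's own code), the token flow from sections 3 to 5 written as two functions, with only a SHA-256 hash of the token stored so a leaked password_resets row cannot be used to reset a password. It assumes the tutorial's schema with the token column holding the hash, and uses an in-memory SQLite database (constructed here) so it runs offline.

```php
<?php
// Added example: hashed, single-use, expiring reset tokens on the tutorial's
// password_resets table. Assumes the `token` column stores the SHA-256 hash.

function createResetToken(PDO $pdo, string $email): string {
    $token = bin2hex(random_bytes(32));      // raw token, goes to the user only
    $hash  = hash('sha256', $token);         // only the hash is stored
    $expiresAt = (new DateTimeImmutable('+1 hour'))->format('Y-m-d H:i:s');
    // One outstanding reset per email: older tokens are invalidated.
    $pdo->prepare("DELETE FROM password_resets WHERE email = :email")
        ->execute(['email' => $email]);
    $pdo->prepare("INSERT INTO password_resets (email, token, expires_at) VALUES (:email, :token, :exp)")
        ->execute(['email' => $email, 'token' => $hash, 'exp' => $expiresAt]);
    return $token;
}

// Returns the owner's email when the token is valid, otherwise null. The row is
// deleted in the same call, so a token can be consumed exactly once.
function consumeResetToken(PDO $pdo, string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {   // reject malformed input early
        return null;
    }
    $hash = hash('sha256', $token);
    $now  = (new DateTimeImmutable())->format('Y-m-d H:i:s');
    // Expiry is compared in PHP-supplied time so the query is portable (no NOW()).
    $stmt = $pdo->prepare("SELECT id, email FROM password_resets WHERE token = :t AND expires_at > :now");
    $stmt->execute(['t' => $hash, 'now' => $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;                                  // unknown, expired, or already used
    }
    $pdo->prepare("DELETE FROM password_resets WHERE id = :id")->execute(['id' => $row['id']]);
    return $row['email'];
}

// Demo with a constructed in-memory database (same columns as the tutorial).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE password_resets (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL, token TEXT NOT NULL, expires_at TEXT NOT NULL)");
$token = createResetToken($pdo, 'user@example.com');
var_dump(consumeResetToken($pdo, $token));             // string "user@example.com"
var_dump(consumeResetToken($pdo, $token));             // NULL: second use is refused
var_dump(consumeResetToken($pdo, str_repeat('0', 64))); // NULL: unknown token
```

Because the lookup is by hash, the raw token never needs to be in the database, and a row that has expired or been consumed yields the same null result as an unknown token.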

✅ 6. Conclusion

A password reset system is important for user account management.

It ensures a user can change their password without exposing the old password.

Best practices: unique token, expiration, hashing, and email verification.

🔗 Visit:

👉 https://www.faulink.com/

For more tutorials on PHP, password security, and web application development.