I am new to PHP and so far created a login, register and a forgot password where currently the user is sent their password from the MySQL table. I have now encrypted the password using sha1. I am currently writing code so:
When the user clicks on forget password link they enter username and email address (validated).
I am currently finding it difficult to then send them a url link in the sent email to direct them to a page to reset.
Any help would be much appreciated (code snippets, tutorials, links to methods etc.)
Ta
You shouldn't even store (unsalted) hashes of your users' passwords: you should first generate a random string (the "salt"), concatenate it with their password, hash the result (using SHA1, or whichever algorithm you prefer) and store both the hash and the salt in your database. This defeats precomputed dictionary ("rainbow table") attacks should an attacker ever gain access to the hashes in your database.
Having done that, you shouldn't store the temporary token for password resets in your database either: should an attacker gain access to your users table, they merely need to complete your "I've forgotten my password" form and read the token from the database in order to then reset that user's password without ever seeing the generated email. As such, the token is known as a "password equivalent" and should be protected in exactly the same way as a password itself: salted and hashed.
Having stored the salted hash of the reset token, you can now send a link to your user with the user's ID and reset token in the querystring of the URL e.g. http://www.example.com/resetpassword.php?user=235747&token=347659864124567532256.
Upon following that link, the provided user and token will be available to your PHP script as $_GET['user'] and $_GET['token']; you can then retrieve the salt from the database, concatenate with the provided token, compute the expected hash and compare with that in the database record. If they match, you have confidence that the user received the email that you sent and you can then prompt them for their desired new password.
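The token flow the answer describes, written out as an added PHP example (not code from the question or the answer). It assumes PHP 7 or later, stands in for the MySQL table with an in-memory array of hypothetical columns (salt, token_hash, expires_at), and assumes a hypothetical reset page named resetpassword.php; SHA-256 is used for the salted hash, since the answer leaves the algorithm open.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a `password_resets` table, keyed by user id.
// Only the salted hash of the token is ever stored here, never the token.
$passwordResets = [];

// Salted hash exactly as the answer describes: hash(salt . token).
function hashToken(string $salt, string $token): string
{
    return hash('sha256', $salt . $token);
}

// Step 1 (form submitted): generate an unguessable token, store its salted
// hash plus an expiry, and return the plaintext token for the e-mail only.
function createResetToken(array &$table, int $userId, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output
    $salt  = bin2hex(random_bytes(16));
    $table[$userId] = [
        'salt'       => $salt,
        'token_hash' => hashToken($salt, $token),
        'expires_at' => time() + $ttlSeconds,
    ];
    return $token;
}

// Step 2 (e-mail): build the link carrying user id and token in the querystring.
function buildResetLink(string $baseUrl, int $userId, string $token): string
{
    return $baseUrl . '/resetpassword.php?' . http_build_query([
        'user'  => $userId,
        'token' => $token,
    ]);
}

// Step 3 (resetpassword.php): recompute hash(salt . $_GET['token']) and compare
// it with the stored hash. Also enforces expiry and single use.
function verifyResetToken(array &$table, int $userId, string $token): bool
{
    if (!isset($table[$userId])) {
        return false;
    }
    $row = $table[$userId];
    if (time() > $row['expires_at']) {
        unset($table[$userId]);
        return false;
    }
    $expected = $row['token_hash'];
    $actual   = hashToken($row['salt'], $token);
    // Constant-time comparison so response timing leaks nothing about the hash.
    if (!hash_equals($expected, $actual)) {
        return false;
    }
    // Consume the row so the same link cannot be used a second time.
    unset($table[$userId]);
    return true;
}

// Demonstration with a constructed user id.
$userId = 235747;
$token  = createResetToken($passwordResets, $userId);
echo 'Email link: ' . buildResetLink('https://www.example.com', $userId, $token) . PHP_EOL;

// Simulate the user following the link; in the real page these come from $_GET.
$get = ['user' => (string) $userId, 'token' => $token];
var_dump(verifyResetToken($passwordResets, (int) $get['user'], $get['token']));
// Following the same link again is rejected because the row was consumed.
var_dump(verifyResetToken($passwordResets, (int) $get['user'], $get['token']));
```

The expiry and single-use handling go slightly beyond the answer's text: without them a leaked or intercepted link stays valid indefinitely. Once verifyResetToken() returns true, the page should prompt for the new password and store it with the same salt-and-hash treatment the answer applies to passwords.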