My advice is to plan exactly what you want to do and then think of the steps. There are many ways to do forgot password. The simplest is not encrypted password and send it. Encrypted you either use a reset password link with a key or set a temporary password and send it. Additional security measures could include answering a security question first. How you do it depends on what you want to do and whether you are able to use mySQL or need mySQLi.