Suppose a user forgot his password and he wants to know his password. He has to provide an answer for his security question. After providing the correct answer, I want php to send an email to the user's email address and display his password.

So, what mail configurations should I do in php so that it interacts with many email addressess o开发者_如何学Cf respective users?

okay, this is my php.ini file, what do i change? I'm using wamp 2.0 in windows 7 ultimate.

[mail function]
; For Win32 only.
SMTP = localhost
smtp_port = 25

; For Win32 only.
;sendmail_from = me@example.com

; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =

; Force the addition of the specified parameters to be passed as extra parameters
; to the sendmail binary. These parameters will always replace the value of
; the 5th parameter to mail(), even in safe mode.
;mail.force_extra_parameters =

You don't want to store passwords in plaintext, you should hash them.

What you can do is send someone who has forgotten his or her password a link with a one-time secret key, which they can use to change their password.

You can send mail with mail().

As for configuring your mail server: you could try using your ISP's SMTP server if you're not running one on your webserver.

NO

You are doing it wrong! Don't EVER store passwords in a recoverable format, either plain text or encrypted.

No, don't send him his password. Just generate new one and DO NOT EVEN STORE PASSWORDS IN PLAIN FORMAT

The most basic way to send emails from PHP is using the mail function (http://php.net/manual/en/function.mail.php), so to send them an email when they request one would be as easy as calling mail($user_email, 'Reset Password', 'Visit '.$reset_url.' to reset your password');

However, as everyone has already posted, it is a very bad idea to store your passwords in a way that can be retrieved. What you need to do is store the hash of your passwords (see this tutorial for a walkthrough on how to set that up - it's a very important concept). After you have that setup, you need to have user's request a password reset, and have the system generate a unique code to authenticate them, send that code to them in an email, and let them set a new password using that code. They, or anyone else for that matter, should never be able to recover their password once you have stored the hash of it.

Do not store users' passwords in plain text. It's a really bad practice.

Correct way to do this is to hash AND salt passwords, e. g. via hash_hmac function:

hash_hmac('sha256', $password, $salt);

Salt can be anything that is specific to the particular user, for example his e-mail address.

While logging in, you can check the validity of entered credentials by hashing the entered password the same way you do while creating (registering) new user and then compare the hash with hashes in your database.

Best practice for "I forgot my password" functionality is to generate a one-time link you send to the user via e-mail. After visiting the link, he can set his new password. Until then, his old password still works. This prevents attackers to reset password of all users of your application without their knowing.

It's always a mistake to store or send plain password. I do agree that you have to send an email containing forget password link. But I believe your question is mostly about how to send email. PHP Mail function is great. But you can use third party libraries like swift.