You implement this thing like this:
- Create a password change page, with a text field for submitting email id.
- After user submit email, either check via ajax if email exist in database or not, and update the same page, OR, redirect him to same page if email doesnot exist else redirect to another page asking security question, when user submits answer, check whether answer is correct or not, if correct send him the mail with the links of changepassword page.
for checking email is correct or not you can execute following query:
mysql_query(SELECT email FROM user WHERE email = "$email");
where $email
is email submitted by user.
if it returns 1 then email exists, else email doesnot found.
Same can be applied for answer check.
Thanks.