MD5 was designed to be hash, which is one way only, otherwise it would not be a hash. You should not send user his password, but give possibility to change it. You should generate a token, send link to change password to user's mail with token in GET parameter. If user change the passwords remove the token. Also, you should remember that token must have expiry time.

Something like:

myurl.com/passwordrecovery?token=someGeneratedToken

In database, you can look for token, and get user id. So for example, your table structure can look like:

user_id | token | expiry_time

If you would keep only tokens and expiry time in database, don't do this. Associate token with user, otherwise user can request password change, and he will get following link(Don't do this):

myurl.com/passwordrecovery?token=token&user_id=number

This way he can change someone else's password by replacing user_id. And get access to his account. Expiry time should not be longer than 24 hours.

Important

Don't use plain md5, it's easy to crack. Use pbkdf2 for example.

PHP implementations: PHP-Crypt-Lib, Pbkdf2 by inanimatt