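prepare("SELECT email FROM password_resets WHERE token = ? AND expires_at > NOW()");
        $stmt->execute([$token]);
        $reset_request = $stmt->fetch(PDO::FETCH_ASSOC);
        // NOTE(review): the reset token is stored and looked up in plaintext, so a
        // read of this table yields usable tokens. Storing only a hash of the token
        // (e.g. hash('sha256', $token)) and looking up by that hash avoids that —
        // confirm how tokens are generated/written before changing the lookup.
        if ($reset_request) {
            $valid_token = true;
            $email = $reset_request['email'];
        } else {
            $error = "Invalid or expired reset token.";
        }
    } catch (PDOException $e) {
        $error = "An error occurred. Please try again.";
    }
}

// Second stage: the token was accepted above and the user submitted a new password.
if ($valid_token && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $csrf_token = sanitize_input($_POST['csrf_token'] ?? '');
    // NOTE(review): sanitize_input() is defined elsewhere; if it does more than
    // trim() (e.g. HTML-escaping), a valid token could be altered before
    // validate_csrf_token() sees it — confirm what it does.
    if (!validate_csrf_token($csrf_token)) {
        $error = "Invalid CSRF token.";
    } else {
        // Fix: a missing field previously produced an "Undefined index" warning;
        // default to '' and reject non-string input (password[]=x would otherwise
        // reach strlen()).
        $password = $_POST['password'] ?? '';
        $confirm_password = $_POST['confirm_password'] ?? '';

        if (!is_string($password) || !is_string($confirm_password)
            || $password === '' || $confirm_password === '') {
            $error = "Please fill in all fields.";
        } elseif (strlen($password) < 8) {
            // strlen() counts bytes; multibyte characters only make a password
            // "longer" here, so the minimum is never stricter than 8 characters.
            $error = "Password must be at least 8 characters long.";
        } elseif (strlen($password) > 72) {
            // Fix: PASSWORD_DEFAULT is bcrypt, which silently ignores everything
            // past 72 bytes; reject instead of truncating without telling the user.
            $error = "Password must be at most 72 characters long.";
        } elseif ($password !== $confirm_password) {
            $error = "Passwords do not match.";
        } else {
            try {
                $hashed_password = password_hash($password, PASSWORD_DEFAULT);

                // Fix: both writes must succeed together. Previously, if the DELETE
                // failed after the UPDATE, the token stayed usable for another reset.
                $DBcon->beginTransaction();

                // Update user password
                $stmt = $DBcon->prepare("UPDATE users SET password = ? WHERE email = ?");
                $stmt->execute([$hashed_password, $email]);

                // Fix: invalidate every outstanding reset token for this account,
                // not only the one that was just used.
                $stmt = $DBcon->prepare("DELETE FROM password_resets WHERE email = ?");
                $stmt->execute([$email]);

                $DBcon->commit();

                // NOTE(review): other active sessions for this account are not
                // invalidated here — confirm whether the session store supports that.
                $success = "Password reset successfully! You can now login with your new password.";
                $valid_token = false; // Hide form after success
            } catch (PDOException $e) {
                if ($DBcon->inTransaction()) {
                    $DBcon->rollBack();
                }
                // Keep the user-facing message generic; the detail goes to the server log.
                error_log('Password reset failed: ' . $e->getMessage());
                $error = "An error occurred. Please try again.";
            }
        }
    }
}
?>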