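prepare("SELECT * FROM password_resets WHERE token = ? AND expires_at > NOW()");
        // NOTE(review): the `$stmt = $pdo->` prefix, `$token`'s origin and the enclosing
        // `if`/`try` open before this point in the file and are not visible here.
        $stmt->execute([$token]);
        $reset_request = $stmt->fetch();
        if ($reset_request) {
            $show_form = true;
        } else {
            $message = 'Invalid or expired password reset token.';
        }
    } catch (PDOException $e) {
        // Keep driver/schema details out of the response; the log gets the real error.
        error_log('Password reset lookup failed: ' . $e->getMessage());
        $message = 'A database error occurred. Please try again later.';
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only accept scalar strings: a `password[]` array would otherwise reach password_hash() and fatal.
    $post_string = static fn (string $key): string => is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
    $password = $post_string('password');
    $password_confirm = $post_string('password_confirm');
    $min_password_length = 8;

    // NOTE(review): no CSRF token is verified here — confirm the form and includes/header.php handle it.
    if ($password === '' || $password_confirm === '') {
        // Explicit comparison instead of empty(): "0" is a (bad but) valid password, not "missing".
        $message = 'Please enter and confirm your new password.';
    } elseif ($password !== $password_confirm) {
        $message = 'Passwords do not match.';
    } elseif (mb_strlen($password) < $min_password_length) {
        $message = "Password must be at least {$min_password_length} characters long.";
    } else {
        try {
            $pdo = db();
            // SELECT, DELETE and UPDATE run in one transaction so the token is single-use
            // even when two submissions for the same token race each other.
            $pdo->beginTransaction();
            $stmt = $pdo->prepare("SELECT * FROM password_resets WHERE token = ? AND expires_at > NOW()");
            $stmt->execute([$token]);
            $reset_request = $stmt->fetch();

            if ($reset_request) {
                // Consume the token first; if another request already deleted it, rowCount() is 0 and we abort.
                $stmt = $pdo->prepare("DELETE FROM password_resets WHERE token = ?");
                $stmt->execute([$token]);

                if ($stmt->rowCount() > 0) {
                    $email = $reset_request['email'];
                    $hashed_password = password_hash($password, PASSWORD_DEFAULT);

                    // Update user's password
                    $stmt = $pdo->prepare("UPDATE users SET password = ? WHERE email = ?");
                    $stmt->execute([$hashed_password, $email]);

                    $pdo->commit();
                    $message = 'Your password has been reset successfully. You can now login with your new password.';
                    $show_form = false;
                } else {
                    $pdo->rollBack();
                    $message = 'Invalid or expired password reset token.';
                }
            } else {
                $pdo->rollBack();
                $message = 'Invalid or expired password reset token.';
            }
        } catch (PDOException $e) {
            if (isset($pdo) && $pdo->inTransaction()) {
                $pdo->rollBack();
            }
            // Keep driver/schema details out of the response; the log gets the real error.
            error_log('Password reset failed: ' . $e->getMessage());
            $message = 'A database error occurred. Please try again later.';
        }
    }
}

require_once __DIR__ . '/includes/header.php';
?>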