35491-vm/update_password.php

<?php
session_start();
require_once 'db/config.php';

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $token = $_POST['token'] ?? '';
    $password = $_POST['password'] ?? '';
    $password_confirm = $_POST['password_confirm'] ?? '';
    $error = '';

    if (empty($token) || empty($password) || empty($password_confirm)) {
        $error = "All fields are required.";
    } elseif ($password !== $password_confirm) {
        $error = "Passwords do not match.";
    } elseif (strlen($password) < 8) {
        $error = "Password must be at least 8 characters long.";
    } else {
        try {
            $pdo = db();
            $stmt = $pdo->prepare("SELECT * FROM password_resets WHERE token = ?");
            $stmt->execute([$token]);
            $reset_request = $stmt->fetch();

            if ($reset_request && $reset_request['expires'] >= date("U")) {
                $email = $reset_request['email'];
                $hashed_password = password_hash($password, PASSWORD_DEFAULT);

                $stmt = $pdo->prepare("UPDATE users SET password = ? WHERE email = ?");
                $stmt->execute([$hashed_password, $email]);

                // Delete the used token
                $stmt = $pdo->prepare("DELETE FROM password_resets WHERE email = ?");
                $stmt->execute([$email]);

                $_SESSION['message'] = 'Your password has been successfully reset. Please log in with your new password.';
                $_SESSION['message_type'] = 'success';
                header("Location: login.php");
                exit;
            } else {
                $error = "Invalid or expired password reset token.";
            }
        } catch (PDOException $e) {
            $error = "Database error: " . $e->getMessage();
            error_log($error);
        }
    }

    // If there was an error, redirect back to the reset form with the token
    $_SESSION['error'] = $error;
    header("Location: reset_password_form.php?token=" . urlencode($token));
    exit;
}