Example #1
<?php

require_once "../../includes/initialize.php";
// Rather than require setting up a real database,
// we can fake one instead.
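$message = "";
// The reset token arrives on the query string and is untrusted input.
// Normalise it to a string first: without this, a missing parameter raises
// an undefined-index notice and a `?token[]=x` request would hand an array
// to the finder. An empty token is rejected before any lookup so the query
// can never match a user whose reset-token column happens to be empty/unset.
$token = isset($_GET['token']) ? $_GET['token'] : '';
if (!is_string($token) || $token === '') {
    // Same message as the not-found case below so the response does not
    // reveal whether a token was present.
    $session->message("Did not find you try again");
    redirect_to('login_forgot_password_username.php');
    exit; // do not rely on redirect_to() terminating the request itself
}
// Confirm that the token sent is valid: it must resolve to a user.
$user = User::find_by_reset_token($token);
// find_by_reset_token() is assumed to return a falsy value (null/false) when
// nothing matches; a plain truthiness test covers both, so the original
// `!isset($user) || !$user` collapses to `!$user` ($user is always assigned).
if (!$user) {
    // Token didn't match a user.
    $session->message("Did not find you try again");
    redirect_to('login_forgot_password_username.php');
    // Defence in depth: the rest of this page dereferences $user and resets
    // a password, so execution must stop here even if redirect_to() returns.
    exit;
}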
if (request_is_post() && request_is_same_domain()) {
    if (!csrf_token_is_valid() || !csrf_token_is_recent()) {
        $message = "Sorry, request was not valid.";
    } else {
        // CSRF tests passed--form was created by us recently.
        // retrieve the values submitted via the form
        $password = trim($_POST['password']);
        $password_confirm = trim($_POST['password_confirm']);
        $valid = new FormValidation();
        $valid->validate_presences(array('password', 'password_confirm'));
        if ($password !== $password_confirm) {
            $valid->errors['password_confirmation'] = "Password confirmation does not match password.";
        }
        if (empty($valid->errors)) {
            $user->password = $password;
            $user->save();
            $user->delete_reset_token();