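<?php
require_once "../../includes/initialize.php";

// Password-reset completion page: resolves the user from the reset token in
// the query string and, on a valid POST, stores the new password and retires
// the token.

$message = "";

// A missing token must not reach the lookup as null (undefined-index warning
// in PHP 8) and an empty string must not reach it either: depending on how
// find_by_reset_token() builds its query, an empty value could match a user
// whose reset-token column is unset. Only a non-empty string is looked up.
$token = $_GET['token'] ?? '';

// Confirm that the token sent is valid.
// NOTE(review): nothing visible here bounds the token's age; confirm that
// find_by_reset_token() (or the token issuer) enforces an expiry.
$user = (is_string($token) && $token !== '') ? User::find_by_reset_token($token) : null;
if (!isset($user) || !$user) {
    // Token wasn't sent or didn't match a user.
    $session->message("Did not find you try again");
    redirect_to('login_forgot_password_username.php');
    // presumably redirect_to() exits; nothing below is safe to run with an
    // unresolved $user — TODO confirm.
}

if (request_is_post() && request_is_same_domain()) {
    if (!csrf_token_is_valid() || !csrf_token_is_recent()) {
        $message = "Sorry, request was not valid.";
    } else {
        // CSRF tests passed--form was created by us recently.
        // Retrieve the values submitted via the form. The `?? ''` avoids
        // passing null to trim() (deprecated in PHP 8.1) when a field is
        // absent; trim() is kept for parity with the existing behaviour, but
        // note that it silently alters a password that has leading or
        // trailing whitespace.
        $password = trim($_POST['password'] ?? '');
        $password_confirm = trim($_POST['password_confirm'] ?? '');

        $valid = new FormValidation();
        $valid->validate_presences(array('password', 'password_confirm'));
        // Strict comparison: the two submitted values must be byte-identical.
        if ($password !== $password_confirm) {
            $valid->errors['password_confirmation'] = "Password confirmation does not match password.";
        }

        if (empty($valid->errors)) {
            // Persist the new password, then retire the one-time token so the
            // same link cannot be replayed.
            // NOTE(review): assumes save() hashes the password before storage
            // rather than writing it as given — confirm in the User model.
            $user->password = $password;
            $user->save();
            $user->delete_reset_token();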