prepare("SELECT id FROM users WHERE email = ? AND is_active = 1"); $stmt->execute([$email]); $user = $stmt->fetch(); // IMPORTANT: Always show the same generic success message regardless of user existence if ($user) { $user_id = $user['id']; $token = generate_secure_token(32); // 64-char token (3.3) $expires_at = date('Y-m-d H:i:s', time() + 3600); // Expires in 1 hour $now = date('Y-m-d H:i:s'); // 4. Invalidate old tokens and insert new token $pdo->prepare("DELETE FROM password_resets WHERE user_id = ? AND used_at IS NULL")->execute([$user_id]); $stmt = $pdo->prepare("INSERT INTO password_resets (user_id, token, expires_at, created_at, ip) VALUES (?, ?, ?, ?, ?)"); $stmt->execute([$user_id, $token, $expires_at, $now, $client_ip]); // 5. Send Email with Reset Link $reset_link = BASE_URL . '/reset-password?token=' . $token; $subject = APP_NAME . ': Password Reset Request'; $body = "

Password Reset Request

You requested a password reset for your " . APP_NAME . " account.

Click the link below to set a new password:

Reset Password

This link will expire in 1 hour.

If you did not request this, please ignore this email.

"; send_email($email, $subject, $body); } $_SESSION['success_message'] = 'If your email is registered, a password reset link has been sent.'; redirect('/forgot-password'); } catch (PDOException $e) { error_log("Password Reset Request Error: " . $e->getMessage()); $errors['database'] = 'A server error occurred. Please try again.'; } } } render_form: $csrf_token = generate_csrf_token(); // Include the HTML template include 'templates/auth_template.php'; ?>