tankernn-eu/login/reset.php

<?php
  require_once('app.php');

  if (isset($_POST['key'])) {
    $key = $conn->escape_string($_POST['key']);
    $sql = "SELECT userid FROM PasswordReset WHERE `key`='$key'";
    if ($query = $conn->query($sql)) {
      $userid = $query->fetch_array()['userid'];
    } else {
      queue_message(new Message("SQL error: " . $conn->error, "danger"));
      header('Location: /');
    }

    $rawPass = $_POST['pass'];
    $rawRepeat = $_POST['pass_repeat'];

    if (changePassword($userid, $rawPass, $rawRepeat)) {
      $conn->query("DELETE FROM PasswordReset WHERE `key`='$key'");
    }
  } else if (isset($_POST['email'])) {
    $email = $conn->escape_string($_POST['email']);
    $sql = "SELECT UID FROM Users WHERE Email='$email'";
    if ($query = $conn->query($sql)) {
      $userid = $query->fetch_array()['UID'];
    } else {
      queue_message(new Message("No account has that e-mail address registered.", "danger"));
      header('Location: /');
    }
    $key = generateKey(32);
    $sql = "INSERT INTO PasswordReset VALUES ('$userid', '$key')";
    if ($conn->query($sql)) {
      $external_url = Config::$external_url;
      mail($email, Config::$sitename . " password reset", "To reset your password, navigate to this address: $external_url/login/?reset&key=$key");
    } else {
      echo $conn->error;
    }
  } else {
    if (isset($_GET['key'])) {
      $key = $_GET['key'];
      ?>
      <div class="login-panel panel panel-default">
          <div class="panel-heading">
              <h3 class="panel-title"><i class="fa fa-lock"></i> <?php echo Config::$sitename . " password reset" ?></h3>
          </div>
          <div class="panel-body">
              <form role="form" action="" method="post">
                  <fieldset>
                      <div class="form-group">
                          <input class="form-control" placeholder="New password" name="pass" autofocus="" type="password">
                      </div>
                      <div class="form-group">
                          <input class="form-control" placeholder="Repeat password" name="pass_repeat" value="" type="password">
                      </div>
                      <input type="hidden" name="key" value="<?php echo $key ?>" />
                      <input class="btn btn-primary btn-lg btn-block" type="submit" value="Reset password"/>
                  </fieldset>
              </form>
          </div>
      </div>
      <?php
    } else {
      ?>
      <div class="login-panel panel panel-default">
          <div class="panel-heading">
              <h3 class="panel-title"><i class="fa fa-lock"></i> <?php echo Config::$sitename . " password reset" ?></h3>
          </div>
          <div class="panel-body">
              <form role="form" action="" method="post">
                  <fieldset>
                      <div class="form-group">
                          <input class="form-control" placeholder="Account E-mail address" name="email" autofocus="" type="email">
                      </div>
                      <input class="btn btn-primary btn-lg btn-block" type="submit" value="Send reset link"/>
                  </fieldset>
              </form>
          </div>
      </div>
      <?php
    }
    die();
  }
  header('Location: /');
?>