No code delivered. nothing to do here.');
}
$userid = $_GET['userid'];
$code = $_GET['code'];
$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
$result = $statement->execute(array('userid' => $userid));
$user = $statement->fetch();
//check if theres a code for the user delivered
if($user === null || $user['passwordcode'] === null) {
die('
No User matching your request.
');
}
if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
die('
Ooops. This code isnt valid anymore.
');
}
if(sha1($code) != $user['passwordcode']) {
die('
Thats not your code. Naughty user!
');
}
if(isset($_GET['send'])) {
$password = $_POST['password'];
$password_confirm = $_POST['password_confirm']; //we need to do the whole "is your password secure enough" thingy again here:
//regexes for passvalidation:
$REuppercase = preg_match('@[A-Z]@', $password);
$RElowercase = preg_match('@[a-z]@', $password);
$REnumber = preg_match('@[0-9]@', $password);
$REspecialChars = preg_match('@[^\w]@', $password);
if($password != $password_confirm) {
echo "password or confirmed password wrong";
}
if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
echo 'Password needs to be more complex.
';
echo 'Please implement at least 8 chars, upper & downer caser, one number & one special char.
';
$error = true;
} else {
$passwordhash = password_hash($password, PASSWORD_DEFAULT);
$statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
$result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
//done. the rest is the same
if($result) {
die('Changed password. Going to login now.');
}
}
}
?>
Set new password