owasp seems to have some good suggestions, some I had already been doing others I will use from now on.
MD5 was more just to help with a random string generator, I knew it was out of date for security maybe a bad idea overall
rehash I a new one to me, thanks
The sql "works" now, by works I mean if I hard code in the row I want to edit and submit It's ok I think it has something to do with the url now, I will have to read more about it
https://gotsocial.co.uk/passwordreset.php?reset=b2ceee47f0fe9569804f76c8c7f9a826&user=1
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
require ("classes/Register.php");
require ("classes/Database.php");
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
$getPassword = new Validation();
$activecode = isset($_GET['reset']) ? $_GET['reset'] : '';
$usId = isset($_GET['user']) ? $_GET['user'] : '';
$password = $repassword = "";
$post = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$password = $post['password'];
$repassword = $post['repassword'];
$errors = array();
$fields = array(
'password' => array(
'validate' => 'validatePassword',
'message' => 'Password must be least 8 chars, at least one upper, one lower and one number and a special character',
'value' => $password
)
);
if(!Validation::validateRepeatPassword($password, $repassword))
{
$errors[] = ["name" => "repassword", "error" => "Passwords must match"];
}
foreach($fields as $key => $value)
{
$validation_result = $getPassword->{$value['validate']}($value['value']);
if(!$validation_result)
{
$errors[] = ['name' => $key, 'error' => $value['message']];
}
}
if(empty($errors))
{
try
{
$db = new Database;
$setPassword = "
UPDATE
users
SET
`password` = :password
WHERE
userId = (SELECT `userId` FROM passwordHash WHERE userId = '1' AND `hash` = :activecode);
";
$stmt = $db->prepare($setPassword);
$stmt->bindValue(':password', password_hash($post['password'], PASSWORD_DEFAULT));
$stmt->bindValue(':activecode', $activecode);
// $stmt->bindValue(':usId', $usId);
$stmt->execute();
return (bool) $stmt->rowCount();
if(!$results = $stmt->fetch())
{
// id did not match
$errors[] = ["name" => "password", "error" => "Password update failed"];
}
else
{
$success = ["message" => "Password has been updated"];
/*delete here */
}
}
catch(Exception $e)
{
$errors[] = ["name" => "password", "error" => "Something went wrong contact the administrator or try again later"];
}
}
}
header('Content-Type: application/json');
if (empty($errors))
{
echo json_encode($success);
}
else
{
echo json_encode(["errors" => $errors]);
}