From 4ebdd378a65be9fe671f9a5157863c8d20f241d4 Mon Sep 17 00:00:00 2001
From: Marijn Jansen
Date: Wed, 25 Jan 2017 16:21:17 +0100
Subject: [PATCH] Password change
---
website/public/resetpassword.php | 10 +++++++---
website/queries/requestpassword.php | 9 ++++-----
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/website/public/resetpassword.php b/website/public/resetpassword.php
index c2f9221..54b706b 100644
--- a/website/public/resetpassword.php
+++ b/website/public/resetpassword.php
@@ -8,16 +8,19 @@ if ($_SERVER["REQUEST_METHOD"] == "GET") {
 echo "Ongeldige link.";
 }
 } else {
- echo "Ongeldige link";
+ echo "Ongeldige link.";
 }
 } elseif ($_SERVER["REQUEST_METHOD"] == "POST") {
 if (verifyLink($_POST["u"], $_POST["h"])) {
 if ($_POST["password"] == $_POST["password-confirm"]) {
 changePassword();
+ echo "Wachtwoord is veranderd";
+ } else {
+ echo "Wachtwoorden zijn niet hetzelfde";
 }
 }
 } else {
- echo "Ongeldige link";
+ echo "Ongeldige link.";
 }
 function changePassword() {
@@ -29,7 +32,7 @@ function changePassword() {
 WHERE
 `userID` = :userID
 ");
- $stmt->bindParam(":password", $_POST["password"]);
+ $stmt->bindValue(":password", password_hash($_POST["password"], PASSWORD_DEFAULT));
 $stmt->bindParam(":userID", $_POST["u"]);
 $stmt->execute();
 }
@@ -44,6 +47,7 @@ function verifyLink(int $userID, string $hash) {
 `userID` = :userID
 ");
 $stmt->bindParam(":userID", $userID);
+ $stmt->execute();
 $password = $stmt->fetch()["password"];
 return password_verify($password, $hash);
 }
\ No newline at end of file
diff --git a/website/queries/requestpassword.php b/website/queries/requestpassword.php
index abf87c7..c0ff462 100644
--- a/website/queries/requestpassword.php
+++ b/website/queries/requestpassword.php
@@ -15,7 +15,6 @@ function sendPasswordRecovery(string $email) {
 $stmt->bindParam(":email", $email);
 $stmt->execute();
 if (!$stmt->rowCount()) {
- // TODO: Just stop.
 return;
 }
 $result = $stmt->fetch();
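Review bot: The confirmation check kept as context in the POST branch, `if ($_POST["password"] == $_POST["password-confirm"])`, uses loose comparison and accepts an empty password, so numeric-looking strings such as `"1e3"` and `"1000"` compare equal and a blank submission still reaches changePassword(). Compare strictly and require a non-empty value: `if (isset($_POST["password"], $_POST["password-confirm"]) && $_POST["password"] !== "" && $_POST["password"] === $_POST["password-confirm"])`. `$_POST["u"]` and `$_POST["h"]` are likewise handed to verifyLink() without an `isset()` check, and because verifyLink() declares `int $userID` a missing or non-numeric `u` ends in a TypeError instead of the "Ongeldige link." message the other branches print. The if/elseif chain this hunk edits starts above the hunk, in the GET branch.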
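Review bot: The new `bindValue(":password", password_hash(...))` line binds the return value of password_hash() without checking it; on PHP 7 that function returns `false` on failure, which PDO binds as an empty string, and the `$stmt->execute()` two lines below is also unchecked, so the caller in the previous hunk prints "Wachtwoord is veranderd" whether or not a row was updated (unless PDO is in exception mode, which is not visible here). I would hash into a local and fail closed, `$hash = password_hash($_POST["password"], PASSWORD_DEFAULT); if ($hash === false) { throw new RuntimeException("password_hash failed"); }`, bind `$hash`, and have changePassword() return `$stmt->execute() && $stmt->rowCount() === 1` so the success message depends on it. changePassword() begins in the previous hunk; only its tail is shown here.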
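Review bot: With the added `$stmt->execute()` the query now actually runs, but the next line, `$password = $stmt->fetch()["password"];`, does not handle a missing row: fetch() returns `false`, indexing it yields `null`, and `password_verify(null, $hash)` is then evaluated against the caller-supplied `$hash`, so any existing account whose stored `password` is empty or NULL (if that state can occur) is reset by posting `h` equal to `password_hash("")`. Fail closed before verifying: `$row = $stmt->fetch(); if ($row === false || (string) $row["password"] === "") { return false; }`. Note also that the argument order makes the database column the secret and the link the bcrypt hash of it, so anyone who can read the `user` table can compute a valid `h` for any account, and nothing in this hunk expires the token. verifyLink() starts outside the hunk; the hunk shows only its tail.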
@@ -25,8 +24,6 @@ function sendPasswordRecovery(string $email) {
 $hashedHash = password_hash($hash, PASSWORD_DEFAULT);
 setHashToDatabase($userID, $hash);
 doSendPasswordRecovery($userID, $email, $username, $hashedHash);
-
- } else {
 // TODO: Be angry!
 }
@@ -46,10 +43,12 @@ function setHashToDatabase(int $userID, string $hash) {
 UPDATE `user`
 SET
- `password` = $hash
+ `password` = :hash
 WHERE
- `userID` = $userID
+ `userID` = :userID
 ");
+ $stmt->bindParam(":hash", $hash);
+ $stmt->bindParam(":userID", $userID);
 $stmt->execute();
 return $stmt->rowCount();
 }
\ No newline at end of file
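Review bot: Parameterising the UPDATE removes the injection, but the value the hunk now binds to `:hash` and writes into `password` is the raw recovery token: the caller in the previous hunk passes `$hash` to setHashToDatabase() and mails `$hashedHash`, so an unauthenticated request for someone's e-mail address overwrites their real password hash (presumably breaking normal login until the reset completes), and a read of the `user` table is enough to mint a valid link for any account. The conventional layout is the reverse: leave `password` alone, store `password_hash($hash, PASSWORD_DEFAULT)` in a dedicated reset column (say `reset_hash`) together with an expiry timestamp, put the raw `$hash` in the link, and verify with `password_verify($_POST["h"], $row["reset_hash"])`. That also stops the reset value from living in the same column login checks against. setHashToDatabase() and the prepare() call that opens the SQL string begin above the hunk.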