From d10e573e3e1b4806f9da22aae584a6d75efeb5f2 Mon Sep 17 00:00:00 2001
From: h5p9sl <21267024+h5p9sl@users.noreply.github.com>
Date: Sun, 24 Jan 2021 10:54:25 -0700
Subject: Add basic password changing functionality

---
 change_passw.php | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 change_passw.php

diff --git a/change_passw.php b/change_passw.php
new file mode 100644
index 0000000..aa8de88
--- /dev/null
+++ b/change_passw.php
@@ -0,0 +1,71 @@
+<?php include_once 'header.php';?>
+
+<section>
+<?php
+	// FIXME
+	if (!isset($_SESSION) or empty($_SESSION['signed_in']) or !$_SESSION['signed_in']) {
+		echo '<h2>You must be logged in to change your password.</h2>';
+	} else {
+		echo '
+			<h2>Change your password</h2>
+			<form action="change_passw.php" method="post">
+			<label for="user_pass">Password: </label><br>
+			<input type="password" name="user_pass"><br>
+			<label for="user_pass_check">Re-enter password: </label><br>
+			<input type="password" name="user_pass_check"><br>
+			<input type="submit" name="submit">
+			</form>
+			<br>';
+	}
+?>
+
+<?php
+include_once 'includes/db_inc.php';
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST' and $_SESSION['signed_in']) {
+	$errors = array();
+	$user_pass = "";
+
+	if (empty($_POST['user_pass'])) {
+		$errors[] = "You must provide a password.";
+	} else {
+		$user_pass = $_POST['user_pass'];
+		$pass_check = $_POST['user_pass_check'];
+
+		if (preg_match("/^[a-zA-Z0-9\W]*$/", $user_pass) === false) {
+			$errors[] = "Password contains invalid characters!";
+		}
+
+		if ($user_pass !== $pass_check) {
+			$errors[] = "The two passwords do not match.";
+		}
+	}
+
+	if (!empty($errors)) {
+		echo 'Please check the following problems: <ul>';
+		foreach ($errors as $err) {
+			echo '<li>' . $err . '</li>';
+		}
+		echo '</ul>';
+	} else {
+		$sql = "UPDATE users SET user_pass = ? WHERE user_id = ?;";
+		$stmt = mysqli_stmt_init($dbc);
+
+		if (!mysqli_stmt_prepare($stmt, $sql)) {
+			die('Could not create account due to internal error: ' . mysqli_error($dbc));
+		}
+
+		$pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+		mysqli_stmt_bind_param($stmt, "ss", $pass_hash, $_SESSION['user_id']);
+		mysqli_stmt_execute($stmt);
+		mysqli_stmt_close($stmt);
+
+		echo 'Password successfully changed!';
+	}
+}
+?>
+
+</section>
+
+<?php include_once 'footer.php';?>
-- 
cgit v1.2.3