diff user/uk/resetPassword.php @ 6:077b0a0a3e6d

remaining originals according to dependency walk
author Robert Boland <robert@markup.co.uk>
date Thu, 16 Feb 2017 22:29:02 +0000
parents
children 385ddd7c4b55 a67bf725e87b
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/user/uk/resetPassword.php	Thu Feb 16 22:29:02 2017 +0000
@@ -0,0 +1,120 @@
+<?php
+require "PasswordHash.php";
+
+include "../../private/db.php";  
+include "passGen.php";
+
+// emailname and password sent from form
+$userID=$_GET['userID'];
+$email=$_GET['email'];
+$mypassword=$_GET['pwd'];
+$oldpass=$_GET['oldpwd'];
+
+// To protect MySQL injection 
+$userID = stripslashes($userID);
+$userID = mysqli_real_escape_string($link,$userID);
+//echo $userID;
+$email = stripslashes($email);
+$mypassword = stripslashes($mypassword);
+$email = mysqli_real_escape_string($link,$email);
+$mypassword = mysqli_real_escape_string($link,$mypassword);
+
+$forgotten = 0;
+
+if( $mypassword == "regen" )
+{
+	$mypassword = generatePassword(9);
+	$forgotten = 1;
+	$check = 1;
+}
+
+//echo $mypassword;
+//echo $check;
+//echo $forgotten;
+
+if($forgotten == 1)
+{
+	$query1 = "select UserID from user where Email = '$email'";
+	//echo $query1;
+	$data1 = mysqli_query($link, $query1);
+	if($data1){
+		$count=mysqli_num_rows($data1);
+		if($count==1){
+			$rows=mysqli_fetch_array($data1, MYSQLI_ASSOC);
+			$userID=$rows['UserID'];
+		}
+	}
+}
+else
+{
+	$query1 = "select Email from user where UserID = $userID";
+	//echo $query1;
+	$data1 = mysqli_query($link, $query1);
+	if($data1){
+		$count=mysqli_num_rows($data1);
+		if($count==1){
+			$rows=mysqli_fetch_array($data1, MYSQLI_ASSOC);
+			$email=$rows['Email'];
+		}
+
+	}
+}
+//echo $check;
+if ( mysqli_num_rows( $data1 ) == 1 )
+{
+	$t_hasher = new PasswordHash(8, FALSE);
+	if($forgotten == 0)
+	{
+		$query2 = "select Password from user where UserID = $userID";
+		$data2 = mysqli_query($link, $query2);
+
+		while($line = mysqli_fetch_assoc($data2))
+		{
+			$passHash = $line['Password'];
+		}
+
+		$check = $t_hasher->CheckPassword($oldpass, $passHash);
+	}
+
+	if( $check )
+	{
+		$hashpwd = $t_hasher->HashPassword($mypassword);
+		$update="UPDATE user set Password = '$hashpwd' where UserID = $userID"; 
+		echo $update;
+		$run = mysqli_query($link, $update);
+		
+		// if suceesfully inserted data into database, send confirmation link to email
+		if($run && $forgotten == 1){
+			// ---------------- SEND MAIL FORM ----------------
+			$to=$email;
+			$subject="BookWhack confirmation";
+			$header="from: BookWhack <noreply@bookwhack.com>";
+			$message="BookWhack Confirmation\r\n";
+			$message.="Your password has been reset to: $mypassword\r\n";
+			$message.="This can be changed once logged in";	
+		}
+		else if($run && $forgotten == 0){
+			$to=$email;
+			$subject="BookWhack confirmation";
+			$header="from: BookWhack <noreply@bookwhack.com>";
+			$message="BookWhack Confirmation\r\n";
+			$message.="Your password has successfully been reset\r\n";
+		}
+		else {
+			echo "Error Updating Password";
+		}
+	}
+	else
+	{
+			$to=$email;
+			$subject="BookWhack - Error resetting password";
+			$header="from: BookWhack <noreply@bookwhack.com>";
+			$message="BookWhack - Error resetting password\r\n";
+			$message.="Your password reset has been unsuccessful: Incorrect password provided \r\n";
+			$message.="Please try again under 'Edit Preferences' and ensure you enter the correct password under 'Current Password'\r\n";
+	}
+	$sentmail = mail($to,$subject,$message,$header);
+}
+else
+	echo "Incorrect Email address"
+?>
\ No newline at end of file
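Review bot: The `if( $mypassword == "regen" )` branch resets the password of whichever account matches `$_GET['email']` on the strength of the request alone — no ownership proof such as a single-use, expiring token is checked before the `UPDATE user set Password` runs — and then mails the new password in cleartext in `$message.="Your password has been reset to: $mypassword\r\n";`; the reset should require a token previously issued to the account's address and the mail should carry a reset link rather than the password. `$userID` is interpolated unquoted into `where UserID = $userID` in all three queries, where `mysqli_real_escape_string` gives no protection; at minimum use `$userID = (int) $_GET['userID'];`, or better, `mysqli_prepare` with bound parameters for every statement. `echo $update;` writes the full UPDATE statement, including the new password hash, into the HTTP response and should be removed along with the commented-out `//echo` debug lines. When `mysqli_query` fails `$data1` is `false`, so `mysqli_num_rows( $data1 )` emits a warning; guard it as `if ($data1 && mysqli_num_rows($data1) == 1)`. A state-changing operation that carries passwords should also be accepted from `$_POST` rather than `$_GET`, so the credentials do not end up in server and proxy logs.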