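<?php
/*
 * Password-reset submission handler.
 *
 * Expects POST fields: email, reset (the reset token), password, cpassword.
 * Redirects to change-password.php with ?success=passChanged on success, or
 * ?error=dataEmpty / ?error=passNotMatch / ?error=invalidReset on failure.
 *
 * Security notes:
 *  - The password is only changed when BOTH the email and the reset token match
 *    the same row. Previously the token lookup result was ignored and the UPDATE
 *    was keyed on email alone, so any visitor could set any account's password.
 *  - All SQL values are bound through a prepared statement instead of being
 *    concatenated into the query text (SQL injection).
 */

// Normalise inputs: a missing field or a non-string value (e.g. password[]=x)
// becomes '' so it is rejected below instead of reaching password_hash()/SQL.
$fields = [];
foreach (['email', 'reset', 'password', 'cpassword'] as $name) {
    $fields[$name] = (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : '';
}

$email     = $fields['email'];
$key       = $fields['reset'];
$password  = $fields['password'];
$cpassword = $fields['cpassword'];

if ($email === '' || $key === '' || $password === '') {
    header('location: change-password.php?error=dataEmpty');
    exit;
}

// Strict comparison: with == PHP treats numeric-looking strings as numbers,
// so e.g. "1e3" and "1000" would count as matching passwords.
if ($cpassword !== $password) {
    header('location: change-password.php?error=passNotMatch');
    exit;
}

include "db.php";      // provides $db (mysqli connection)
include "config.php";

// Hash the new password
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

// Verify the token and update in one statement: the row is only touched when
// the email AND the reset token match, and the token is cleared in the same
// write so it cannot be replayed.
// NOTE(review): exp_date is cleared here but never compared. If it holds the
// token's expiry, add an expiry condition to the WHERE clause once the column
// type/format is confirmed.
$stmt = mysqli_prepare(
    $db,
    'UPDATE `logins` SET `password` = ?, `reset` = NULL, `exp_date` = NULL WHERE `email` = ? AND `reset` = ?'
);
if ($stmt === false) {
    // Fail closed without leaking database details to the client.
    http_response_code(500);
    exit;
}

mysqli_stmt_bind_param($stmt, 'sss', $hashedPassword, $email, $key);
$executed = mysqli_stmt_execute($stmt);
$changed  = $executed ? mysqli_stmt_affected_rows($stmt) : 0;
mysqli_stmt_close($stmt);

if ($changed < 1) {
    // No row matched this email/token pair. The same response is returned for
    // an unknown email and a wrong token so the page does not reveal which one
    // failed. New error code: change-password.php needs a message for it.
    header('location: change-password.php?error=invalidReset');
    exit;
}

header('location: change-password.php?success=passChanged');
exit;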