$needle] ); if (!$rows) { echo "No members match '{$args['find']}'.\n"; exit(0); } echo "Matches:\n"; foreach ($rows as $r) { printf( " #%-4d %-40s %-25s %s / %s\n", $r['id'], $r['email'], $r['business_name'], $r['role'], $r['status'] ); } exit(0); } // ---- Mode 2: reset ---- $email = strtolower(trim($args['email'] ?? '')); if (!$email) { fwrite(STDERR, "Usage:\n"); fwrite(STDERR, " php db/reset-password.php --email=USER --password=NEW_PW\n"); fwrite(STDERR, " php db/reset-password.php --email=USER --generate\n"); fwrite(STDERR, " php db/reset-password.php --find=SEARCH\n"); exit(1); } if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { fwrite(STDERR, "Error: '$email' is not a valid email\n"); exit(1); } $member = db_row( 'SELECT id, email, first_name, last_name, business_name, role, status FROM members WHERE email = :e', ['e' => $email] ); if (!$member) { fwrite(STDERR, "Error: no member found with email $email\n"); fwrite(STDERR, "Use --find=partial to search by partial email.\n"); exit(1); } // Decide the new password $new_password = $args['password'] ?? ''; $was_generated = false; if (!empty($args['generate'])) { // 18 chars of hex = 72 bits of entropy. Enough for an admin account. $new_password = bin2hex(random_bytes(9)); $was_generated = true; } if (!$new_password) { fwrite(STDERR, "Error: provide either --password=NEW or --generate\n"); exit(1); } if (strlen($new_password) < 8) { fwrite(STDERR, "Error: password must be at least 8 characters\n"); exit(1); } // ---- Confirm destination before wiping ---- echo "About to reset password for:\n"; printf( " #%d %s (%s %s, %s, role=%s)\n", $member['id'], $member['email'], $member['first_name'], $member['last_name'], $member['business_name'], $member['role'] ); // Prompt for confirmation (skippable with --yes for scripted use) if (empty($args['yes'])) { echo "Continue? [y/N] "; $reply = strtolower(trim((string)fgets(STDIN))); if ($reply !== 'y' && $reply !== 'yes') { echo "Aborted. No changes made.\n"; exit(0); } } // ---- Apply ---- $hash = password_hash($new_password, PASSWORD_BCRYPT, ['cost' => AUTH_BCRYPT_COST]); db_exec( 'UPDATE members SET password_hash = :h WHERE id = :id', ['h' => $hash, 'id' => $member['id']] ); // Invalidate any outstanding reset tokens for this member db_exec( 'UPDATE password_resets SET used_at = NOW() WHERE member_id = :id AND used_at IS NULL', ['id' => $member['id']] ); echo "\nPassword updated for {$member['email']}.\n"; if ($was_generated) { echo "\n NEW PASSWORD: {$new_password}\n\n"; echo "Copy it now — it is not stored anywhere in plaintext.\n"; } echo "\nThey can sign in at " . (defined('SITE_URL') ? SITE_URL : '') . "/login.php\n";