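prepare("SELECT password_hash FROM users WHERE id = ?");
        $stmt->execute([$user['id']]);
        $current_pwd_hash = $stmt->fetchColumn();

        // fetchColumn() returns false when no row matches; treat that like a wrong
        // password instead of handing a non-string to password_verify().
        if (!is_string($current_pwd_hash) || !password_verify($old_pwd, $current_pwd_hash)) {
            $error = "Old password incorrect";
        } elseif ($new_pwd !== $confirm_pwd) {
            $error = "Passwords do not match";
        } elseif (mb_strlen($new_pwd) < 6) {
            // The message promises a character count; strlen() counts bytes and would
            // accept a two-character multibyte password as six "characters".
            $error = "Password must be at least 6 characters";
        } else {
            $new_hash = password_hash($new_pwd, PASSWORD_DEFAULT);
            $stmt = db()->prepare("UPDATE users SET password_hash = ? WHERE id = ?");
            $stmt->execute([$new_hash, $user['id']]);
            // NOTE(review): nothing in this excerpt rotates the session id or revokes
            // other sessions after the change — confirm that happens elsewhere.
            $success = "Login password changed successfully";
        }
    } elseif ($action === 'set_trade_password') {
        // A submission of trade_password[] would reach mb_strlen()/password_hash()
        // with an array and fatal; only scalar strings are accepted.
        $trade_pwd = $_POST['trade_password'] ?? '';
        $confirm_trade_pwd = $_POST['confirm_trade_password'] ?? '';
        if (!is_string($trade_pwd) || !is_string($confirm_trade_pwd)) {
            $trade_pwd = '';
            $confirm_trade_pwd = '';
        }

        // NOTE(review): this branch replaces any existing transaction password without
        // re-authentication (neither the login password nor the current transaction
        // password is checked), and no CSRF token check is visible in this excerpt —
        // confirm both are handled before this point or add them here.
        if ($trade_pwd !== $confirm_trade_pwd) {
            $error = "Passwords do not match";
        } elseif (mb_strlen($trade_pwd) < 6) {
            // Same character-vs-byte reasoning as the login password check above.
            $error = "Transaction password must be at least 6 characters";
        } else {
            // Stored as a password_hash() digest, never in plain text, so a database
            // leak does not directly expose the transaction password.
            $trade_hash = password_hash($trade_pwd, PASSWORD_DEFAULT);
            $stmt = db()->prepare("UPDATE users SET transaction_password = ? WHERE id = ?");
            $stmt->execute([$trade_hash, $user['id']]);
            $success = "Transaction password updated successfully";
        }
    }
}

// Whether a transaction password is already on file: any non-empty stored value
// counts as set (presumably read by the template that follows — verify).
$stmt = db()->prepare("SELECT transaction_password FROM users WHERE id = ?");
$stmt->execute([$user['id']]);
$hasTradePwd = !empty($stmt->fetchColumn());
?>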