I’m working on a PHP script to reset a user’s password. I have an email and a token check setup so that those two must be valid before the user is allowed to reset. So far, everything works up to the point where I insert the password into the database. Here’s the code for my PDO (I broke the SQL query at those parts so it’s easier to glance over):

try {
    $sql = "UPDATE users 
            SET password=:password, sessionTime=:sessionTime, sessionID=:sessionID 
            WHERE sessionID=:sessionID";
    $update = $con->prepare($sql);
    $update->bindValue("password", hash("sha256", $password . $salt), PDO::PARAM_STR);
    $update->bindValue("sessionID", "0", PDO::PARAM_STR );
    $update->bindValue("sessionTime", "0", PDO::PARAM_STR );
    $update->execute();
    echo "<br /> Successfully updated the password!";
} catch(PDOException $e) {
     throw new Exception('something went wrong with the password reset', 0, $e);  
}

$salt and $password are defined prior to this, and when I run the script, it outputs Successfully updated the password!, however, nothing changes in my database. When I copy and paste the query into phpMyAdmin and change the :name parameters to actual strings, it works perfectly (updating my database) and doesn’t return any errors – also, I’m not getting anything in php_error.log, so I’m not really sure why this isn’t working.

Any help would be appreciated, thank you.