-1

Possible Duplicate:
PHP/MySQL - SQL syntax error?

I am trying to update a user password with the below script, however I am just getting the following error. I have been using PHP and MySQL for only about 2 months now so am still a beginner so I would really appreciate any comments regarding my below code. Thank you in advance for your help.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(password, salt) VALUES ( 'fcf829e6c3478752799b7d49798a14640f110dd4f8767' at line 1

<?php

//Pull in form info

$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];

//Check if the 2 password fields match
if($pass1 != $pass2) {
    header('Location: ../admin/pass-change.php?pw=notmatched');
    die();
}

//hashes the password

$hash = hash('sha256', $pass1);

//creates a 3 character sequence

function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

//initialise connection with database

require_once('../Connections/EliteGrooming.php');

mysql_select_db($database_EliteGrooming, $EliteGrooming);

//Execute the query

$username = $_SESSION['username'];

$query = "UPDATE admin_users (password, salt)
        VALUES ( '$hash', '$salt' )
        WHERE username = '$username';";
mysql_query($query) or die(mysql_error());
mysql_close();
header('Location: ../admin/pass-change.php?PassChanged');

?>
AppleTattooGuy

2 Answers

3

No, it should be

UPDATE admin_users 
   SET password = '$hash', 
        salt = '$salt' 
WHERE username = '$username'

Beware, your query is vulnerable to SQL injection; please see the article below.

John Woo
  • Thank you for your help, I have added $username = mysql_real_escape_string($username); to my code, is this enough to prevent SQL injection? – AppleTattooGuy Nov 16 '12 at 17:07
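Added example, not code from the original posts: the UPDATE ... SET statement from the answer above written as a PDO prepared statement, so every value is bound as data and there is no per-variable escaping step to forget. Assumptions: an in-memory SQLite database stands in for MySQL, changePassword() is a hypothetical helper, and PHP's password_hash() is swapped in for the SHA-256 plus 3-character salt, which removes the need for a salt column.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// with MySQL only the PDO DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows (not data from the page).
$pdo->exec('CREATE TABLE admin_users (username TEXT PRIMARY KEY, password TEXT)');
$ins = $pdo->prepare('INSERT INTO admin_users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('old-alice', PASSWORD_DEFAULT)]);
$ins->execute(['bob', password_hash('old-bob', PASSWORD_DEFAULT)]);

// Hypothetical helper: change one user's password using bound parameters.
function changePassword(PDO $pdo, string $username, string $newPassword): int
{
    // password_hash() generates a random salt per call and embeds it in the
    // returned string, so the hash is stored in a single column.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);

    // UPDATE ... SET syntax; the values are sent separately from the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE admin_users SET password = :hash WHERE username = :username'
    );
    $stmt->execute([':hash' => $hash, ':username' => $username]);

    return $stmt->rowCount(); // number of rows the UPDATE changed
}

// Normal case: the named user's row is updated.
echo 'alice rows updated: ', changePassword($pdo, 'alice', 'new-alice'), "\n";

// Constructed test input containing quotes: it is compared as a literal
// username, so the WHERE clause is not rewritten and no other row is touched.
echo 'quoted name rows updated: ',
    changePassword($pdo, "x' OR '1'='1", 'other-pass'), "\n";

// Confirm which stored hashes verify against which passwords.
$check = $pdo->prepare('SELECT password FROM admin_users WHERE username = ?');
foreach ([['alice', 'new-alice'], ['bob', 'old-bob']] as [$user, $expected]) {
    $check->execute([$user]);
    $ok = password_verify($expected, $check->fetchColumn());
    echo $user, ' verifies: ', var_export($ok, true), "\n";
}
```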
-1

Looks to me like the input password somehow has ' added before and after the entry. Translated you are putting into the database:

 $query = "UPDATE admin_users (password, salt)
    VALUES ( ''f124782349023589270365fhjdhf2893'', '$salt' )
    WHERE username = '$username';";

The reason I say this is because it only returns one value input. That or your salt is not being found.

EDIT: Above has it right. You're missing the SET command.

Sam Bowyer