-1

I am trying to create a form to update the user's details stored in the database, but I am getting an error: Parse error: syntax error, unexpected '"' in update.php on line 18. I'm trying to say: update the user with the username that matches the session (the session stores the username). I'm not sure why it's wrong, because I've used the comparison to the session username before and it worked fine. Also, will I then have to update the session with the new username?

update.php

<?php

session_start();

function updateAccount(){
    $pdo=new PDO('mysql:host=localhost;dbname', 'name', 'password');

    $name=$_POST['Name'];
    $surname=$_POST['Surname'];
    $email=$_POST['Email'];
    $username=$_POST['Username'];
    $password=$_POST['Password'];

//Execute the query

$hashPass = hash('sha512', $password);

$st = $pdo->prepare('UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = '".$_SESSION['userName']."'');

    if(!isset($error)){
        //no error
        $st->execute(array('Name' => $name, 'Surname'=>$surname, 'Email'=>$email, 'Username'=> $username, 'Password' => $hashPass));



        header("Location: user.php");

    }else {
        echo "Error";
    }

}

if(isset($_POST['update'])){
    updateAccount();
}

?>

Form where users enter details (not sure this makes a difference)

<form id="update" method="post"  action="update.php">
            <h2>Account Update:</h2>
                <br>Name:
            <input type="text" name="Name" placeholder="Name">
                <br>Surname:
            <input type="text" name="Surname" placeholder="Surname">
                <br>Email:
            <input type="email" name="Email" placeholder="Email">
                <br>Username:
            <input type="text" name="Username" placeholder="Username">
                <br>Password:
            <input type="password" name="Password" placeholder="Password">
                <br>Re-enter Password:
            <input id="pass2" type="password" name="Password_check" placeholder="Password Check">
            <br><input id="updates" type="submit" name="update" value="Update"> <br>
            </form>

BlaBla

3 Answers

0

Write this way

$st = $pdo->prepare("UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = '{$_SESSION['userName']}'");

0

Try to change this:

$st = $pdo->prepare('UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = '".$_SESSION['userName']."'');

with this:

$st = $pdo->prepare("UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = ".$_SESSION['userName']);

Néstor

0

Here is line 18 from update.php:

$st = $pdo->prepare('UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = '".$_SESSION['userName']."'');

Here the single quote in Username = ' is closing the string: UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = and it is then immediately followed by a double quote here: ".$_SESSION..." thus creating another string without using the concat operator. Because the dot is inside the new string, PHP treats it like a part of the string (a simple character) and not as a string operator. The dot operator must go between those strings: Username = '."$_SESSION. The same problem arises here: $_SESSION['userName']."''); it should go as $_SESSION['userName']".''). Please note that, although concatenating '' at the end of the string is legal, it makes no sense.

You can simply have this instead.

$st = $pdo->prepare('UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = '.$_SESSION['userName']);

Or, since PHP's double-quoted strings resolve variables:

$st = $pdo->prepare("UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email, Username = :Username, Password = :Password WHERE Username = {$_SESSION['userName']}");

Your pick.

Jenny T-Type
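
Added example, not part of the question or of any answer above: binding the session username as one more placeholder removes the quote juggling discussed on this page and keeps a name such as o'brien from breaking the SQL text; it also shows the session being refreshed after the username changes. Assumptions: an in-memory SQLite table with constructed rows stands in for the MySQL database, `$session` and `$post` stand in for `$_SESSION` and `$_POST`, the `updateAccount()` signature is hypothetical, and `password_hash()` is substituted for the question's `hash('sha512', ...)`.

```php
<?php
// Added example. Schema, rows and the $session/$post arrays are constructed.
// updateAccount()'s signature here is hypothetical, not the question's.
function updateAccount(PDO $pdo, string $currentUser, array $in): bool
{
    // The WHERE value is a placeholder like the rest: no quotes to balance
    // in PHP, and nothing from the session is pasted into the SQL text.
    $st = $pdo->prepare(
        'UPDATE Users SET Name = :Name, Surname = :Surname, Email = :Email,
                Username = :Username, Password = :Password
          WHERE Username = :Current'
    );
    $st->execute([
        'Name'     => $in['Name'],
        'Surname'  => $in['Surname'],
        'Email'    => $in['Email'],
        'Username' => $in['Username'],
        // Substituted for hash('sha512', ...): salted, slow, checked with password_verify().
        'Password' => password_hash($in['Password'], PASSWORD_DEFAULT),
        'Current'  => $currentUser,
    ]);
    return $st->rowCount() === 1;
}

$pdo = new PDO('sqlite::memory:');   // stands in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (Name TEXT, Surname TEXT, Email TEXT,
                                Username TEXT UNIQUE, Password TEXT)');
$pdo->exec("INSERT INTO Users VALUES
            ('Pat', 'O''Brien', 'pat@example.test', 'o''brien', 'old-hash')");

$session = ['userName' => "o'brien"];   // stand-in for $_SESSION
$post = ['Name' => 'Pat', 'Surname' => "O'Brien", 'Email' => 'pat@example.test',
         'Username' => 'pobrien', 'Password' => 'constructed-passphrase'];

if (updateAccount($pdo, $session['userName'], $post)) {
    // The session still holds the old name; refresh it, or the next update's
    // WHERE Username = :Current matches no row.
    $session['userName'] = $post['Username'];
}

$row = $pdo->query('SELECT Username, Password FROM Users')->fetch(PDO::FETCH_ASSOC);
var_dump($session['userName'] === $row['Username']);
var_dump(password_verify($post['Password'], $row['Password']));
```

Both `var_dump` calls print `bool(true)` when the row was matched through the bound parameter and the session was refreshed.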