Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE Username=''' at line 1

Code below:

$sql="UPDATE users SET Password=$pass_word WHERE Username='$_POST[username]'";
Cœur
  • Never use this code in production. It's vulnerable to SQL Injection. Look up how to use stored procedures before you use SQL queries in PHP. – Niels Nov 23 '17 at 22:41
  • Please read more about SQL injection: http://php.net/manual/en/security.database.sql-injection.php – Jay Harris Nov 23 '17 at 22:50
  • **Danger**: "Not hashing at all" is [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php); you need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Dec 15 '17 at 10:07

1 Answer

This is very risky coding. What if someone (traditionally referred to as Little Bobby Tables) changed his password to

 hello';--

and your query became

UPDATE users SET Password='hello';-- ' WHERE Username='$_POST[username]'";

which -- being a comment, gets interpreted as a very broad

UPDATE users SET Password='hello';

Your error now was that you forgot the quotes around the password -- but what you should do is move to PDO. Then your query might become

$stmt = $dbh->prepare('UPDATE users SET Password=? WHERE Username=?');
$stmt->execute([$pass_word, $_POST['username']]);

with the PDO layer taking care of avoiding troubles.

The same thing applies to $_POST[username], and I suggest you write it as "{$_POST['username']}" - it's more easily parsed by several PHP tools, and allows you more flexibility with complex arrays.

LSerni
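The prepared-statement approach from the answer, combined with the password hashing the comments ask for, as an added example that is not part of the original posts. The in-memory SQLite database, the sample rows and the `updatePassword` helper are assumptions made so the script runs stand-alone; with MySQL only the DSN changes.

```php
<?php
// Added example: table layout, rows and helper name are constructed for illustration.
// Requires the pdo_sqlite extension.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT)');

$seed = $dbh->prepare('INSERT INTO users (Username, Password) VALUES (?, ?)');
foreach (['alice', 'bob'] as $name) {
    $seed->execute([$name, password_hash('initial-' . $name, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: updates one user's password and returns the rows changed.
function updatePassword(PDO $dbh, string $username, string $newPassword): int
{
    $stmt = $dbh->prepare('UPDATE users SET Password = ? WHERE Username = ?');
    // execute() takes a single array; values are bound in placeholder order
    // and never spliced into the SQL text.
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    return $stmt->rowCount();
}

// Stand-ins for $_POST; the password is the string discussed in the answer.
$post = ['username' => 'alice', 'password' => "hello';--"];

$changed = updatePassword($dbh, $post['username'], $post['password']);
if ($changed !== 1) {
    throw new RuntimeException("expected exactly one row to change, got $changed");
}

$rows = $dbh->query('SELECT Username, Password FROM users ORDER BY Username')
            ->fetchAll(PDO::FETCH_KEY_PAIR);

// The quote and comment marker were stored as part of alice's password...
if (!password_verify("hello';--", $rows['alice'])) {
    throw new RuntimeException('alice should verify against the submitted string');
}
// ...and bob's row still holds his original hash.
if (!password_verify('initial-bob', $rows['bob'])) {
    throw new RuntimeException('bob must be untouched');
}
echo "rows changed: $changed\n";
```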