I am stuck on updating values from my SQL table. It works perfectly when instead of ...WHERE username = $username I put an actual value from the table ...WHERE username = 'Jane', but in the other case it's just not updating values in the database at all. Here is part of my code:

```php
if(isset($_POST['reset'])){
  $username = $_POST['username'];
  $password = $_POST['password'];
  $sql = "UPDATE users SET password ='$password' WHERE username = $username";
  $stmtupdate = $db->prepare($sql);
  $result = $stmtupdate->execute([$password]);
  print_r($result);
  if($result){
    echo 'Successfully updated.';
  }else{
    echo 'There were errors while updating the data.';
  }

}
```

  • Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde May 21 '20 at 18:48
  • **Never store plain text passwords!** Please use [PHP's built-in functions](//php.net/manual/en/function.password-hash.php) to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() [compatibility pack](https://github.com/ircmaxell/password_compat) (and you should consider upgrading to a supported version of PHP). Make sure you [don't escape passwords](//stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde May 21 '20 at 18:48
  • You also don't check for errors in your code. – John Conde May 21 '20 at 18:49
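
A corrected version of the handler that follows the comments above (an added example, not the asker's code): named placeholders with bound parameters so the username and password never become part of the SQL text, password_hash() before storing, PDO exceptions enabled so failures are not silent, and rowCount() to tell a no-op update from a successful one. It assumes a users table with username and password columns as in the question, and uses an in-memory SQLite database with constructed rows so it runs on its own.

```php
<?php
// Added example, not the asker's code. Assumes a 'users' table with
// 'username' and 'password' columns, as in the question.

function resetPassword(PDO $db, string $username, string $newPassword): bool
{
    // Placeholders keep user input out of the SQL text; PDO sends the values
    // separately, so a username such as "Jane' OR '1'='1" cannot alter the query.
    $sql = 'UPDATE users SET password = :password WHERE username = :username';
    $stmt = $db->prepare($sql);

    // Hash the raw password; do not escape or trim it first, that would change it.
    $stmt->bindValue(':password', password_hash($newPassword, PASSWORD_DEFAULT));
    $stmt->bindValue(':username', $username);
    $stmt->execute();

    // execute() succeeding only means the statement ran without error;
    // rowCount() tells whether a row actually matched the WHERE clause.
    return $stmt->rowCount() === 1;
}

function verifyLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// --- constructed demo data (in-memory SQLite so the script runs offline) ---
$db = new PDO('sqlite::memory:');
// Throw on SQL errors instead of silently returning false; the original
// handler never checked for errors at all.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
$seed->execute([':u' => 'Jane', ':p' => password_hash('old-secret', PASSWORD_DEFAULT)]);

echo resetPassword($db, 'Jane', 'new-secret') ? "Jane: updated\n" : "Jane: no row updated\n";
echo resetPassword($db, 'Nobody', 'x') ? "Nobody: updated\n" : "Nobody: no row updated\n";
echo verifyLogin($db, 'Jane', 'new-secret') ? "login ok\n" : "login rejected\n";
echo verifyLogin($db, 'Jane', 'old-secret') ? "login ok\n" : "login rejected\n";
```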

0 Answers