I have a problem with logging into a CMS account after a database server update - this server is now running MySQL 8.028. Now I get a fatal error like this:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(?))' at line 1'  Stack trace: #0 : PDO->prepare('SELECT * FROM s...') #1 {main}

This is my connect.php:

```php
$db = new PDO("mysql:host=".$dbhost.";dbname=".$dbname.";charset=utf8", $user, $pass, [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
]);
$db->exec("set names utf8");
$db->exec("SET SESSION sql_mode = ''");
```

and my login.php, where the error leads:

```php
$sql = $db->prepare("SELECT * FROM ".$tbl_user." WHERE (user=:user) AND (pass=".$mysql_pass_type."(:pass))");
$sql->bindValue(':user', $f_user, PDO::PARAM_STR);
$sql->bindValue(':pass', $f_pass, PDO::PARAM_STR);
$sql->execute();
```

I've tested on a different database version, like 10.6.5-MariaDB, and everything was OK.

Thank you in advance.

jj1990
  • Can you provide the full error message with full query? Or take your query and echo/log it. I'm going to guess that the `$mysql_pass_type` is throwing it off, but without seeing the full query, it's hard to tell. – aynber Apr 28 '22 at 14:03
  • You can print the query and check what's wrong – Ergest Basha Apr 28 '22 at 14:03
  • What value is in `$mysql_pass_type`? Are you trying to call some function here? – Justinas Apr 28 '22 at 14:10
  • Please describe what you are doing here `(pass=".$mysql_pass_type."(:pass))` as it looks wrong! What is in `$mysql_pass_type`? If you want to prefix `$f_pass` with something, do it into a variable and use that in the bind – RiggsFolly Apr 28 '22 at 14:14
  • $mysql_pass_type = 'password'; $f_pass = $_POST['pass']; $f_user = $_POST['user']; – jj1990 Apr 28 '22 at 14:26
  • You need to parameterise that just the same as the other inputs to the query – ADyson Apr 28 '22 at 14:28
  • So it looks like you are also using "Plain Text Passwords" **V.Bad** – RiggsFolly Apr 28 '22 at 14:39
  • I also somehow doubt that __after database server update__ has got anything to do with this at all – RiggsFolly Apr 28 '22 at 14:41
  • There also would appear to be no benefit in doing `FROM ".$tbl_user."` Where else are you possibly going to get user login information from other than this single table, whatever it's called – RiggsFolly Apr 28 '22 at 14:43
  • Thanks for the help. It turned out that MySQL 8 does not support the password() function anymore. I created a new function for password encryption and it works. – jj1990 Apr 29 '22 at 14:59
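
An added example, not code from the thread: one way to move off the removed `PASSWORD()` call is to hash and verify in PHP and upgrade old rows at login. It assumes the stored values came from MySQL 4.1+ `PASSWORD()` (a `*` followed by the uppercase hex of SHA1 applied twice); the table name `users`, the function names and the SQLite in-memory database (used so it runs offline) are hypothetical.

```php
<?php
// Added example. Table name `users` and the SQLite in-memory database are
// assumptions so the script runs offline; `user` and `pass` columns follow
// the question.

// Reproduces MySQL's removed PASSWORD(): '*' + uppercase hex of SHA1(SHA1(raw)).
function legacy_mysql_password(string $plain): string
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

function login(PDO $db, string $user, string $plain): bool
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // Legacy rows are 41 characters starting with '*'; compare in constant time.
    $isLegacy = strlen($stored) === 41 && $stored[0] === '*';
    $ok = $isLegacy
        ? hash_equals($stored, legacy_mysql_password($plain))
        : password_verify($plain, $stored);
    // On success, replace a legacy or outdated hash with a current one.
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $upd = $db->prepare('UPDATE users SET pass = :pass WHERE user = :user');
        $upd->execute([':pass' => password_hash($plain, PASSWORD_DEFAULT), ':user' => $user]);
    }
    return $ok;
}

// Constructed sample data: one row still holding a PASSWORD()-style value.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT)');
$ins = $db->prepare('INSERT INTO users (user, pass) VALUES (:user, :pass)');
$ins->execute([':user' => 'alice', ':pass' => legacy_mysql_password('correct horse')]);

var_dump(login($db, 'alice', 'wrong'));         // rejected, row untouched
var_dump(login($db, 'alice', 'correct horse')); // accepted via legacy path, row rehashed
$hash = $db->query("SELECT pass FROM users WHERE user = 'alice'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']); // algorithm of the upgraded hash
var_dump(login($db, 'alice', 'correct horse')); // accepted via password_verify()
```

The `pass` column must be wide enough for the new hashes; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.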

0 Answers