0

I have this project where i have to create an events website using a mysql database and php. I'm having some toruble with some code that will allow users that change their password. I know it's a problem with the mysql syntax in my query but i can't figure out what the excat problem is. Please help. Thanks

Error code

Failed to run query3: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = chris' at line 1

$query ="SELECT password, salt FROM users WHERE username = :username";
        $query_params = array(':username' => $username);
        try 
        {
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex) 
        {
            die("Failed to run query2: " . $ex->getMessage()); 
        }
        $row = $stmt->fetch();
        if($row)
        {
            $check_password = hash('sha256', $_POST['currentPassword'] . $row['salt']);
            for($round = 0; $round < 65536; $round++)
            {
                $check_password = hash('sha256', $check_password . $row['salt']); 
            }

            if($check_password == $row['password'])
            {
                $password_ok = true;
            }

            if($password_ok = true)
            {
                $newPassword = $_POST['newPassword'];
                $confirmPassword = $_POST['confirmPassword'];
                if($newPassword == $confirmPassword)
                {
                    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
                    $password = hash('sha256', $_newPassword . $salt);
                    for($round = 0; $round <65536; $round++)
                    {
                        $password = hash('sha256', $password . $salt);
                    }
                    $query ="INSERT INTO users (password, salt) VALUES (:password, :salt)";
                    $query .= "WHERE username = $username";
                    $query_params = array(':password' => $password, ':salt' => $salt);
                    try
                    {
                        $stmt = $db->prepare($query);
                        $result = $stmt->execute($query_params);
                    }
                    catch(PDOException $ex)
                    {
                        die("Failed to run query3: " . $ex->getMessage()); 
                    }
                }
            $passwordChanged = true;
            }
        }

Any help in this problem would be much appreciated.

Thanks

2
Contributors
3
Replies
16
Views
3 Years
Discussion Span
Last Post by twiggy145
1

INSERT INTO does not use a WHERE clause like that. Remove it (line 39) or use an UPDATE statement.

Edited by pritaeas

0

I have changed the code to

$query ="UPDATE users SET password = :password, salt = :salt WHERE username = '$username'";

now i have a different issue. The password changes and goes through the sha256 algorithm and has the salt added. but when i log the test account out and test the new password it doesn't work and neither does the new one. Any ideas. The code for the salt and the hasing alroithm is the same.

0

Found the issue. one newpassword was defined as $newpassword the other was defined as $_newpassword

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.