I have this project where i have to create an events website using a mysql database and php. I'm having some toruble with some code that will allow users that change their password. I know it's a problem with the mysql syntax in my query but i can't figure out what the excat problem is. Please help. Thanks

Error code

Failed to run query3: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = chris' at line 1

$query ="SELECT password, salt FROM users WHERE username = :username";
        $query_params = array(':username' => $username);
        try 
        {
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex) 
        {
            die("Failed to run query2: " . $ex->getMessage()); 
        }
        $row = $stmt->fetch();
        if($row)
        {
            $check_password = hash('sha256', $_POST['currentPassword'] . $row['salt']);
            for($round = 0; $round < 65536; $round++)
            {
                $check_password = hash('sha256', $check_password . $row['salt']); 
            }

            if($check_password == $row['password'])
            {
                $password_ok = true;
            }

            if($password_ok = true)
            {
                $newPassword = $_POST['newPassword'];
                $confirmPassword = $_POST['confirmPassword'];
                if($newPassword == $confirmPassword)
                {
                    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
                    $password = hash('sha256', $_newPassword . $salt);
                    for($round = 0; $round <65536; $round++)
                    {
                        $password = hash('sha256', $password . $salt);
                    }
                    $query ="INSERT INTO users (password, salt) VALUES (:password, :salt)";
                    $query .= "WHERE username = $username";
                    $query_params = array(':password' => $password, ':salt' => $salt);
                    try
                    {
                        $stmt = $db->prepare($query);
                        $result = $stmt->execute($query_params);
                    }
                    catch(PDOException $ex)
                    {
                        die("Failed to run query3: " . $ex->getMessage()); 
                    }
                }
            $passwordChanged = true;
            }
        }

Any help in this problem would be much appreciated.

Thanks

INSERT INTO does not use a WHERE clause like that. Remove it (line 39) or use an UPDATE statement.

I have changed the code to

$query ="UPDATE users SET password = :password, salt = :salt WHERE username = '$username'";

now i have a different issue. The password changes and goes through the sha256 algorithm and has the salt added. but when i log the test account out and test the new password it doesn't work and neither does the new one. Any ideas. The code for the salt and the hasing alroithm is the same.

Found the issue. one newpassword was defined as $newpassword the other was defined as $_newpassword

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.