I have this project where i have to create an events website using a mysql database and php. I'm having some toruble with some code that will allow users that change their password. I know it's a problem with the mysql syntax in my query but i can't figure out what the excat problem is. Please help. Thanks
Error code
Failed to run query3: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = chris' at line 1
$query ="SELECT password, salt FROM users WHERE username = :username";
$query_params = array(':username' => $username);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query2: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
$check_password = hash('sha256', $_POST['currentPassword'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password == $row['password'])
{
$password_ok = true;
}
if($password_ok = true)
{
$newPassword = $_POST['newPassword'];
$confirmPassword = $_POST['confirmPassword'];
if($newPassword == $confirmPassword)
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_newPassword . $salt);
for($round = 0; $round <65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query ="INSERT INTO users (password, salt) VALUES (:password, :salt)";
$query .= "WHERE username = $username";
$query_params = array(':password' => $password, ':salt' => $salt);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query3: " . $ex->getMessage());
}
}
$passwordChanged = true;
}
}
Any help in this problem would be much appreciated.
Thanks