Error trying to UPDATE php/mysql code for changing to a new password
As described in the title, I am running into an SQL injection error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
How do I fix this? Provided below is my php code and html code.
PHP:
if($_POST['submit']=='Change')
{
    $err = array();
    if(!$_POST['password1'] || !$_POST['passwordnew1'])
        $err[] = 'All the fields must be filled in!';
    if(!count($err))
    {
        $_POST['password1'] = mysql_real_escape_string($_POST['password1']);
        $_POST['passwordnew1'] = mysql_real_escape_string($_POST['passwordnew1']);
        $row = mysql_fetch_assoc(mysql_query("SELECT id,username FROM members WHERE username='{$_SESSION['username']}' AND pass='".md5($_POST['password1'])."'"));
        if($row['username'])
        {
            $querynewpass = mysql_query("UPDATE members SET pass='".md5($_POST['passwordnew1'])."' WHERE username='{$_SESSION['username']}'");
            $result = mysql_query($querynewpass) or die(mysql_error());
        }
        else $err[]='Wrong Password To Start With!';
    }
    if($err)
        $_SESSION['msg']['passwordchange-err'] = implode('<br />',$err);
    header("Location: members.php?id=" . $_SESSION['username']);
    exit;
}
HTML:
<form action="" method="post">
    <?php
    if($_SESSION['msg']['passwordchange-err'])
    {
        echo '<div class="err">'.$_SESSION['msg']['passwordchange-err'].'</div>';
        unset($_SESSION['msg']['passwordchange-err']);
    }
    if($_SESSION['msg']['passwordchange-success'])
    {
        echo '<div class="success">'.$_SESSION['msg']['passwordchange-success'].'</div>';
        unset($_SESSION['msg']['passwordchange-success']);
    }
    ?>
    <label class="grey" for="password1">Current Password:</label>
    <input class="field" type="password" name="password1" id="password1" value="" size="23" />
    <label class="grey" for="passwordnew1">New Password:</label>
    <input class="field" type="password" name="passwordnew1" id="passwordnew1" size="23" />
    <input type="submit" name="submit" value="Change" class="bt_register" style="margin-left: 382px;" />
</form>
I have it working where a user is able to change/update their password; however, when they click the Change button on the form, they are directed to that error message I posted above, and if they click the refresh button, only then are they redirected back to their profile and the changes have been made. So my main question at hand is, how do I get this to fully work without that mysql error message? Any help would be much appreciated!
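The "near '1'" error is what MySQL reports when the boolean TRUE returned by the first mysql_query() call for the UPDATE is handed to a second mysql_query() call, where it is cast to the query string "1". The following is an added example, not part of the original post, that runs the UPDATE exactly once through a PDO prepared statement. The function name change_password, the in-memory SQLite table and the use of password_hash() in place of md5() are assumptions made for illustration.

```php
<?php
// Added example: column names follow the post; the in-memory SQLite
// database and password_hash() storage are assumptions.

function change_password(PDO $db, string $username, string $current, string $new): array
{
    if ($current === '' || $new === '') {
        return [false, 'All the fields must be filled in!'];
    }

    // Look the user up by name only; the stored hash is verified in PHP.
    $stmt = $db->prepare('SELECT id, pass FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row || !password_verify($current, $row['pass'])) {
        return [false, 'Wrong Password To Start With!'];
    }

    // The UPDATE is prepared once and executed once. The value returned
    // by execute() is a status flag, never a query to be run again.
    $upd = $db->prepare('UPDATE members SET pass = ? WHERE id = ?');
    $ok = $upd->execute([password_hash($new, PASSWORD_DEFAULT), $row['id']]);

    return $ok ? [true, 'Password changed.'] : [false, 'Update failed.'];
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass TEXT)');
$ins = $db->prepare('INSERT INTO members (username, pass) VALUES (?, ?)');
$ins->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// A wrong current password is rejected, the correct one changes the
// hash, and the new password is then accepted as the current one.
var_dump(change_password($db, 'alice', 'guess', 'new-secret'));
var_dump(change_password($db, 'alice', 'old-secret', 'new-secret'));
var_dump(change_password($db, 'alice', 'new-secret', 'newer-secret'));
```

Rows that still hold md5() values will not pass password_verify() and would have to be re-hashed, for example at each user's next successful login.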