Snatch Posted January 2, 2008
https://forums.phpfreaks.com/topic/84126-whats-gone-wrong/

Hi, I'm creating a user login system using the exact code from Beginning PHP5, Apache, MySQL Web Development. It all seems to work fine apart from the update details page, where I get the following error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

The code for the page is:

```php
<?php
session_start();
include "auth_user.inc.php";
include "conn.inc.php";
?>
<html>
<head>
<title>Beginning PHP, Apache, MySQL Web Development</title>
</head>
<body>
<h1>Update Account Information</h1>
Here you can update your account information for viewing in your profile.<br><br>
<?php
if ($_POST['submit'] == "Update") {
  $query_update = "UPDATE user_info SET email = '" . $_POST['email'] . "', city = '" . $_POST['city'] . "', state = '" . $_POST['state'] . "', hobbies = '" . implode(", ", $_POST['hobbies']) . "' WHERE username = '" . $_SESSION['user_logged']. "' AND password = (password('" . $_SESSION['user_password'] . "';";
  $result_update = mysql_query($query_update) or die(mysql_error());
  $query = "SELECT * FROM user_info WHERE username = '" . $_SESSION['user_logged']. "' AND password = (password('" . $_SESSION['user_password'] . "'));";
  $result = mysql_query($query) or die(mysql_error());
  $row = mysql_fetch_array($result);
  $hobbies = explode(", ", $row['hobbies'])
?>
<b>Your account information has been updated.</b><br>
<a href="user_personal.php">Click here</a> to return to your account.
<form action="update_account.php" method="post">
Email: <input type="text" name="email" value="<?php echo $row['email']; ?>"><br>
City: <input type="text" name="city" value="<?php echo $row['city']; ?>"><br>
State: <input type="text" name="state" value="<?php echo $row['state']; ?>"><br>
Hobbies/Interests: (choose at least one)<br>
<select name="hobbies[]" size="10" multiple>
<option value="Golfing"<?php if (in_array("Golfing", $hobbies)) echo " selected"; ?>>Golfing</option>
<option value="Hunting"<?php if (in_array("Hunting", $hobbies)) echo " selected"; ?>>Hunting</option>
<option value="Reading"<?php if (in_array("Reading", $hobbies)) echo " selected"; ?>>Reading</option>
<option value="Dancing"<?php if (in_array("Dancing", $hobbies)) echo " selected"; ?>>Dancing</option>
<option value="Internet"<?php if (in_array("Internet", $hobbies)) echo " selected"; ?>>Internet</option>
<option value="Flying"<?php if (in_array("Flying", $hobbies)) echo " selected"; ?>>Flying</option>
<option value="Traveling"<?php if (in_array("Traveling", $hobbies)) echo " selected"; ?>>Traveling</option>
<option value="Exercising"<?php if (in_array("Exercising", $hobbies)) echo " selected"; ?>>Exercising</option>
<option value="Computers"<?php if (in_array("Computers", $hobbies)) echo " selected"; ?>>Computers</option>
<option value="Other Than Listed"<?php if (in_array("Other Than Listed", $hobbies)) echo " selected"; ?>>Other Than Listed</option>
</select><br><br>
<input type="submit" name="submit" value="Update">
<input type="button" value="Cancel" onClick="history.go(-1);">
</form>
<?php
} else {
  $query = "SELECT * FROM user_info WHERE username = '" . $_SESSION['user_logged']. "' AND password = (password('" . $_SESSION['user_password'] . "'));";
  $result = mysql_query($query) or die(mysql_error());
  $row = mysql_fetch_array($result);
  $hobbies = explode(", ", $row['hobbies'])
?>
<form action="update_account.php" method="post">
Email: <input type="text" name="email" value="<?php echo $row['email']; ?>"><br>
City: <input type="text" name="city" value="<?php echo $row['city']; ?>"><br>
State: <input type="text" name="state" value="<?php echo $row['state']; ?>"><br>
Hobbies/Interests: (choose at least one)<br>
<select name="hobbies[]" size="10" multiple>
<option value="Golfing"<?php if (in_array("Golfing", $hobbies)) echo " selected"; ?>>Golfing</option>
<option value="Hunting"<?php if (in_array("Hunting", $hobbies)) echo " selected"; ?>>Hunting</option>
<option value="Reading"<?php if (in_array("Reading", $hobbies)) echo " selected"; ?>>Reading</option>
<option value="Dancing"<?php if (in_array("Dancing", $hobbies)) echo " selected"; ?>>Dancing</option>
<option value="Internet"<?php if (in_array("Internet", $hobbies)) echo " selected"; ?>>Internet</option>
<option value="Flying"<?php if (in_array("Flying", $hobbies)) echo " selected"; ?>>Flying</option>
<option value="Traveling"<?php if (in_array("Traveling", $hobbies)) echo " selected"; ?>>Traveling</option>
<option value="Exercising"<?php if (in_array("Exercising", $hobbies)) echo " selected"; ?>>Exercising</option>
<option value="Computers"<?php if (in_array("Computers", $hobbies)) echo " selected"; ?>>Computers</option>
<option value="Other Than Listed"<?php if (in_array("Other Than Listed", $hobbies)) echo " selected"; ?>>Other Than Listed</option>
</select><br><br>
<input type="submit" name="submit" value="Update">
<input type="button" value="Cancel" onClick="history.go(-1);">
</form>
<?php
}
?>
</body>
</html>
```

If anyone could shed any light on this I'd be most grateful, thanks!
PFMaBiSmAd Posted January 2, 2008

It would help if you tell us which one of the queries in that code is the one that is generating the error.
revraz Posted January 2, 2008

The first thing you'll want to do is not insert your $_POST data directly into your DB. You want to make sure it contains information you expect, and you also want to make sure there is nothing harmful in it.
trq Posted January 2, 2008

It's always a good idea to echo your queries when debugging. This will make any issues clearer.

```php
$query_update = "UPDATE user_info SET email = '" . $_POST['email'] . "', city = '" . $_POST['city'] . "', state = '" . $_POST['state'] . "', hobbies = '" . implode(", ", $_POST['hobbies']) . "' WHERE username = '" . $_SESSION['user_logged']. "' AND password = (password('" . $_SESSION['user_password'] . "';";
// Append the query text to the error so you can see exactly what was sent to MySQL.
$result_update = mysql_query($query_update) or die(mysql_error() . "<br />$query_update");
```

PS: I find it hard to believe that a book would recommend using MySQL's password function over md5. MySQL's password function is actually an internal function and is NOT intended for use in client code. It will break code when MySQL upgrades occur.
redarrow Posted January 2, 2008

```php
$query_update = "UPDATE user_info SET email = '" . $_POST['email'] . "', city = '" . $_POST['city'] . "', state = '" . $_POST['state'] . "', hobbies = '" . implode(", ", $_POST['hobbies']) . "' WHERE username = '" . $_SESSION['user_logged']. "' AND password = (password('" . $_SESSION['user_password'] . "';";
$result_update = mysql_query($query_update) or die(mysql_error());
```

Don't use $_POST[''] in a query; it's bad PHP programming. Example:

```php
// Escape the submitted value before it goes anywhere near the query string.
$city = mysql_real_escape_string($_POST['city']);
```

Then update. Your way is a very bad way.
Snatch (Author) Posted January 2, 2008

Ok, as you can no doubt tell I'm pretty new to PHP. It seems as though this book isn't going to be much good then (I always thought Wrox were fairly good!). Can anyone direct me to a good login system tutorial (preferably with admin features) that uses md5 please?
aschk Posted January 2, 2008

Rule of thumb #1: Escape input, filter output. Google it.
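The advice from revraz, redarrow and aschk above (never put $_POST straight into a query, check the data is what you expect, escape input, filter output), applied to the thread's update_account.php as an added example. This is not code from the thread or from the Wrox book; it keeps the original's table and column names but is written for current PHP with mysqli prepared statements, so the quoting slip in the original UPDATE string (its `(password('...` is never closed the way the SELECT's is) cannot happen, and a quote character inside a submitted value cannot change the statement. The connection credentials, the `$conn` variable and the helper names are assumptions.

```php
<?php
// Added example, not from the thread or the book it quotes. Assumptions:
// a mysqli connection $conn, the credentials below, and that auth_user.inc.php
// has already put the logged-in username in $_SESSION['user_logged'].
declare(strict_types=1);

// The only values the form offers; anything else is rejected ("escape input"
// starts with deciding what is acceptable at all).
const ALLOWED_HOBBIES = ['Golfing', 'Hunting', 'Reading', 'Dancing', 'Internet',
    'Flying', 'Traveling', 'Exercising', 'Computers', 'Other Than Listed'];

/** Fetch a POST field as a trimmed string; arrays (email[]=x) become ''. */
function postString(array $post, string $key): string
{
    return is_string($post[$key] ?? null) ? trim($post[$key]) : '';
}

/**
 * Validate the submitted profile fields. Returns the cleaned values or
 * throws InvalidArgumentException with a message safe to show the user.
 */
function validateProfileInput(array $post): array
{
    $email = filter_var(postString($post, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('A valid email address is required.');
    }
    $city  = postString($post, 'city');
    $state = postString($post, 'state');
    if ($city === '' || strlen($city) > 64 || $state === '' || strlen($state) > 64) {
        throw new InvalidArgumentException('City and state must be 1 to 64 characters.');
    }
    $hobbies = $post['hobbies'] ?? [];
    if (!is_array($hobbies) || $hobbies === []) {
        throw new InvalidArgumentException('Choose at least one hobby.');
    }
    foreach ($hobbies as $hobby) {
        if (!in_array($hobby, ALLOWED_HOBBIES, true)) {   // strict: no type juggling
            throw new InvalidArgumentException('Unknown hobby submitted.');
        }
    }
    return ['email' => $email, 'city' => $city, 'state' => $state,
            'hobbies' => implode(', ', $hobbies)];   // same storage format as the original
}

/**
 * Update the logged-in user's row. The username comes from the session, never
 * from the form, and every value is bound as a parameter, so the data can only
 * ever be data, not SQL.
 */
function updateProfile(mysqli $conn, string $username, array $clean): bool
{
    $stmt = $conn->prepare(
        'UPDATE user_info SET email = ?, city = ?, state = ?, hobbies = ? WHERE username = ?'
    );
    $stmt->bind_param('sssss', $clean['email'], $clean['city'], $clean['state'],
                      $clean['hobbies'], $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** "Filter output": escape a stored value before it is placed in HTML. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- page flow, mirroring the original update_account.php --------------------
session_start();
if (!isset($_SESSION['user_logged'])) {
    exit('Not logged in.');   // the original delegates this check to auth_user.inc.php
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // exceptions instead of die(mysql_error())
$conn = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');   // assumed credentials
$conn->set_charset('utf8mb4');   // keeps the driver's escaping and the connection charset in step

if (($_POST['submit'] ?? '') === 'Update') {
    try {
        updateProfile($conn, $_SESSION['user_logged'], validateProfileInput($_POST));
        echo '<b>Your account information has been updated.</b><br>';
    } catch (InvalidArgumentException $e) {
        echo '<b>' . h($e->getMessage()) . '</b><br>';
    }
}

// Re-display the form from the stored row, escaping every value on the way out
// (the original echoed $row['email'] into a value="" attribute unescaped).
$stmt = $conn->prepare('SELECT email, city, state, hobbies FROM user_info WHERE username = ?');
$stmt->bind_param('s', $_SESSION['user_logged']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc() ?: ['email' => '', 'city' => '', 'state' => '', 'hobbies' => ''];
$hobbies = explode(', ', $row['hobbies']);
echo '<form action="update_account.php" method="post">';
echo 'Email: <input type="text" name="email" value="' . h($row['email']) . '"><br>';
echo 'City: <input type="text" name="city" value="' . h($row['city']) . '"><br>';
echo 'State: <input type="text" name="state" value="' . h($row['state']) . '"><br>';
echo '<select name="hobbies[]" size="10" multiple>';
foreach (ALLOWED_HOBBIES as $hobby) {   // one loop replaces the ten hand-written <option> lines
    $sel = in_array($hobby, $hobbies, true) ? ' selected' : '';
    echo '<option value="' . h($hobby) . '"' . $sel . '>' . h($hobby) . '</option>';
}
echo '</select><br><br><input type="submit" name="submit" value="Update"></form>';
```

Two design choices worth noting. The WHERE clause no longer re-checks `password = PASSWORD(...)`: the session already identifies the user, and, following trq's point about MySQL's PASSWORD() being an internal function, any password verification belongs in PHP against a hash stored at registration time (PHP's own `password_hash()`/`password_verify()` in current versions) rather than inside the query. And the hobbies allow-list does double duty: it rejects anything the form did not offer on input, and it drives the rendering of the form on output, so the stored string can never smuggle markup back into the page.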
Snatch (Author) Posted January 2, 2008

I've tried Google, but it seems hard to find one that isn't too simple or overly complex. Was just wondering if anyone knew of some good ones?
revraz Posted January 2, 2008

Check this one out: http://www.roscripts.com/PHP_login_script-143.html