Updating a password

[Xeven]

Ok so I have another question for you friendly people at PHP Freaks.

 

I am trying to make a sort of control panel page for user accounts.  On this page I am trying to allow the user to change their current password.  This is being done by the browser using the session, which holds the name of the user logged in.  So it checks who the user is and updates my MySQL database that way.

 

Here is what I have done so far

<?php session_start(); // sessions are started?>
<? include ("info.inc");

    $connect = mysql_connect($host,$account,$password);
    $db = mysql_select_db("database")
    or die("Can't connect to database");

$password1 = $_POST['password1'];
$password2 = $_POST['password2'];


// start the query
$query = mysql_query("UPDATE user SET password1=MD5('$password1'), password2=MD5('$password2') 
		WHERE emailaddress1 = '".$_SESSION['sessioname']."'");
		$result = mysql_query($query) or die(mysql_error());



?>

 

The only problem is, it is not updating anything but is giving me the following error:

 

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1"

 

If anyone has any idea's as to what I can try to fix this I would be very grateful.

[revraz]

echo $query and it should give you a indication of why.

[discomatt]

I'm no mysql guru, but try escapting all mysql field names. Sometimes you can be using a reserved name without knowing it

 

$query = mysql_query("

 

UPDATE `user` SET `password1` = MD5('" . mysql_escape_string($password1) . "'), `password2` = MD5('" . mysql_escape_string($password2) . "')

WHERE `emailaddress1` = '" . $_SESSION['sessioname'] . "'

 

");

[soycharliente]

I concur with discomatt. In the past I've used 'date' as a column name and didn't even realize it. Using backticks (`) to escape all table and column names is always a great idea.

[Xeven]

I did reply to this thread last night but for some reason my last post has gone missing.

 

Ok so I have put an echo around:

	echo $query = mysql_query("UPDATE user SET password1=MD5('$password1'), password2=MD5('$password2') 
		WHERE emailaddress1 = '".$_SESSION['sessioname']."'");

 

and now I seem to get a "1" at the start of the sentence like so:

 

1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1

 

Thanks for helping guys.

[Agricola]

this is proberbly the offending part

'".$_SESSION['sessioname']."'");

 

what you have here is a syntax when building a query as a string, not calling it direct

EDIT

you be better off just doing it this way in long run.

<?php
$pw_update = "UPDATE user SET password1=MD5('$password1'), password2=MD5('$password2') 
		WHERE emailaddress1 = '".$_SESSION['sessioname']."'  ";

$query = mysql_query($pw_update);

?>

 

 

 

EDIT:

 

AS for missing post, the dababase died or somthing like that, as i registered yesterday and replied to a few things but when come to log on came up with username not in database, so had to re register.  appears the database was rolled back prior to my signing up.

[Xeven]

That has solved the problem.  Thanks a lot for your help!

 

 

[soycharliente]

Thanks hackers. That was what I suggested as well but it got deleted. Sorry we couldn't help you solve your problem earlier.

 

I always have my query in a variable and then pass the variable to the mysql_query function. That way it's much easier to echo out if I'm having problems with errors or things just not updating.