Trouble with SQL Update function

Minor_Threat

Im having trouble updating passwords in the DB:
Heres the code:

<?PHP
// MAKE CONNECTION
include ('db_connect.php');

// CHECK FIELDS
if (isset( $_POST['cpass']) && isset ($_POST['npword']) && isset ($_POST['npword2'] ) && $_POST['npword'] == $_POST['npword2'] ) {
    echo "Hello $igname<br />";
    echo changepass($_POST);
}elseif ($_POST['npword'] =! $_POST['npword2']){
	echo "Your passwords did not match. Please try again.";
}else{
    echo "You did not fill in a required field.";  

}


// INSERT INTO TABLE
function changepass($postArr){
$sql = "SELECT * FROM `users` WHERE `userid` = $_COOKIE[userid]";
$result1 = mysql_query($sql) or die('Query failed: ' . mysql_error());


while ($line = mysql_fetch_array($result1)) {


   $opwfdb = $line['password'];
 $cpass = md5($postArr['cpass']);
   if ($opwfdb == $cpass){
   echo "Your current password is correct";

}else{
die ("Your current password is incorrect, Try again");
   }

}

$query = "UPDATE users SET password = '$cpass' WHERE userid = $_COOKIE[userid]";
$result = mysql_query($query) or die('Query 2 failed: ' . mysql_error());
}



?>

This doesnt come up with an error, but it also doesnt update the password.

Thanks in advance

wempy

Hi,

try changing this line:

$query = "UPDATE users SET password = '$cpass' WHERE userid = $_COOKIE[userid]";

to read:

$query = "UPDATE users SET password = '" . $cpass . "' WHERE userid = $_COOKIE[userid]";

form what I understand any variable inside double quotes will be expanded by the parser, but not when it is inside single quotes, though that isn't really the case in your example as the single quotes are inside the double quotes, but I have always found it to work this way every time.

Minor_Threat

Wempy,

I did what you said, now i get this error:

Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

dalecosp

wempy wrote:
try changing this line:
to read:
$query = "UPDATE users SET password = '" . $cpass . "' WHERE userid = $_COOKIE[userid]";

Standard practice would be to concatenate the superglobal and single quote the array key:

$query = "UPDATE users SET password = '$cpass' WHERE userid = ".$_COOKIE['userid'];

However, on my PHP5 setup, I don't see where either usage gives an invalid SQL syntax. See the manual for further details; ATM I can't even think exactly why this is true...late, I guess.

The OP should probably tell his script to echo() the $query and see what it really looks like.

Minor_Threat

OMG I am an idiot! I was using the current password variable as the new password variable... Sorry for that lol

dalecosp

Happens to all once in a while. Mark this one "RESOLVED" if you please (see "thread tools", above).