Help with updating a SQL field

afinch

Hi,

I downloaded a game script which im now editing to what i want to have. However the script didnt have a change password feature. I have tried to make one but with little luck i get the following error:

QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''md5('') WHERE userid=6' at line 1
Query was UPDATE users SET userpass='md5('') WHERE userid=6

this is my code:

Can anyone shed any light on why this isnt working???

dagon

look at the quote's you have in the query.

bradgrafelman

Also note that your code is vulnerable to SQL injection attacks; user-supplied data should never be placed directly into a SQL query. Instead, you should first sanitize it with a function such as [man]mysql_real_escape_string/man (in the case of integers, however, note you can simply cast the value to an int to ensure that it has been sanitized).

Also note that you could simply [man]md5/man the password submitted and then place that hash into the query string in a simple comparison.

Also note that MD5 has long since been "cracked" and isn't very safe at all when it comes to preventing unauthorized access. You might consider using SHA256 or better instead.

grallis

afinch;10906382 wrote:
Hi,

$oq=$db->query("SELECT * FROM users WHERE userid={$POST['userid']}");
$rm=$db->fetch_row($oq);
$db->query("UPDATE users SET userpass='md5('{$POST['userpass']}') WHERE userid={$POST['userid']}");
stafflog_add("Edited password {$POST['username']} [{$_POST['userid']}]");
print "User edited....";
}

Can anyone shed any light on why this isnt working???

A quick example for you to build on would be something like this:

// sanitize and alias as bradgrafelman stated
$pass = md5($POST['userpass']);
$user = mysql_real_escape_string($POST['userid']);

// an example of typecasting as bradgrafelman once again stated
$value = (int)$value; // casts $value as an integer. You can do this with other datatypes as well such as (boolean)

$db->query("UPDATE users SET userpass='".$pass."' WHERE userid='".$user."'");

Those quotes are like so: ' " . $variable . " '

That's just a personal preference for syntax that I have - I find it makes reading the variables and colour coding easier.

Also, depending on the circumstances, a quick way to sanitize your data would be to do something like this(again something to build on):

foreach($POST as $k=>$v){
$POST[$k] = mysql_real_escape_string($_POST[$k]);
}

Hope this helps.