I've defined a user settings page in my website, and there are several forms that appears on that page, I'v written a query for these fields to be updated upon clicking on "submit" button, but some how I end up having this error below;
User Could Not Be Updated Because:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SHA1(5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)', ' WHERE id =' at line 1
this is profile settings page codes for the form:
<?php
$uid = $_SESSION['user_id'];
$query = mysqli_query($dbc, "SELECT * FROM users WHERE id = $uid ")or die(mysql_error());
$arr = mysqli_fetch_assoc($query);
?>
<form action="?page=profileset&id=<?php echo $arr['id']; ?>" method="post" role="form">
<label for="first">First Name</label>
<input class="form-control" type="text" name="first" id="first" value="<?php echo $arr['first']; ?>" placeholder="First Name" autocomplete="off">
</div>
<div class="from-group">
<label for="last">Last Name</label>
<input class="form-control" type="text" name="last" id="last" value="<?php echo $arr['last']; ?>" placeholder="Last Name" autocomplete="off">
</div>
<br>
<div class="from-group">
<label for="email">Email Address</label>
<input class="form-control" type="text" name="email" id="email" value="<?php echo $arr['email']; ?>" placeholder="Email Address" autocomplete="off">
</div>
<div class="from-group">
<label for="password">Password</label>
<input class="form-control" type="password" name="password" id="password" value="<?php echo $arr['password']; ?>" placeholder="Password" autocomplete="off">
</div>
<button id="profile-btn-change" type="submit" class="btn">Submit Changes</button>
<input type="hidden" name="submitted" value="1">
</form>
and this is the query which updates this form;
if(isset($_POST['submitted']) == 1){
$first = mysqli_real_escape_string($dbc, $_POST['first']);
$last = mysqli_real_escape_string($dbc, $_POST['last']);
$password = SHA1($_POST['password']);
$action = 'Updated';
$q = "UPDATE users SET first = '".$first."', last = '".$last."', email = '".$_POST['email']."', password = '".$password."' WHERE id = '".$_POST['id']."'";
$r = mysqli_query($dbc, $q);
if($r){
$message = '<p class="alert alert-success">User Was '.$action.'!</p>';
} else {
$message = '<p class="alert alert-danger">User Could Not Be '.$action.' Because:'.mysqli_error($dbc);
}
}
any consideration is appreciated
You are repeating the password = part in the UPDATE query.
do
$password = sha1($_POST[password]);
instead of
$password = " password = 'SHA1($_POST[password])', ";
make sure you try the update query like
$q = "UPDATE users SET first = '".$first."', last = '".$last."', email = '".$_POST['email']."', password = '".$password."' WHERE id = '".$_POST['id']."'";
and try to sanitize the variables while you use them.