Uncaught exception 'PDOException' with message 'SQLSTATE[42000]:

Time:11-29

This is my PHP code:

if(isset($_POST['change_password'])){
    $newpassword=$_POST['newpassword'];
    $password2=$_POST['password2'];
    $oldpassword=$_POST['oldpassword'];
    $status = "OK";
    $msg="";

    $count=$db->prepare("SELECT password FROM hr_record WHERE emp_id=:emp_id");
    $count->bindParam(":emp_id",$_SESSION['emp_id'],PDO::PARAM_STR);
    $count->execute();
    $row = $count->fetch(PDO::FETCH_OBJ);
    //  echo $row->password;
    //  echo $oldpassword;
    if($row->password<>($oldpassword)){
        echo $row->password;
        $msg=$msg."Your old password is not matching as per our record.<BR>";
        $status= "NOTOK";
    }

    if ( strlen($newpassword) <= 8 or strlen($newpassword) > 15 ){
        $msg=$msg."Password must be more than 8 char length and maximum 15 char length<BR>";
        $status= "NOTOK";
    }

    if ( $newpassword <> $password2 ){
        $msg=$msg."Both passwords are not matching<BR>";
        $status= "NOTOK";
    }

    if($status<>"OK"){
        echo "<font face='Verdana' size='2' color=red>$msg</font>
        <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
    }else{ // if all validations are passed.
        $newpassword=md5($newpassword); // Encrypt the password before storing
        //if(mysql_query("update hr_record set password='$password' where emp_id='$_SESSION[emp_id]'")){
        $sql=$db->prepare("UPDATE hr_record SET :password = $newpassword WHERE emp_id='$_SESSION[emp_id]'");
        $sql->bindParam(':password', $newpassword, PDO::PARAM_STR);
        if($sql->execute()){
            echo "<font face='Verdana' size='2' ><center>Thanks <br>
            Your password changed successfully. Please keep changing your password for better security</font></center>";
        }else{
            echo "<font face='Verdana' size='2' color=red><center>Sorry <br>
            Failed to change password Contact Site Admin</font></center>";
        }
    }
}

I get the following error from the code block above:

Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax 
error or access violation: 1064 You have an error in your SQL syntax; 
check the manual that corresponds to your MariaDB server version for the 
right syntax to use near '? = a99442d2a736365f5fe637e299b0e339 WHERE 
emp_id='239-22-1002'' at line 1' in 
/var/www/html/loginregister/staffarea/profile.php:47

Can you please tell me what could be the problem?

CodePudding user response:

Your SQL syntax in the update statement is wrong. It should look like:

$sql = $db->prepare("UPDATE hr_record SET password = :password WHERE emp_id = :emp_id");
$sql->bindParam(':password', $newpassword, PDO::PARAM_STR);
$sql->bindParam(':emp_id', $_SESSION['emp_id'], PDO::PARAM_STR);
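The root cause is that a PDO placeholder stands for a value, never for a column name: the driver turns `SET :password = ...` into `SET ? = ...` (or `SET 'a99...' = ...` once bound), which is the syntax error in the question. The same handler also interpolates the new password and `$_SESSION[emp_id]` straight into the SQL string, which is the pattern prepared statements exist to avoid. The following is an added example written for this page, not code from the questioner or the answerer. It runs against an in-memory SQLite database so it works offline; the table `hr_record` and columns `emp_id`/`password` follow the question, the seed row is constructed, and storing `password_hash()` output instead of `md5()` is an assumption of the example.

```php
<?php
// Added example (not from the question or answer): a change-password
// handler that keeps every column name in the SQL text and binds every
// user-controlled or session-derived value. SQLite in-memory is used so
// the script runs offline; on MariaDB the same statements apply.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE hr_record (emp_id TEXT PRIMARY KEY, password TEXT NOT NULL)");
    // Constructed seed row; the emp_id mirrors the one in the error message.
    // Storing a password_hash() digest (not md5) is an assumption of this example.
    $seed = $db->prepare("INSERT INTO hr_record (emp_id, password) VALUES (:emp_id, :password)");
    $seed->execute([
        ':emp_id'   => '239-22-1002',
        ':password' => password_hash('OldPass#2023', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// Returns validation messages; an empty array means the password was changed.
function changePassword(PDO $db, string $empId, string $old, string $new, string $confirm): array {
    $errors = [];

    // Column names are literal SQL; only the value is a placeholder.
    $stmt = $db->prepare("SELECT password FROM hr_record WHERE emp_id = :emp_id");
    $stmt->bindValue(':emp_id', $empId, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    if ($row === false || !password_verify($old, $row->password)) {
        $errors[] = "Your old password is not matching as per our record.";
    }
    $len = strlen($new);
    if ($len <= 8 || $len > 15) {           // same bounds as the question
        $errors[] = "Password must be more than 8 characters and at most 15 characters.";
    }
    if (!hash_equals($new, $confirm)) {
        $errors[] = "Both passwords are not matching.";
    }
    if ($errors) {
        return $errors;
    }

    // Corrected UPDATE: column on the left, both values bound, nothing interpolated.
    $upd = $db->prepare("UPDATE hr_record SET password = :password WHERE emp_id = :emp_id");
    $upd->bindValue(':password', password_hash($new, PASSWORD_DEFAULT), PDO::PARAM_STR);
    $upd->bindValue(':emp_id', $empId, PDO::PARAM_STR);
    $upd->execute();
    return [];
}

$db = openDb();

// The question's shape: a placeholder where a column name belongs.
// The driver rejects it (at prepare time, or at execute time when
// emulated prepares are enabled), which is the PDOException from the question.
try {
    $bad = $db->prepare("UPDATE hr_record SET :password = 'x' WHERE emp_id = :emp_id");
    $bad->execute([':password' => 'x', ':emp_id' => '239-22-1002']);
    echo "unexpectedly accepted\n";
} catch (PDOException $e) {
    echo "Rejected as expected: " . $e->getMessage() . "\n";
}

// Wrong old password and too-short new password: two messages back.
print_r(changePassword($db, '239-22-1002', 'wrong', 'short', 'short'));
// Valid change: empty array, row updated.
print_r(changePassword($db, '239-22-1002', 'OldPass#2023', 'NewPass#2024', 'NewPass#2024'));
```

Two design points worth keeping: `bindValue()` with an explicit `PDO::PARAM_STR` for `emp_id` avoids the `bindParam()` by-reference surprise when the variable changes before `execute()`, and comparing the stored hash with `password_verify()` rather than `<>` means the plaintext never has to be reconstructed from the database row.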