This is my PHP code:

```php
if(isset($_POST['change_password'])){
    $newpassword=$_POST['newpassword'];
    $password2=$_POST['password2'];
    $oldpassword=$_POST['oldpassword'];
    $status = "OK";
    $msg="";
    // Look up the stored password for the logged-in employee (bound parameter).
    $count=$db->prepare("SELECT password FROM hr_record WHERE emp_id=:emp_id");
    $count->bindParam(":emp_id",$_SESSION['emp_id'],PDO::PARAM_STR);
    $count->execute();
    $row = $count->fetch(PDO::FETCH_OBJ);
    // echo $row->password;
    // echo $oldpassword;
    if($row->password<>($oldpassword)){
        echo $row->password; // debug output: prints the stored password value to the page
        $msg=$msg."Your old password is not matching as per our record.<BR>";
        $status= "NOTOK";
    }
    if ( strlen($newpassword) <= 8 or strlen($newpassword) > 15 ){
        $msg=$msg."Password must be more than 8 characters long and at most 15 characters long<BR>";
        $status= "NOTOK";
    }
    if ( $newpassword <> $password2 ){
        $msg=$msg."Both passwords are not matching<BR>";
        $status= "NOTOK";
    }
    if($status<>"OK"){
        echo "<font face='Verdana' size='2' color=red>$msg</font>
        <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
    }else{ // if all validations are passed.
        $newpassword=md5($newpassword); // Hash the password before storing
        //if(mysql_query("update hr_record set password='$password' where emp_id='$_SESSION[emp_id]'")){
        // This is the statement that raises the PDOException shown below.
        $sql=$db->prepare("UPDATE hr_record SET :password = $newpassword WHERE emp_id='$_SESSION[emp_id]'");
        $sql->bindParam(':password', $newpassword, PDO::PARAM_STR);
        if($sql->execute()){
            echo "<font face='Verdana' size='2' ><center>Thanks <br>
            Your password changed successfully. Please keep changing your password for better security</font></center>";
        }else{
            echo "<font face='Verdana' size='2' color=red><center>Sorry <br>
            Failed to change password Contact Site Admin</font></center>";
        }
    }
}
```
I get the following error from the code block above:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '? = a99442d2a736365f5fe637e299b0e339 WHERE emp_id='239-22-1002'' at line 1' in /var/www/html/loginregister/staffarea/profile.php:47
Can you please tell me what the problem could be?
CodePudding user response:
Your SQL syntax in the update statement is wrong. It should look like:

```php
$sql = $db->prepare("UPDATE hr_record SET password = :password WHERE emp_id = :emp_id");
$sql->bindParam(':password', $newpassword, PDO::PARAM_STR);
$sql->bindParam(':emp_id', $_SESSION['emp_id'], PDO::PARAM_STR);
```
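The answer above fixes the one statement the error points at. As an added example that is neither the asker's nor the answerer's code, here is the whole change-password step written with that fix applied end to end: placeholders stand in only for values (the column name `password` is literal SQL, the hash and the employee id are both bound), the old password is checked with `password_verify()` against a `password_hash()` digest instead of comparing plaintext to the column, and the session id is never interpolated into the query string. It assumes the same `hr_record` table with `emp_id` and `password` columns, a PDO connection in `$db`, and the length rule from the original (more than 8, at most 15 characters); the SQLite in-memory database and the `EMP-0001` row are constructed here so the example runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the page's code. Returns ['ok' => bool, 'errors' => string[]].
function changePassword(PDO $db, string $empId, string $oldPassword,
                        string $newPassword, string $confirm): array
{
    $errors = [];

    // Fetch the stored hash for this employee with a bound parameter.
    $stmt = $db->prepare("SELECT password FROM hr_record WHERE emp_id = :emp_id");
    $stmt->bindValue(':emp_id', $empId, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    // Compare against the stored hash; the plaintext never equals the column value.
    if ($row === false || !password_verify($oldPassword, $row->password)) {
        $errors[] = "Your old password does not match our record.";
    }

    // Same length rule as the original code: reject 8 or fewer, and more than 15.
    $len = strlen($newPassword);
    if ($len <= 8 || $len > 15) {
        $errors[] = "Password must be more than 8 and at most 15 characters long.";
    }

    if ($newPassword !== $confirm) {
        $errors[] = "Both passwords do not match.";
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Placeholders can only carry values, so the column name is literal SQL
    // and both the new hash and the employee id are bound.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $upd  = $db->prepare("UPDATE hr_record SET password = :password WHERE emp_id = :emp_id");
    $upd->bindValue(':password', $hash, PDO::PARAM_STR);
    $upd->bindValue(':emp_id', $empId, PDO::PARAM_STR);
    $upd->execute();

    // Exactly one row should have been updated for a known employee id.
    return ['ok' => $upd->rowCount() === 1, 'errors' => []];
}

// Constructed in-memory database standing in for the MariaDB table in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE hr_record (emp_id TEXT PRIMARY KEY, password TEXT NOT NULL)");
$seed = $db->prepare("INSERT INTO hr_record (emp_id, password) VALUES (:emp_id, :password)");
$seed->execute([':emp_id' => 'EMP-0001', ':password' => password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong old password, then the correct one.
var_dump(changePassword($db, 'EMP-0001', 'wrong-old', 'newsecret123', 'newsecret123'));
var_dump(changePassword($db, 'EMP-0001', 'old-secret', 'newsecret123', 'newsecret123'));
```

The `UPDATE` line is the same shape as the accepted answer; the rest shows why the original error message read `? = a99442d2...`: the driver had replaced `:password` with a `?` on the left-hand side of the assignment, where only a column name is valid, while the hash and the session id had been pasted into the SQL text as literals.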