
Here is the given error:

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '

Warning: Undefined variable $id in C:\xampp\htdocs\food-or...' at line 1 in C:\xampp\htdocs\food-order\Backend\update-password.php:53 Stack trace: #0 C:\xampp\htdocs\food-order\Backend\update-password.php(53): mysqli_query(Object(mysqli), 'SELECT* FROM tb...') #1 {main} thrown in C:\xampp\htdocs\food-order\Backend\update-password.php on line 53

And here is line 53, where the error seems to be:

$sql = "SELECT* FROM tbl_admin WHERE id=$id AND password='$current_password'";//line51
    
//Execute the Query //line52
$res = mysqli_query($conn, $sql); //line53

if ($res == true){ //line54
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jun 01 '22 at 10:18
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Parameterising your queries will also **greatly reduce the risk of accidental syntax errors** as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Jun 01 '22 at 10:19
  • Also, please don't store passwords in plain text or using obsolete algorithms such as md5 or sha-1 - that is another security risk. Learn about [password hashing](https://www.php.net/manual/en/faq.passwords.php) instead. See also [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – ADyson Jun 01 '22 at 10:19
  • `Undefined variable $id` ...is the root of your problem in this case. Since it's not defined, the SQL query ends up as `SELECT* FROM tbl_admin WHERE id= AND....` which clearly makes no sense. We can't tell you why $id is undefined because you didn't show any relevant code leading up to this point. You need to do some debugging and work out why it's not populated. Did you not google this (very common) error or do any [basic debugging](https://www.atatus.com/blog/debugging-in-php/) before asking here? – ADyson Jun 01 '22 at 10:22
  • It looks like you are using some really bad tutorial. I highly encourage you to find something better. If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection. Here are some good video tutorials https://youtu.be/2eebptXfEvw & https://www.youtube.com/watch?v=sVbEyFZKgqk&list=PLr3d3QYzkw2xabQRUpcZ_IBk9W50M9pe- – Dharman Jun 01 '22 at 10:22
  • `tbl_admin`...please tell me you don't also have `tbl_users` or something? What are you going to do when you need a 3rd type of user, and a 4th? Will you add more tables and repeat all your login code all over again? Clearly this is not sustainable. It's not even particularly sensible for just two types of user. Instead, have a single users table and a single login point. In the users table, have a column to record the user's role (admin, user or whatever else), and use that to decide what they can do in the system and which pages they should redirect to, etc. – ADyson Jun 01 '22 at 10:24
  • If you need more guidance about how to debug "undefined" errors, see ["Notice: Undefined variable", "Notice: Undefined index", "Warning: Undefined array key", and "Notice: Undefined offset" using PHP](https://stackoverflow.com/questions/4261133/notice-undefined-variable-notice-undefined-index-warning-undefined-arr) (this would easily come in your results already if you google the error message...) – ADyson Jun 01 '22 at 10:26
  • Also for future reference to improve your experience on Stackoverflow please take the [tour], and then read [ask] - especially the bits about writing a meaningful title and creating a [mre] of your problem. – ADyson Jun 01 '22 at 10:37
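The two defects the comments above point at, as an added example that is not code from the question or from the commenters: the query on line 51 is built by string interpolation, so an undefined `$id` leaves `WHERE id= AND ...` behind (the syntax error in the question) and a crafted password rewrites the WHERE clause, and the password is compared in plain text. The example reproduces both against a throwaway database and then shows the parameterised query plus `password_verify()` version. It uses PDO with an in-memory SQLite database so that it runs offline with plain `php`; the table name `tbl_admin` and the `id`/`password` columns are taken from the question, while the `username` column, the seeded admin row and the test inputs are constructed here.

```php
<?php
// Added example (not the asker's code). Reproduces the two problems in the
// question's line 51 and shows the hardened replacement. PDO + in-memory
// SQLite is an assumption made so the script runs stand-alone; the same
// prepare/bind pattern exists in mysqli.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE tbl_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// Constructed seed row. The column stores a hash (bcrypt via PASSWORD_DEFAULT),
// never the plaintext, so a plain string comparison in SQL can never match it.
$seed = $db->prepare('INSERT INTO tbl_admin (id, username, password) VALUES (?, ?, ?)');
$seed->execute([1, 'admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// 1. The pattern from the question: values interpolated straight into the SQL.
//    Both the missing-$id case and the injection case come from this one line.
function checkPasswordUnsafe(PDO $db, ?string $id, string $current_password): array
{
    $sql = "SELECT * FROM tbl_admin WHERE id=$id AND password='$current_password'";
    return $db->query($sql)->fetchAll();
}

// 2. Hardened version. The placeholder carries the id as data, so input can
//    never change the shape of the statement; the password is checked in PHP
//    against the stored hash with password_verify(), not compared in SQL.
function checkPasswordSafe(PDO $db, int $id, string $current_password): bool
{
    $stmt = $db->prepare('SELECT password FROM tbl_admin WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row !== false && password_verify($current_password, $row['password']);
}

// (a) $id undefined/null interpolates as an empty string, leaving
//     "WHERE id= AND password='...'": the server rejects it with the same
//     class of syntax error the question shows (SQLite and MariaDB alike).
try {
    checkPasswordUnsafe($db, null, 'whatever');
} catch (PDOException $e) {
    echo "unsafe query with missing id failed: ", $e->getMessage(), PHP_EOL;
}

// (b) Injection: the password value closes the quote and appends OR '1'='1',
//     so the query matches the admin row without the attacker knowing any
//     password. This is what "someone could easily steal ... your data" means.
$rows = checkPasswordUnsafe($db, '1', "' OR '1'='1");
echo "unsafe query with injected password returned ", count($rows), " row(s)", PHP_EOL;

// (c) Parameterised query + hash check: the injection string is just a wrong
//     password, the real password passes, and an unknown id is rejected.
var_dump(checkPasswordSafe($db, 1, "' OR '1'='1"));
var_dump(checkPasswordSafe($db, 1, 'correct horse battery staple'));
var_dump(checkPasswordSafe($db, 2, 'correct horse battery staple'));
```

With mysqli the safe function is the same shape: `$stmt = $conn->prepare('SELECT password FROM tbl_admin WHERE id = ?'); $stmt->bind_param('i', $id); $stmt->execute();` and then `password_verify()` on the fetched column. Whichever extension is used, `$id` still has to be validated as an integer before it reaches the query (the type hint in `checkPasswordSafe` forces the caller to do that), which is also where the "Undefined variable $id" warning would surface as an explicit error instead of a broken SQL string.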

0 Answers