Click here to Skip to main content
14,429,828 members
Rate this:
Please Sign up or sign in to vote.
See more:
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id = '7'' at line 1


My code:

<?php include "db.php";?>
<?php include "functions.php"; ?>

<?php

if(isset($_POST['submit'])){
    
    $username = $_POST['username'];
    $password = $_POST['password'];
    $id = $_POST['id'];
    
    $query = "UPDATE users SET username = '$username', password = '$password', WHERE id = '$id' ";
    
    $result = mysqli_query($connection, $query);
if(!$result){
    die("ERROR".mysqli_error($connection));
}
}


What I have tried:

I have tried a lot of advice online but couldnt resolve this error.
Posted
Updated 3-Jan-20 7:33am
Rate this:
Please Sign up or sign in to vote.

Solution 1

Seems that you have an extra comma in the end of the SET clause. Remove the comma before WHERE

As a side note, it's an extremely bad idea to store password as plain text. You should use one way hashing to ensure that the passwords stay safe. Have a look at Password Storage: How to do it.[^]
   
v2
Comments
Saleh Mohammad Aria 9-Aug-19 15:39pm
   
Thanks a lot!
Wendelius 9-Aug-19 15:41pm
   
You're welcome!
Richard Deeming 13-Aug-19 13:21pm
   
Since you're using PHP, it's fairly easy to fix your password storage. Use password_hash[^] when the user registers, and password_verify[^] when they log in. This will take care of generating and verifying a secure salted hash of the password for you.
Wendelius 14-Aug-19 0:05am
   
Good info, thank you!
Rate this:
Please Sign up or sign in to vote.

Solution 2

$query = "UPDATE users SET username = '$username', password = '$password' WHERE id = '$id' ";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
   
Comments
Saleh Mohammad Aria 9-Aug-19 15:39pm
   
Thank you, it helped me a lot!
Patrice T 9-Aug-19 15:55pm
   
You're welcome!
Rate this:
Please Sign up or sign in to vote.

Solution 4

Remove the comma before WHERE clause.
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
OriginalGriff 5,513
Richard MacCutchan 2,354
Patrice T 1,315
phil.o 1,280
MadMyche 1,185



CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100