Click here to Skip to main content
15,868,016 members
Please Sign up or sign in to vote.
1.00/5 (2 votes)
See more:
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id = '7'' at line 1


My code:

<?php include "db.php";?>
<?php include "functions.php"; ?>

<?php

if(isset($_POST['submit'])){
    
    $username = $_POST['username'];
    $password = $_POST['password'];
    $id = $_POST['id'];
    
    $query = "UPDATE users SET username = '$username', password = '$password', WHERE id = '$id' ";
    
    $result = mysqli_query($connection, $query);
if(!$result){
    die("ERROR".mysqli_error($connection));
}
}


What I have tried:

I have tried a lot of advice online but couldnt resolve this error.
Posted
Updated 15-Nov-22 5:37am

Seems that you have an extra comma in the end of the SET clause. Remove the comma before WHERE

As a side note, it's an extremely bad idea to store password as plain text. You should use one way hashing to ensure that the passwords stay safe. Have a look at Password Storage: How to do it.[^]
 
Share this answer
 
v2
Comments
Saleh Mohammad Aria 9-Aug-19 15:39pm    
Thanks a lot!
Wendelius 9-Aug-19 15:41pm    
You're welcome!
Richard Deeming 13-Aug-19 13:21pm    
Since you're using PHP, it's fairly easy to fix your password storage. Use password_hash[^] when the user registers, and password_verify[^] when they log in. This will take care of generating and verifying a secure salted hash of the password for you.
Wendelius 14-Aug-19 0:05am    
Good info, thank you!
Dulangi Sirimanne 9-Apr-22 5:03am    
Thanks a lot!
SQL
$query = "UPDATE users SET username = '$username', password = '$password' WHERE id = '$id' ";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
 
Share this answer
 
Comments
Saleh Mohammad Aria 9-Aug-19 15:39pm    
Thank you, it helped me a lot!
Patrice T 9-Aug-19 15:55pm    
You're welcome!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month


CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900