Failed to run query: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax

0
votes

Failed to run query: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'telephone = '952 123 123' mobiletelephone = '655 000 000' ' at line 4

Can anyone help ?

 <?php 

// First we execute our common code to connection to the database and start the session 
require("common.php"); 

// At the top of the page we check to see whether the user is logged in or not 
if(empty($_SESSION['user'])) 
{ 
    // If they are not, we redirect them to the login page. 
    header("Location: login.php"); 

    // Remember that this die statement is absolutely critical.  Without it, 
    // people can view your members-only content without logging in. 
    die("Redirecting to login.php"); 
} 

// This if statement checks to determine whether the edit form has been submitted 
// If it has, then the account updating code is run, otherwise the form is displayed 
if(!empty($_POST)) 
{ 
    // Make sure the user entered a valid E-Mail address 
    if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
    { 
        die("Invalid E-Mail Address"); 
    } 

    // If the user is changing their E-Mail address, we need to make sure that 
    // the new value does not conflict with a value that is already in the system. 
    // If the user is not changing their E-Mail address this check is not needed. 
    if($_POST['email'] != $_SESSION['user']['email']) 
    { 
        // Define our SQL query 
        $query = " 
            SELECT 
                1 
            FROM users 
            WHERE 
                email = :email AND
                telephone = :telephone AND
                mobiletelephone = :mobiletelephone
        "; 

        // Define our query parameter values 
        $query_params = array( 
            ':email' => $_POST['email'] 
        ); 

        try 
        { 
            // Execute the query 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        // Retrieve results (if any) 
        $row = $stmt->fetch(); 
        if($row) 
        { 
            die("This E-Mail address is already in use"); 
        } 
    } 

    // If the user entered a new password, we need to hash it and generate a fresh salt 
    // for good measure. 
    if(!empty($_POST['password'])) 
    { 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
        $password = hash('sha256', $_POST['password'] . $salt); 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 
    } 
    else 
    { 
        // If the user did not enter a new password we will not update their old one. 
        $password = null; 
        $salt = null; 
    } 

    // Initial query parameter values 
    $query_params = array( 
        ':email' => $_POST['email'], 
        ':telephone' => $_POST['telephone'],
        ':mobiletelephone' => $_POST['mobiletelephone'],
        ':user_id' => $_SESSION['user']['id'], 
    ); 

    // If the user is changing their password, then we need parameter values 
    // for the new password hash and salt too. 
    if($password !== null) 
    { 
        $query_params[':password'] = $password; 
        $query_params[':salt'] = $salt; 
    } 

    // Note how this is only first half of the necessary update query.  We will dynamically 
    // construct the rest of it depending on whether or not the user is changing 
    // their password. 
    $query = " 
        UPDATE users 
        SET 
            email = :email,
            telephone = :telephone,
            mobiletelephone = :mobiletelephone


    "; 

    // If the user is changing their password, then we extend the SQL query 
    // to include the password and salt columns and parameter tokens too. 
    if($password !== null) 
    { 
        $query .= " 
            , password = :password 
            , salt = :salt 
        "; 
    } 

    // Finally we finish the update query by specifying that we only wish 
    // to update the one record with for the current user. 
    $query .= " 
        WHERE 
            id = :user_id 
    "; 

    try 
    { 
        // Execute the query 
        $stmt = $db->prepare($query); 
        $result = $stmt->execute($query_params); 
    } 
    catch(PDOException $ex) 
    { 
        // Note: On a production website, you should not output $ex->getMessage(). 
        // It may provide an attacker with helpful information about your code.  
        die("Failed to run query: " . $ex->getMessage()); 
    } 

    // Now that the user's E-Mail address has changed, the data stored in the $_SESSION 
    // array is stale; we need to update it so that it is accurate. 
    $_SESSION['user']['email'] = $_POST['email']; 
    $_SESSION['user']['telephone'] = $_POST['telephone'];
    $_SESSION['user']['mobiletelephone'] = $_POST['mobiletelephone'];

    // This redirects the user back to the members-only page after they register 
    header("Location: members.php"); 

    // Calling die or exit after performing a redirect using the header function 
    // is critical.  The rest of your PHP script will continue to execute and 
    // will be sent to the user if you do not die or exit. 
    die("Redirecting to members.php"); 
} 

?>
1
php
Have you even tried to fix the error yourself or was the first thing you did come here and paste the entire PHP code that has NOTHING to do with SQL syntax error?N.B.
I noticed that you tried to suggest an edit to David's answer asking for a clarification to the answer, which was not approved. Instead of editing other people's answers, you can post a comment to their answer instead.Qantas 94 Heavy

1 Answers

1
votes

As stated by the error message, you have a syntax error in your SQL query:

SELECT 
    1 
FROM users 
 WHERE 
    email = :email 
    telephone = :telephone
    mobiletelephone = :mobiletelephone

You need to combine your WHERE clauses with some logical operator. For example, if all three of these clauses must be true in the query then you would use the AND operator:

SELECT 
    1 
FROM users 
 WHERE 
    email = :email AND
    telephone = :telephone AND
    mobiletelephone = :mobiletelephone

Similarly, your UPDATE query needs to separate fields being updated with a comma:

UPDATE users 
SET 
    email = :email,
    telephone = :telephone,
    mobiletelephone = :mobiletelephone

(Note: Following that query, it looks like you then append more fields to the SET clause. You'll want to make sure by the time the whole query is constructed that each one is separated by a comma.)