#1
Contributing User
Devshed Newbie (0 - 499 posts)
Join Date: Jul 2006
Posts: 65
Rep Power: 8

Failed to run query
Hi,
I've been using E-Oreo's login script and am trying to remove the edit-email part from the edit-account page. I have removed everything to do with the email and got the edit password to change the password. But my problem is, if I leave it blank and hit the Update Account button I get this error:
Failed to run query: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens
Any help would be great on fixing this error and removing any code that is not needed. Thanks.
PHP Code:
<?php
require("common.php");

// Only logged-in users may edit their account.
if(empty($_SESSION['user']))
{
    header("Location: login.php");
    die("Redirecting to login.php");
}

if(!empty($_POST))
{
    if(!empty($_POST['password']))
    {
        // Salt and iterated SHA-256 hash as in E-Oreo's script.
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $password = hash('sha256', $_POST['password'] . $salt);
        for($round = 0; $round < 65536; $round++)
        {
            $password = hash('sha256', $password . $salt);
        }
    }
    else
    {
        $password = null;
        $salt = null;
    }

    $query_params = array(
        ':user_id' => $_SESSION['user']['id'],
    );

    if($password !== null)
    {
        $query_params[':password'] = $password;
        $query_params[':salt'] = $salt;
    }

    // This :password placeholder is present whether or not a password was submitted.
    $query = "
        UPDATE users
        SET
            password = :password
    ";

    if($password !== null)
    {
        $query .= "
            , password = :password
            , salt = :salt
        ";
    }

    $query .= "
        WHERE
            id = :user_id
    ";

    try
    {
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        die("Failed to run query: " . $ex->getMessage());
    }

    header("Location: p.php");
    die("Redirecting to p.php");
}
?>
#2
Contributing User
Devshed Frequenter (2500 - 2999 posts)
Join Date: Dec 2004
Posts: 2,868
Rep Power: 368

Your query is very confusing; I would suggest you re-write it first. Echo out your query on screen to see how it looks; to me there seems to be an error.
#3
Devshed Expert (3500 - 3999 posts)
Join Date: Jul 2012
Posts: 3,920
Rep Power: 1045

Hi,

The error message couldn't be clearer in my opinion: the prepared statement has too many or too few placeholders. It's too many, actually. The query always has the placeholder :password, but if no password has been sent, this placeholder never gets a value.

    The underlying problem is that the application logic just doesn't work. What do you wanna do in case of an empty password? Nothing? Then don't do an UPDATE. Show an error message? Then do that.

    You should generally get clear about what you wanna do before starting to write the code. Draw a diagram, write down pseudo code. And then implement the procedure. Doing it the other way round is a bad idea, especially when you're not very experienced. You'll get lost in all kinds of weird bugs, and you'll need others to untangle your code.

    Apart from that, your code has several security holes. mt_rand() is not suitable for generating salts. You must not display your queries in the error messages. Whether the hashing procedure is secure or not I don't know.

    E-Oreo's script is great for understanding the idea behind iterative hashing, but when it comes to real life, you want an established and easy-to-use library like password_compat.

    So I suggest the following: Write down the procedure you're trying to program. Use pseudo code, diagrams or plain English. Download the library above. And only then start writing the code.
The 6 worst sins of security • How to (properly) access a MySQL database with PHP

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
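The following is an added example, not E-Oreo's script and not code posted in this thread. It shows the account-update step rewritten along the lines reply #3 suggests: the SET clause and the bound parameters are built from the same list (so the HY093 placeholder mismatch cannot happen), an empty password field means "do nothing" rather than "run an UPDATE", the hash comes from password_hash() (native since PHP 5.5, or the password_compat polyfill the reply links) instead of mt_rand() salts and a hand-rolled SHA-256 loop, and the driver's error text is logged rather than shown to the browser. The function names, the users table layout and the in-memory SQLite database are assumptions made so the script runs stand-alone with `php`.

```php
<?php
// Added example (not the poster's code, not E-Oreo's script).
// Assumes a PDO handle in ERRMODE_EXCEPTION and a users table with
// columns id, username, password. The salt column is no longer needed:
// password_hash() stores its own salt inside the hash string.

/**
 * Build "UPDATE users SET ... WHERE id = :user_id" from an associative
 * array of column => value. Every column that lands in SET also gets its
 * placeholder bound here, so placeholders and bound values cannot drift
 * apart the way they did in the original script.
 */
function buildUserUpdate(array $columns, $userId)
{
    if ($columns === array()) {
        throw new InvalidArgumentException('nothing to update');
    }
    $set = array();
    $params = array(':user_id' => (int) $userId);
    foreach ($columns as $name => $value) {
        // Column names are spliced into the SQL text, not bound, so only
        // names from a fixed whitelist are accepted.
        if (!in_array($name, array('password', 'email'), true)) {
            throw new InvalidArgumentException("unknown column $name");
        }
        $set[] = "$name = :$name";
        $params[":$name"] = $value;
    }
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :user_id';
    return array($sql, $params);
}

/**
 * Change the password only if one was submitted. An empty field means
 * "leave the password alone", so no UPDATE is issued at all.
 * Returns true when a row was updated, false when there was nothing to do.
 */
function updateAccount(PDO $db, $userId, $submittedPassword)
{
    if ($submittedPassword === '') {
        return false; // nothing to change, so no query is run
    }
    // password_hash() draws a random salt from a CSPRNG and applies the
    // bcrypt work factor; PASSWORD_DEFAULT lets later PHP versions
    // upgrade the algorithm without code changes.
    $hash = password_hash($submittedPassword, PASSWORD_DEFAULT);
    list($sql, $params) = buildUserUpdate(array('password' => $hash), $userId);
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
    } catch (PDOException $ex) {
        // Keep the driver message and query server-side; the user gets a
        // generic error without any SQL detail.
        error_log('account update failed: ' . $ex->getMessage());
        throw new RuntimeException('Could not update your account.');
    }
    return $stmt->rowCount() === 1;
}

// --- stand-alone demo on a constructed in-memory database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (id, username, password) VALUES (1, 'alice', 'old-hash')");

// Blank password field: the original script died here with HY093.
var_dump(updateAccount($db, 1, ''));

// New password submitted: two placeholders, two bound values.
var_dump(updateAccount($db, 1, 'correct horse battery staple'));

// The stored value is a self-contained bcrypt string; verify against it.
$stored = $db->query('SELECT password FROM users WHERE id = 1')->fetchColumn();
var_dump(password_verify('correct horse battery staple', $stored));
var_dump(password_verify('wrong', $stored));
```

Because buildUserUpdate() adds a placeholder and its value in the same loop iteration, the number of tokens in the SQL and the number of entries in the parameter array are equal by construction; the whitelist on column names is what keeps that splicing safe. Run it with `php example.php` on PHP 5.5 or later (or 5.3.7+ with password_compat loaded).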
#4
Contributing User
Devshed Newbie (0 - 499 posts)
Join Date: Jul 2006
Posts: 65
Rep Power: 8

ok thanks guy
