Multi tool use

nr. bound variables, missmatch number tokens

Hi I have been scanning the answers on this subject but they seem to be individual at most, so here goes. My code is from a free repository and it works when I remove the addition I have maid.

I added "uname" because I wanted the users to be greeted by their name and not their username. It may be stupied but I like it this way. But I am missing something. My code is here:

<?php

// First we execute our common code to connection to the database and start the session
require("common.php");

// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['username']))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");

// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}

// This if statement checks to determine whether the edit form has been submitted
// If it has, then the account updating code is run, otherwise the form is displayed
if(!empty($_POST))
{
// Make sure the user entered a valid E-Mail address
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
die("Invalid E-Mail Address");
}

// If the user is changing their E-Mail address, we need to make sure that
// the new value does not conflict with a value that is already in the system.
// If the user is not changing their E-Mail address this check is not needed.
if($_POST['email'] != $_SESSION['username']['email'])
{
// Define our SQL query
$query = "
SELECT
*
FROM admin_users
WHERE
email = :email
";

// Define our query parameter values
$query_params = array(
':email' => $_POST['email'],
':uname' => $_POST['uname']
);

try
{
// Execute the query
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}

// Retrieve results (if any)
$row = $stmt->fetch();
if($row)
{
die("This E-Mail address is already in use");
}
}

// If the user entered a new password, we need to hash it and generate a fresh salt
// for good measure.
if(!empty($_POST['password']))
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
}
else
{
// If the user did not enter a new password we will not update their old one.
$password = null;
$salt = null;
}

// Initial query parameter values
$query_params = array(
':email' => $_POST['email'],
':uname' => $_POST['uname'],
':user_id' => $_SESSION['username']['id'],
);

// If the user is changing their password, then we need parameter values
// for the new password hash and salt too.
if($password !== null)
{
$query_params[':password'] = $password;
$query_params[':salt'] = $salt;
}

// Note how this is only first half of the necessary update query. We will dynamically
// construct the rest of it depending on whether or not the user is changing
// their password.
$query = "
UPDATE admin_users
SET
uname = :uname
email = :email
username = :username
";

// If the user is changing their password, then we extend the SQL query
// to include the password and salt columns and parameter tokens too.
if($password !== null)
{
$query .= "
, password = :password
, salt = :salt
";
}

// Finally we finish the update query by specifying that we only wish
// to update the one record with for the current user.
$query .= "
WHERE
id = :user_id
";

try
{
// Execute the query
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}

// Now that the user's E-Mail address has changed, the data stored in the $_SESSION
// array is stale; we need to update it so that it is accurate.
$_SESSION['username']['email'] = $_POST['email'];

// This redirects the user back to the members-only page after they register
header("Location: private.php");

// Calling die or exit after performing a redirect using the header function
// is critical. The rest of your PHP script will continue to execute and
// will be sent to the user if you do not die or exit.
die("Redirecting to private.php");
}

?>
<?php include("header.php"); ?>
<?php include("menu.php"); ?>

<div id="header_wrapper">
<h1>Edit Account</h1>
<form action="edit_account.php" method="post">
Username:<br />
<b><?php echo htmlentities($_SESSION['username']['username'], ENT_QUOTES, 'UTF-8'); ?></b>
<br /><br />
Navn:<br />
<input type="text" name="uname" value="<?php echo htmlentities($_SESSION['username']['uname'], ENT_QUOTES, 'UTF-8'); ?>" />
<br /><br />
Brugernavn:<br />
<input type="text" name="username" value="<?php echo htmlentities($_SESSION['username']['username'], ENT_QUOTES, 'UTF-8'); ?>" />
<br /><br />
E-Mail Address:<br />
<input type="text" name="email" value="<?php echo htmlentities($_SESSION['username']['email'], ENT_QUOTES, 'UTF-8'); ?>" />
<br /><br />
Password:<br />
<input type="password" name="password" value="" /><br />
<i>(leave blank if you do not want to change your password)</i>
<br /><br />
<input type="submit" value="Update Account" />
</form>
</div>
<?php include("footer.php"); ?>


The error

Error: "Failed to run query: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens"

password_hash()

password_verify()

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.