I cannot update alphabetic password in database

Question

I'm facing a problem in updating my database, when I'm trying to update my password in database i cannot update my alphabet password in my database for example "adnan" but I can update numeric password in database for example "1233".

<?php
if(isset($_POST['submit'])){
    $new_pass=$_POST['new_pass'];
    $re_new_pass=$_POST['re_new_pss'];
    $old_pass=$_POST['old_pss'];
    if(empty($new_pass) || empty($re_new_pass) || empty($old_pass) ){
        $message="fill all the fields!";
    }
    else{
       if(strcmp($new_pass,$re_new_pass)==0){
       $con=mysqli_connect("localhost","root","","managment");
       $query="SELECT user_password FROM login_table;";
       $sql=mysqli_query($con,$query);
       if(mysqli_num_rows($sql) > 0){
           $result=mysqli_fetch_assoc($sql);
           if(strcmp($old_pass,$result['user_password'])==0){
              $query_insert="UPDATE login_table SET user_password=$new_pass WHERE user_password=$old_pass;"; 
              $sql=mysqli_query($con,$query_insert);
              $message="password change seccessfully!";
           }
           else{
               $message="Old password in not correct!";
           }
       }
        }
        else{
            $message="please type same passwords in both fileds!";
        } 
    }

}
?>
<html>  
 <head>  
  <title>Tutorial</title>      
 </head>  
 <body>  
 <div style="width: 400px; margin: auto;">  
   <form action="" method="post"> 
    <h3 align="center">Forget password</h3><br />
    <div class="text-danger text-center"><?php if(isset($message)) { echo $message; } ?></div>  
    <div class="form-group">  
     <label for="login">new password</label>  
     <input name="new_pass" type="password" class="form-control" />
     <label for="login">Re-type new password</label>
     <input name="re_new_pss" type="password" class="form-control" />
     <label for="login">old password</label>
     <input name="old_pss" type="password" class="form-control" />
     <br/>
     <input name="submit" type="submit" class="btn btn-danger" />
    </div>     
   </form>  
   <br />  
  </div>  
 </body>  
</html>

Answer 1

TL;DR;

1. Use backticks for column names.
2. Enclose values inside single quotes.

Okay, when it works when you update numeric value but not alphabetic value, it means that you are not surrounding your value within quotes.

UPDATE `table` SET `column`=35007; -- This works.
UPDATE `table` SET `column`=hello; -- This won't.

The best thing you should do is to enclose them using single quotes ' .

In your code:

$query_insert="UPDATE login_table SET user_password=$new_pass WHERE user_password=$old_pass;"; 
//--------------------------------------------------^-------^

Also make sure to use backticks.

$query_insert = "UPDATE `login_table` SET `user_password` = '$new_pass' WHERE `user_password` = '$old_pass';";

Finally, your code is vulnerable to SQL Injection attacks. Read about it. Use PDO or Prepared Statements proceeding further.

Answer 2

编辑sql更新：

 $query_insert="UPDATE login_table SET user_password='".$new_pass."' WHERE user_password='".$old_pass."';"; 

Answer 3

$query_insert="UPDATE login_table SET user_password=$new_pass WHERE username =$username";

You can't keep the update field in condition change the where clause with id or username.