Hi this my third day spent to solve this problem, as I posted in the previous thread, some suggest to obmit the single quote but does not work. Please help <?php // This page lets a user change their password. $page_title = 'Change Your Password'; include ('includes/header1.html'); // Check if the form has been submitted: if (isset($_POST['submitted'])) { // connect ot database require_once('../mysql_connection.php'); $errors = array(); // Initialize an error array. // Check for an email address: if (empty($_POST['email'])) { $errors[] = 'You forgot to enter your email address.'; } else { $e = escape_data($_POST['email']); } // Check for the current password: if (empty($_POST['password'])) { $errors[] = 'You forgot to enter your current password.'; } else { $p = escape_data($_POST['password']); } // Check for a new password and match // against the confirmed password: if (!empty($_POST['password1'])) { if ($_POST['password1'] != $_POST['password2']) { $errors[] = 'Your new password did not match the confirmed password.'; } else { $np = escape_data($_POST['password1']); } } else { $errors[] = 'You forgot to enter your new password.'; } if (empty($errors)) { // If everything's OK. // Check that they've entered the right email address/password combination: $query = "SELECT user_id FROM users WHERE email= '$e' AND password= SHA1('$p')"; //run the query $result = @mysql_query($query) or die ('Can not run the query?' . mysql_error()); //get the result $num = @mysql_num_rows($result); if ($num == 1) { // Match was made. // Get the user_id: $row = mysql_fetch_array($result , MYSQLI_NUM); // Make the UPDATE query: $query= "UPDATE users SET password=SHA('$np') WHERE user_id= $row[0]"; $result = @mysql_query($query); if($result) { echo yes; } else { echo no;} if (mysql_affected_rows() == 1) { // If it ran OK. // Print a message. echo '<h1>Thank you!</h1> <p>Your password has been updated. In Chapter 11 you will actually be able to log in!</p><p><br /></p>'; include('./includes/footer.html'); exit(); } else { // If it did not run OK. // Public message: echo '<h1>System Error</h1> <p class="error">Your password could not be changed due to a system error. We apologize for any inconvenience.</p>'; // Debugging message: echo '<p>' . mysql_error() . '<br /><br />Query: ' . $q . '</p>'; include('./includes/footer.html'); exit(); } } else { // Invalid email address/password combination. echo '<h1>Error!</h1> <p class="error">The email address and password entered do not match those on file!!!!.</p><p><br /></p>'; } } else { // Report the errors. echo '<h1>Error!</h1> <p class="error">The following error(s) occurred:<br />'; foreach ($errors as $msg) { // Print each error. echo " - $msg<br />\n"; } echo '</p><p>Please try again.</p><p><br /></p>'; } // End of if (empty($errors)) IF. mysql_close(); // Close the database connection. } // End of the main Submit conditional. ?> <h1>Change Your Password</h1> <form action="password.php" method="post"> <p>Email Address: <input type="text" name ="email" size="30" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> </p> <p>Current Password: <input type="password" name ="password" size="30" maxlength="40" /></p> <p>New Password: <input type="password" name="password1" size="30" maxlength="40" /></p> <p>Confirm New Password: <input type="password" name="password2" size="30" maxlength="40" /></p> <p><input type="submit" name="submit" value="Change Password" /></p> <input type="hidden" name="submitted" value="TRUE" /> </form> <?php include ('includes/footer.html'); ?> PHP: