SQL syntax error corresponds to MariaDB Server version.

**ak47** · 06-21-2017, 11:03 AM

I am getting an error which says "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(Username,Email,EmployeeID,Designation,Password, WHERE Id = '7'' at line 1".

I tried with some solutions, but I didn't fixed it. Please give solution for this and also explain something about this. My code is:

PHP Code:


<?php
    session_start();
    $id=$_SESSION['Id'];
    if(isset($_POST)){
        require '../_database/database.php';
        $username = $_REQUEST['Username'];
        $email = $_REQUEST['Email'];
        $employee = $_REQUEST['EmployeeID'];
        $designation = $_REQUEST['Designation'];
        $password = $_REQUEST['Password'];
        $query = "UPDATE users SET (Username,Email,EmployeeID,Designation,Password, WHERE Id = '$id'";
        $stmt = mysqli_prepare($database,$query)or die(mysqli_error($database));
        $stmt->bind_param('sssss', $username, $email, $employee, $designation, $password);
        $stmt->execute();
        //header("location:../user.php?Username=$temp&request=profile-update&status=success");
    }    
?>

**DyDr** · 06-21-2017, 01:08 PM

@ak47, while it appears you may have seen my reply in your previous thread and are trying to do a couple of the things mentioned, it also appears that you are just randomly making changes to your code for no reason.

Your previous code was using a working way of testing if the form has been submitted. The current code is not. $_POST is always set, even if it is empty, and the code using isset() will always be true.

You should also not use $_REQUEST, use the $_POST variables that match the form's method, and as mentioned in the other thread, there's no good reason to copy a bunch of variables to other variables. Just use the $_POST variables in the ->bind_param() call.

The reason for the sql syntax error you are getting is because what you have now isn't the correct syntax for an UPDATE statement. The syntax you had in the previous thread was correct. Converting the sql statement to a prepared query would have only involved replacing the php variables with ? place-holders, and removing the single-quotes around each value.