mysqli_query(): (42000/1064) when UPDATE SET WHERE with $_POST

Question

So I have 2 codes following each other up:

$query ="SELECT field6 FROM userfield WHERE userid='".$vbulletin->userinfo['userid']."' AND field6 IS NOT NULL LIMIT 1";
if ($result=mysqli_query($link, $query)) {

     $row = mysqli_fetch_array($result);

      $API = $row['field6'];


}
if(empty($API)) {
      echo "You don't have any information in our database!";
      $table   = $_POST["userfield"];
         $query ="  UPDATE $table SET field6='".mysqli_real_escape_string($link,$_POST['token'])."' WHERE userid=".$vbulletin->userinfo['userid']."";
   mysqli_query($link, $query);

The $link and $vbulletin code is working fine and so is the complete first part of the code.

However if field6 is indeed empty for that user(and $API returns empty) it start running the 2nd code. It uses most of the same variables however it wont work.

It gives the echo and then the error of:

You don't have any information in our database!
PHP Warning: mysqli_query(): (42000/1064): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET field6 = '' WHERE userid=1' at line 1 in

And when I enter test in the field in goes to:

'SET field6 = 'test' WHERE userid=1' at line 1 in

I know the code is super messy and inconsistent but I have been trying to change small staff all night.

Answer 1

$table has no value so your query looks like:

UPDATE SET field6 = 'test' WHERE userid=1

You never validate a valid value is provided before using it in your query so an empty value will break your query. You are also wide open to SQL injections because of this.