change data from database using php

Question

I want to change data from a database but I keep getting errors and I just cannot find the mistake I made..

Here's the code:

    if(isset($_POST['id'])) {
        if(is_numeric($_POST['id'])) {
            $change = pg_query($db, "SELECT * FROM azubi3 WHERE id = ".$_POST['id']."");
            echo $change;
            if($auto == "") {
                $auto = "false";
            }
            else { $auto = "true"; }
            $change = pg_query($db, "UPDATE azubi3 SET vorname = '".$_POST['prename']."', nachname = '".$_POST['name']."', auto = ".$auto.", auto_id = ".$_POST['auto_id'].", schuh_id = ".$_POST['schuh_id']." WHERE id = ".$_POST['id']."");
        }
        else { echo "ID muss eine Zahl sein!"; }

    }

And that's the error i get:

Warning: pg_query(): Query failed: ERROR: syntax error at or near "," LINE 1: ...achname = 'Mustermüller', auto = false, auto_id = , schuh_id... ^ in /srv/www/htdocs/azubi2/test3.php on line 82

Answer 1

First thing your sql is vulenrable to injection, you should correct it.

For the sake of your question :

false is a reserved keyword, please use string around it:

 $change = pg_query($db, "UPDATE azubi3 SET vorname = '".$_POST['prename']."', nachname = '".$_POST['name']."', auto = '".$auto."', auto_id = ".$_POST['auto_id'].", schuh_id = ".$_POST['schuh_id']." WHERE id = ".$_POST['id']."");