check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id=' \r\n

Question

I am new to php and cannot get this! I'm attempting to edit data on an edit page which will be stored through an update page onto mySQL.

<?php

include("secure/connect.php");


$newtitle = mysqli_real_escape_string($conn, ($_POST['title']));
$newinfo = mysqli_real_escape_string($conn,($_POST['info']));
$newprice = mysqli_real_escape_string($conn,($_POST['price']));
$newmenu_img = mysqli_real_escape_string($conn,($_POST['menu_img']));



$id = mysqli_real_escape_string($conn, ($_POST['rowid']));



//setup a SQL query
$query= "UPDATE  cocktails SET title='$newtitle', info='$newinfo',       price='$newprice', menu_img='$newmenu_img', WHERE id='$id'";

$result = mysqli_query($conn, $query) or die(mysqli_error($conn));


mysqli_close($conn);
?>

I keep getting the error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id=' \r\nNotice: Undefined variable: iddata in /var/www/vh' at line 1

Your $id parameter is returned with the `\r\n` aka new line, without actual id? Print out your $id parameter with print_r($id) before you run your SQL query to see that you get it correctly — Maksim Luzik, Dec 13 '17 at 14:06

score 1 · Answer 1 · answered Dec 13 '17 at 14:00

If your parameters are OK, removing comma(,) in this line

UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'

before WHERE will do the job. Note that MariaDB will start code in error message from exactly the part that gives error - in your case it tries to parse WHERE part as continuation of list of parameters.

Your code is also vulnerable to SQL code injection, so check out this answer before sending your code into production server.

check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id=' \r\n

1 Answers1