-2

I don't understand why my query is not working right

$sql = "UPDATE rezepte Set namerecipe =" .$namerecipe .",ingredient1 =" . $ingredient1 . ",ingredient2 =" . $ingredient2 . ",ingredient3 =" . $ingredient3 . ",ingredient4 =" . $ingredient4 . ",ingredient5 =" . $ingredient5 . ",ingredient6 =" . $ingredient6 . ",ingredient7 =" . $ingredient7 . ",ingredient8 =" . $ingredient8 . ",ingredient9 =" . $ingredient9 . ",ingredient10 =" . $ingredient10 . ", preparation =" . $preparation . ", cathegory1 =" . $cathegory1 . ", cathegory2 = " . $cathegory2 . ", cathegory3 = " . $cathegory3 . ", difficulty = " . $difficulty . ",time = " . $time . ", amount = " .$amount . ", source =" . $source . " WHERE ID=" . $id ."";

I know some variables are not in correct English D:

PHP gives me the following error message:

"ERROR: Could not able to execute UPDATE rezepte Set namerecipe =,ingredient1 =,ingredient2 =,ingredient3 =,ingredient4 =,ingredient5 =,ingredient6 =,ingredient7 =,ingredient8 =,ingredient9 =,ingredient10 =, preparation =, cathegory1 =, cathegory2 = , cathegory3 = , difficulty = ,time = , amount = , source =Tom WHERE ID=18. You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ingredient1 =,ingredient2 =,ingredient3 =,ingredient4 =,ingredient5 =,ingredient' at line 1"

But I can't find the error.

Sfili_81
Tom
    SQL doesn't allow `column = ` with no value. Your variables appear to be empty. Ideally you should be using prepared statements anyway. – Jonnix Jan 09 '19 at 11:29
  • 2
    Check that none of your variables are empty. You have to set something like this: namerecipe = ' " .$namerecipe ." ' – Sfili_81 Jan 09 '19 at 11:30
  • 3
    Additionally, this query generation is highly vulnerable to SQL injection. – Nico Haase Jan 09 '19 at 11:30
  • 1
    You should be enclosing your variable values in single quotes i.e. `$sql = "UPDATE rezepte Set namerecipe ='" .$namerecipe ."',ingredient1 ='" . $ingredient1 ."',` etc. – Nick Jan 09 '19 at 11:35
  • Besides, the incrementing column names `ingredient1`, `ingredient2` and so on are great candidates for normalisation. – Raymond Nijland Jan 09 '19 at 11:38
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jan 09 '19 at 11:45
  • The only variables you have set are `$source` and `$id`; the rest are empty. – Stender Jan 09 '19 at 11:45
  • Anyway...if you're going to include a field in your update statement, you can't then simply leave the value blank. You have to either include a value or set the field to NULL. Maybe you aren't validating your data input properly, or maybe you're not constructing your SQL properly, it's unclear. – ADyson Jan 09 '19 at 11:47

1 Answer

-1

While this question is not exactly a duplicate, the solution to your problem can be found by studying the top answer to this question: How can I prevent SQL injection in PHP?

  • Your code is vulnerable to SQL injection, and solving that will also solve your query error. (Setting something equal to absolutely nothing is a syntax error in SQL; the closest legal value is NULL or an empty string.)
hanshenrik
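The same UPDATE written as a mysqli prepared statement, as an added example that is not the asker's or the answerer's code: the column names and table come from the question, while the `$conn` connection, the `updateRecipe` function and the `$values` array are assumed. Empty values are bound as NULL, so a missing field becomes a legal value instead of the `namerecipe =,` syntax error, and user input never enters the query text.

```php
<?php
// Allow-list of columns that may be updated (taken from the question).
// The SQL text is built only from this list; values travel as parameters.
const RECIPE_COLUMNS = [
    'namerecipe',
    'ingredient1', 'ingredient2', 'ingredient3', 'ingredient4', 'ingredient5',
    'ingredient6', 'ingredient7', 'ingredient8', 'ingredient9', 'ingredient10',
    'preparation', 'cathegory1', 'cathegory2', 'cathegory3',
    'difficulty', 'time', 'amount', 'source',
];

/**
 * Update one row of `rezepte`. $values maps column name => string|null.
 * Empty strings are stored as NULL; keys not in RECIPE_COLUMNS are ignored.
 * (Assumed helper, not part of the original post.)
 */
function updateRecipe(mysqli $conn, int $id, array $values): bool
{
    $assignments = [];
    $params = [];
    foreach (RECIPE_COLUMNS as $column) {
        if (!array_key_exists($column, $values)) {
            continue;                        // leave columns that were not supplied alone
        }
        $assignments[] = "`$column` = ?";    // placeholder only, never the raw value
        $value = $values[$column];
        $params[] = ($value === '' || $value === null) ? null : (string) $value;
    }
    if ($assignments === []) {
        return false;                        // nothing to update
    }
    $sql = 'UPDATE rezepte SET ' . implode(', ', $assignments) . ' WHERE ID = ?';
    $params[] = $id;

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    // One 's' per column plus 'i' for the id; a PHP null is sent as SQL NULL.
    $types = str_repeat('s', count($params) - 1) . 'i';
    $stmt->bind_param($types, ...$params);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage with assumed connection details (constructed sample values):
// $conn = new mysqli('localhost', 'user', 'pass', 'db');
// updateRecipe($conn, 18, ['namerecipe' => 'Pancakes', 'ingredient1' => '', 'source' => 'Tom']);
```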