Reputation: 27
I am trying to update an SQL table with PHP. I have a form that is submitted to the database - this is working fine. I have retrieved the entries from the database and this is also working fine.
The problem I am having is when I try to update the database with additional information into the comment field (a 'cell' that already has information in).
Here is my SQL code. Can you please point me where the problem is? The error I am getting is:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= 36tWHERE id = 0' at line 1
My code is below :
$commy = $_POST['comment'];
$ident = $_POST['id'];
$sql = "UPDATE issuelog".
"SET comment = $commy".
"WHERE id = $ident";
I know there are security issues here but this is only for localhost use at the moment and only by myself as an example.
Upvotes: 0
Views: 64
Reputation: 24925
$sql = "UPDATE issuelog".
" SET comment = $commy".
" WHERE id = $ident";
You need spaces - try echoing out your $sql - you will see SET and WHERE are merged with the previous words.
Upvotes: 0
Reputation: 35357
You don't need to concatenate and you should put quotes around values.
$sql = "UPDATE issuelog
SET comment = '$commy'
WHERE id = '$ident';";
Update: As others pointed out you need spaces, but this is the reason you don't need to concatenate. By closing each line and concatenating, you are removing spaces between them. Be sure you use prepared statements, because as you said, this is subject to injections.
Upvotes: 1
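The prepared-statement approach recommended in the last answer, as an added example that is not part of any post above. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the `updateComment` helper, the `$post` array and the sample rows are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption);
// with MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows (table and column names from the question).
$pdo->exec('CREATE TABLE issuelog (id INTEGER PRIMARY KEY, comment TEXT)');
$pdo->exec("INSERT INTO issuelog (id, comment) VALUES (1, 'first note'), (2, 'other row')");

// Hypothetical helper: update one row's comment, return the number of rows changed.
function updateComment(PDO $pdo, $rawId, string $comment): int
{
    // Validate the id as an integer before it reaches the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // Placeholders keep the SQL text fixed; the values are sent separately,
    // so quotes or SQL keywords inside $comment are stored as plain data.
    $stmt = $pdo->prepare('UPDATE issuelog SET comment = :comment WHERE id = :id');
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed stand-in for $_POST: the comment contains an apostrophe, which
// would break the concatenated query from the question.
$post = ['id' => '1', 'comment' => "Can't reproduce, see WHERE clause notes"];

$changed = updateComment($pdo, $post['id'], $post['comment']);
echo "rows changed: $changed\n";

// Print both rows to confirm only the targeted row was modified.
foreach ($pdo->query('SELECT id, comment FROM issuelog ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['comment'], "\n";
}

// A non-integer id is rejected before any SQL is executed.
try {
    updateComment($pdo, 'abc', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```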