Reputation: 1
I am new to PHP and cannot get this! I'm attempting to edit data on an edit page which will be stored through an update page onto MySQL.
<?php
include("secure/connect.php");
$newtitle = mysqli_real_escape_string($conn, ($_POST['title']));
$newinfo = mysqli_real_escape_string($conn,($_POST['info']));
$newprice = mysqli_real_escape_string($conn,($_POST['price']));
$newmenu_img = mysqli_real_escape_string($conn,($_POST['menu_img']));
$id = mysqli_real_escape_string($conn, ($_POST['rowid']));
//setup a SQL query
$query= "UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
mysqli_close($conn);
?>
I keep getting the error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id=' \r\nNotice: Undefined variable: iddata in /var/www/vh' at line 1
Upvotes: 0
Views: 1269
Reputation: 2014
If your parameters are OK, removing the comma (,) in this line
UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'
before WHERE
will do the job. Note that MariaDB starts the code quoted in the error message at exactly the part that causes the error - in your case it tries to parse the WHERE part as a continuation of the list of parameters.
Your code is also vulnerable to SQL code injection, so check out this answer before sending your code to a production server.
Upvotes: 1
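The same UPDATE written as a mysqli prepared statement, as an added example that is not part of the question or the answer above. It assumes `secure/connect.php` defines `$conn` as in the question, that `id` is an integer column, and that the other columns accept strings; `post_string()` is a hypothetical helper introduced here.

```php
<?php
// Added example: the question's UPDATE as a prepared statement.
include("secure/connect.php"); // assumed to define $conn (mysqli), as in the question

// Have mysqli throw exceptions instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: return a POST field only if it is a plain string.
function post_string(string $name): string
{
    $value = $_POST[$name] ?? '';
    return is_string($value) ? $value : '';
}

// The error text in the question shows rowid arriving with a PHP notice
// inside it; validating it as a positive integer rejects such input early.
$id = filter_input(INPUT_POST, 'rowid', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid row id');
}

$title    = post_string('title');
$info     = post_string('info');
$price    = post_string('price');   // assumption: column accepts a string value
$menu_img = post_string('menu_img');

// No comma before WHERE. Placeholders keep user data out of the SQL text,
// so no escaping or quoting of the values is needed.
$sql = "UPDATE cocktails
           SET title = ?, info = ?, price = ?, menu_img = ?
         WHERE id = ?";

try {
    $stmt = mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, 'ssssi', $title, $info, $price, $menu_img, $id);
    mysqli_stmt_execute($stmt);
    $changed = mysqli_stmt_affected_rows($stmt); // 0 if no row matched or nothing changed
    mysqli_stmt_close($stmt);
} catch (mysqli_sql_exception $e) {
    // Log the database error server-side rather than echoing it to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Update failed');
}
mysqli_close($conn);
```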