[Solved] Error in an update mysql query execution with php and mysqli [duplicate]

Question

You need to escape the single quotes using php’s str_replace, e.g.:

$exp_title = str_replace("'", "\'", $_REQUEST['exp_title']);
$exp_description = str_replace("'", "\'", $_REQUEST['exp_description']);
$exp_time = $_REQUEST['exp_time'];
$update="UPDATE experience SET exp_title="".$exp_title."" , exp_description='".$exp_description."' , exp_time="".$exp_time.""
WHERE expid='".$id."'";

However, you should really really use preparedstatements instead of concatenating strings and escaping characters, e.g.:

$exp_title = $_REQUEST['exp_title'];
$exp_description = $_REQUEST['exp_description'];
$exp_time = $_REQUEST['exp_time'];
$stmt = $conn->prepare("UPDATE experience SET exp_title= ?, exp_description = ?, exp_time = ? WHERE expid = ?");
$stmt->bind_param("types", $exp_title, $exp_description, $exp_time, $id);

Accepted Answer

You need to escape the single quotes using php’s str_replace, e.g.:

$exp_title = str_replace("'", "\'", $_REQUEST['exp_title']);
$exp_description = str_replace("'", "\'", $_REQUEST['exp_description']);
$exp_time = $_REQUEST['exp_time'];
$update="UPDATE experience SET exp_title="".$exp_title."" , exp_description='".$exp_description."' , exp_time="".$exp_time.""
WHERE expid='".$id."'";

However, you should really really use preparedstatements instead of concatenating strings and escaping characters, e.g.:

$exp_title = $_REQUEST['exp_title'];
$exp_description = $_REQUEST['exp_description'];
$exp_time = $_REQUEST['exp_time'];
$stmt = $conn->prepare("UPDATE experience SET exp_title= ?, exp_description = ?, exp_time = ? WHERE expid = ?");
$stmt->bind_param("types", $exp_title, $exp_description, $exp_time, $id);