Why does this SQL UPDATE query not work with a variable for WHERE?

悲&欢浪女 2020-12-20 09:40

This is my first post here at Stack Overflow. I know the question has been asked many times before. I went through many answers, tried all of them (except the correct approa

4 answers
  •  遥遥无期
    2020-12-20 10:07

    The issue that you have is the fact that your code does not use the SET correctly. You currently have the following:

    $sql =  "UPDATE VideoArchiv             
        SET ('".$_POST["titel"]."','".$_POST["schauspieler"]."')
            WHERE id=$id";
    

    Which is used like you'd do an INSERT

    To rectify the immediate issue, simply change to;

    $sql =  "UPDATE VideoArchiv             
            SET field1 = '".$_POST["titel"]."',
                field2 = '".$_POST["schauspieler"]."'
            WHERE id=$id";
    

    But this does leave you open to SQL injection attacks. To do a quick and easy fix on this, something as simple as the following would be helpful:

    $id = mysqli_real_escape_string($connect, $_POST["id"]);
    $titel = mysqli_real_escape_string($connect, $_POST["titel"]);
    $schauspieler = mysqli_real_escape_string($connect, $_POST["schauspieler"]);
    
    // $id is quoted as well: escaping only protects values placed inside quotes.
    $sql =  "UPDATE VideoArchiv
            SET field1 = '{$titel}',
                field2 = '{$schauspieler}'
            WHERE id = '{$id}'";
    

    I'd suggest reading into prepared statements as this would be a lot safer however

    I know this has had the right answer to the question at hand prior to this post, but none have mentioned injection and how to resolve (even a soft way like here)
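
The prepared-statement approach the answer above recommends, as an added example that is not part of the original answer. The function name `update_video` is hypothetical, `field1`/`field2` are the placeholder column names used in the answer, and the connection values in the usage comment are placeholders.

```php
<?php
// Added example, not the answerer's code. Makes mysqli throw exceptions on
// database errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update one row of VideoArchiv with a prepared statement.
 * Returns the number of rows changed (0 if the id does not exist
 * or the stored values were already identical).
 */
function update_video(mysqli $connect, array $post): int
{
    // Accept only a positive integer id; "1 OR 1=1" is rejected here.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Form fields must be plain strings (a field posted as titel[] is an array).
    foreach (['titel', 'schauspieler'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("$key is missing or not a string");
        }
    }
    $titel = $post['titel'];
    $schauspieler = $post['schauspieler'];

    // The SQL text is constant. User input travels separately as bound
    // parameters, so it is never parsed as SQL.
    $stmt = $connect->prepare(
        'UPDATE VideoArchiv SET field1 = ?, field2 = ? WHERE id = ?'
    );
    $stmt->bind_param('ssi', $titel, $schauspieler, $id); // string, string, int
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();

    return $changed;
}

// Usage in the form handler (host, user, password and database are placeholders):
// $connect = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
// $connect->set_charset('utf8mb4');
// $rows = update_video($connect, $_POST);
```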
