update in php and sql

Question

i have this function

function update_job($title, $type, $salary, $country,
                    $city, $state, $category,$date,
                    $description, $responsabilities,
                    $requirements, $id_job ) {

  $HOST_DB ="localhost";
  $NAME_DB="jobs";
  $USER_DB ="root";
  $PWD_DB="";

  $connect = mysql_connect($HOST_DB, $USER_DB, $PWD_DB);
  $db=mysql_select_db($NAME_DB);    

  $requete_insert_tem = "UPDATE employment  SET title = $title , type = $type , salary = $salary , country = $country , city = $city , state = $state , category = $category , date = $date , description = $description , responsabilities = $responsabilities ,
                requirements = $requirements where id = $id_job ";
  mysql_query($requete_insert_tem)
    or die(mysql_error());    
}

but an error appears "Syntax error near 'street , category = informatique , date = 01/07/2013 , description = nothing' "

why i have this error ?
how to fix it?

Where have you learned your PHP from? What are you using as examples? — Andy Lester, Jan 02 '13 at 20:06
Why is there the term street in your error, if the query doesn't involve such a term? — markus, Jan 02 '13 at 20:07
@markus-tharkun It probably doesn't, rather the variable's value ends in *street* — Kermit, Jan 02 '13 at 20:07
This function of yours contains too many params, are you working on form data? If yes, how do you sanitize the data? You should probably pass an array to your function, or a data object instead of so many params. — markus, Jan 02 '13 at 20:10

score 1 · Accepted Answer · answered Jan 02 '13 at 20:04

You need to use single quotes around strings. Below I assume that all your columns are some string type. You also need to stop using mysql_ functions immediately as they are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which.

$requete_insert_tem = "UPDATE employment SET title = '$title' , type = '$type' , salary = '$salary' , country = '$country' , city = '$city' , state = '$state' , category = '$category' , date = '$date' , description = '$description' , responsabilities = '$responsabilities' , requirements = '$requirements' where id = '$id_job'";

score 1 · Answer 2 · answered Jan 02 '13 at 20:09

I guess the problem is because of you didn't use single quotations in set clause for non-numeric values.
try this one:

$requete_insert_tem  ="UPDATE employment  SET title = '$title' , type = '$type' , salary = '$salary' , country = '$country' , city = '$city' , state = '$state' , category = '$category' , date = '$date' , description = '$description' , responsabilities = '$responsabilities' ,
                requirements = '$requirements' where id = $id_job ";

you may also want to check your variable values to remove possible single quotations or use addslashes function to make the query safe.

update in php and sql

2 Answers2