SQL query for update data

Question

$update = mysqli_query($conn, "UPDATE pengguna SET 
                            '".$nama."' = nama,
                            '".$user."' = username,
                            '".$level."' = level,
                            '".$currdate."' = updated_at
                            WHERE id = '".$_GET['id']."'

                            ");

the output is

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''Yulian' = nama, 'yuliani' = username, 'Admin' = level, ...' at line 2 in C:\xampp\htdocs\sekolah\admin\edit-pengguna.php:62 Stack trace: #0 C:\xampp\htdocs\sekolah\admin\edit-pengguna.php(62): mysqli_query(Object(mysqli), 'UPDATE pengguna...') #1 {main} thrown in C:\xampp\htdocs\sekolah\admin\edit-pengguna.php on line 62

reverse variables like this : `$update = mysqli_query($conn, "UPDATE pengguna SET nama = '".$nama."',username = '".$user."',level = '".$level."',updated_at ='".$currdate."' WHERE id = '".$_GET['id']."'");` . Still Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's. — Anant Kumar Singh, May 20 '22 at 04:39

SQL query for update data

0 Answers0