
PHP-MYSQL Update Error

In my database, the 'users' table has the columns uname, name, sname, password and email. 'uname' is unique.
I couldn't update the name, sname and email values.
I am receiving:

Error updating record: Erreur de syntaxe près de 'manager''' à la ligne 2 

Firstly I do not know why it is in French. And 'manager' is the username that I defined in database.
$uname = $_SESSION['username']; value comes from previous script.

<?php
require_once("db_functions.php");
session_start();

$uname =  $_SESSION['username'];
$new_name="";
$new_sname="";
$new_email="";

if (!(isset($_SESSION['update'])) || $_SESSION['update'] != "1")
{
    $errorMsg = "Problem has occured in Update page";
    echo $errorMsg;
    // header  can be added.
}
else
{
    if (isset($_POST['Submit_update']))
    {
        $conn = db_connect();
        if ($conn)
        {
            $SQL_select = "SELECT * FROM users WHERE username=$uname";
            $select_result = mysqli_query($conn, $SQL_select);

            $new_name = mysqli_real_escape_string($conn, $_POST['name']);
            $new_sname = mysqli_real_escape_string($conn, $_POST['sname']);
            $new_email = mysqli_real_escape_string($conn, $_POST['email']);

            $SQL_update = "UPDATE users SET name='$new_name', sname='$new_sname',
       email='$new_email' WHERE uname='$uname'";
            $update_result = mysqli_query($conn, $SQL_update);

            if ($update_result) { echo "Record updated successfully"; }
            else { echo "Error updating record: " . mysqli_error($conn); }
            mysqli_close($conn);
        }
        else
        {
            $errorMsg = " Fail to Connect Database";
            echo $errorMsg;
        }
    }
}
?>

<!DOCTYPE html>
<html>
<head>
<title>Upload Page</title>
</head>
<body>
<form name="Update_Form" method="post" action="update.php">
    Name:<input type="text" name="name" value=""/><br/>
    <P>
    Surname:<input type="text" name="sname" value=""/><br/>
    <P>
    E-Mail:<input type="text" name="email" value=""/><br/>

    <input type="submit" name="Submit_update" value="Update"/>
</form>
</body>


</html>

I suspect there's a quote in $uname. Since you're not escaping $uname, it's ending the string value.

You should use a prepared query instead of substituting variables, then you don't need to escape anything.

// Placeholders keep every value, including $uname, out of the SQL text.
$stmt_update = mysqli_prepare($conn, "UPDATE users SET name= ?, sname= ?,
   email=? WHERE uname=?") or die("Error preparing update: " . mysqli_error($conn));
// "ssss": all four parameters are bound as strings.
mysqli_stmt_bind_param($stmt_update, "ssss", $_POST['name'], $_POST['sname'], $_POST['email'], $uname);
mysqli_stmt_execute($stmt_update) or die("Error updating record: " . mysqli_stmt_error($stmt_update));

If you have quotes around the value in $uname so that where username=$uname works without putting quotes into the query, you should not do that; it makes using the variable harder for the rest of the code. It will prevent the above query from working, because it will look for the literal quotes in the table contents.
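
The situation the answer suspects, as an added example that is not part of the original question or answer: the session value carries a single quote, which breaks the concatenated UPDATE while the prepared one treats it as plain data. It assumes the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for MySQL so it runs offline; the function names, table rows and form values are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite through PDO stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (uname TEXT UNIQUE, name TEXT, sname TEXT, email TEXT)");

// Constructed rows: the second username contains a single quote.
$seed = $pdo->prepare("INSERT INTO users (uname, name, sname, email) VALUES (?, ?, ?, ?)");
$seed->execute(["manager", "Old", "Name", "old@example.test"]);
$seed->execute(["manager'", "Old", "Name", "old2@example.test"]);

// The question's pattern: form fields are escaped, the session value is pasted in as-is.
function update_concatenated(PDO $pdo, string $uname, array $post): string
{
    // Doubling quotes stands in for mysqli_real_escape_string() on the form fields.
    $name  = str_replace("'", "''", $post['name']);
    $sname = str_replace("'", "''", $post['sname']);
    $email = str_replace("'", "''", $post['email']);
    $sql = "UPDATE users SET name='$name', sname='$sname', email='$email' WHERE uname='$uname'";
    try {
        return "rows updated: " . $pdo->exec($sql);
    } catch (PDOException $e) {
        // The quote in $uname ends the string literal early and the statement no longer parses.
        return "query failed: " . $e->getMessage();
    }
}

// The answer's pattern: every value, including $uname, is bound to a placeholder.
function update_prepared(PDO $pdo, string $uname, array $post): string
{
    $stmt = $pdo->prepare("UPDATE users SET name = ?, sname = ?, email = ? WHERE uname = ?");
    $stmt->execute([$post['name'], $post['sname'], $post['email'], $uname]);
    return "rows updated: " . $stmt->rowCount();
}

// Constructed form input; the surname also contains a quote.
$post = ['name' => "Anne", 'sname' => "O'Neil", 'email' => "anne@example.test"];
foreach (["manager", "manager'"] as $uname) {
    echo "uname=[$uname]\n";
    echo "  concatenated: " . update_concatenated($pdo, $uname, $post) . "\n";
    echo "  prepared:     " . update_prepared($pdo, $uname, $post) . "\n";
}
```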
