Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use in Update

Question

It seems that my mysqli query doesn't has any mistake. But it shows following error.

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '( title = 'Maths', start ='10:00am', end ' at line 1

This is my query.

$title = $_POST['title'];
$date = $_POST['date'];
$from = $_POST['from'].$_POST['from_time'];
$to = $_POST['to'].$_POST['to_time'];
$student=$_POST['student'];
$place = $_POST['location'];
$event_id = $_GET['event_id'];
$ti = $_SESSION['teacher_id'];

if ($date=='Monday'){

    $update = mysqli_query($conn,"UPDATE teacher_class_schedule SET(
        title = '".$title."',
        start ='".$from."',
        end ='".$to."',
        Monday = '".$date."',
        Tuesday = 'false',
        Wednesday = 'false',
        Thursday = 'false',
        Friday = 'false',
        Saturday = 'false',
        Sunday = 'false',
        teacher_id = '".$ti."' ,
        number_of_student = '".$student."',
        day = '".$date."',
        location = '".$place."') WHERE id = '".$event_id."'");

Can anyone help me to fix this error.

Answer 1

You should use a prepared statement to avoid code injection. ( documentation )

You also don't have to use parenthesis arround your SET data ( documentation )

<?php
$stmt = $dbh->prepare("UPDATE teacher_class_schedule SET title = :title, start = :start, [...]");
$stmt->bindParam(':title', $_POST['title']);
$stmt->bindParam(':start', $_POST['from']);
// ...
$stmt->execute();