I want all users to be able to update their about page. Here is the string I am using in my PHP to query the MySQL update. I am getting an error. What am I doing wrong?
$insert_query= "UPDATE user_info SET bio= $bio_ans, residence= $residence_ans, work=
$work_ans WHERE user_id= $user_id";
mysqli_query($connect, $insert_query)
or die('error with query1');
If the update value is not an integer then you need to use quotes around the value.
$insert_query= "UPDATE user_info
SET bio= '$bio_ans',
residence= '$residence_ans',
work = '$work_ans' WHERE user_id= '$user_id'";
mysqli_query($connect, $insert_query)
or die('error with query1');
$insert_query= "UPDATE user_info SET bio= $bio_ans, residence= $residence_ans, work=$work_ans WHERE user_id= $user_id";
mysqli_query($connect, $insert_query)
or die('error: ' . $connect->error); // $connect is the mysqli link passed to mysqli_query() above
The $mysqli->error will let you know specifically what went wrong.
$insert_query= "UPDATE user_info SET bio='" . $bio_ans . "', residence='" . $residence_ans . "', work='" . $work_ans . "' WHERE user_id= '$user_id'";
mysqli_query($connect, $insert_query)
or die('error with query1');
Besides the lack of quotes (as shown by RPM), the really wrong thing you're doing is to use variable interpolation to create an SQL query.
This is only acceptable for numeric variables, and then only if you have forcibly cast it to a numeric type just before use. String escaping is supposedly safe, but very error-prone (doing it twice, forgetting to add when you add a new value, etc). The slightest slip will open a huge hole for SQL injection, which is the absolute easiest way to crack a web app.
Use prepared statements with parameter bindings and you'll be safe.
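An added example, not part of the original answers, showing the prepared-statement form of the question's UPDATE with mysqli. The function name update_user_info, the connection credentials, the integer type of user_id and the sample values are assumptions made for illustration.

```php
<?php
// Added example. Assumes the user_info table and columns from the question,
// an integer user_id, and placeholder connection credentials.

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the number of rows the UPDATE changed.
function update_user_info(mysqli $connect, int $user_id, string $bio,
                          string $residence, string $work): int
{
    // Placeholders (?) keep the values out of the SQL text entirely, so
    // quotes or SQL keywords inside a value are stored as data, not parsed.
    $stmt = $connect->prepare(
        'UPDATE user_info SET bio = ?, residence = ?, work = ? WHERE user_id = ?'
    );
    // "sssi": three strings followed by one integer, in placeholder order.
    $stmt->bind_param('sssi', $bio, $residence, $work, $user_id);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

try {
    // Placeholder credentials (assumption): replace with your own.
    $connect = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $connect->set_charset('utf8mb4');

    // Constructed sample input. The apostrophes would end the string literal
    // early in the quoted, interpolated query; here they need no escaping.
    $changed = update_user_info($connect, 42, "I'm a developer", "O'Fallon", 'Acme');
    echo "Rows updated: $changed\n";
} catch (mysqli_sql_exception $e) {
    // Keep the database detail in the server log; show a generic message.
    error_log($e->getMessage());
    exit('error with query1');
}
```

Note that affected_rows is 0 when the submitted values match what is already stored, so a zero result does not by itself mean the user_id was not found.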