The problem comes from `escape_string` in your `check` method. This function is used to escape precise parts inside a statement; you cannot apply it to the where clause as a whole in such a generic way.
If you ever know for sure that your inputs are safe (not containing special characters breaking the sql statement, malicious or not), then simply remove the escaping.
Or if you think that they may contain special characters, for good reasons or to possibly drag an sql injection, then you have to provide a more constrained interface so that you can build the where clause yourself with the appropriate escaping. For example:
```php
public function update($table, $data, $woord) {
    ...
    $where = 'woord = \'' . $this->check($woord) . '\'';
    ...
}
```
Edit: I know it may sound too constrained, but security comes at a price. For something more flexible, you could have a look at prepared statements. They let you use placeholders, for example `WHERE woord = ? AND id < ?`, which you can bind to variables with something like:
```php
$stmt->bind_param('si', $woord, $id); // 'si' -> 1:string, 2:integer
```
In this case, mysqli applies escaping internally on bound strings, so you don't have to worry about it.
Note that you cannot use a placeholder to replace the whole where clause: `WHERE ?` with `$stmt->bind_param('s', $where);` will not work.
Last thing, PDO, an alternative API to access your database in PHP, supports named placeholders (`WHERE woord = :woord` instead of `WHERE woord = ?`).
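Putting the answer's advice together, here is an added example (not code from the answer or from the asker's project) of a constrained `update()` that keeps the where clause fixed and binds only values, first with mysqli positional placeholders and then with PDO named placeholders. The table `woorden`, its columns `woord`, `vertaling` and `id`, and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the original answer. Assumes a hypothetical table
// `woorden` with columns `woord` (VARCHAR), `vertaling` (VARCHAR), `id` (INT).

/**
 * Update one row identified by its `woord` value, using mysqli prepared
 * statements. Column names cannot be bound as parameters, so they are
 * checked against a fixed whitelist and quoted by us; every value goes
 * through a `?` placeholder, so no manual escape_string() is needed.
 */
function update_woord(mysqli $db, array $data, string $woord): int
{
    // Whitelist of updatable columns and their bind_param type letters.
    $allowed = ['woord' => 's', 'vertaling' => 's', 'id' => 'i'];

    $sets = [];
    $types = '';
    $values = [];
    foreach ($data as $column => $value) {
        if (!isset($allowed[$column])) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        $sets[]   = '`' . $column . '` = ?';
        $types   .= $allowed[$column];
        $values[] = $value;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('Nothing to update');
    }

    // The WHERE clause is written by us; only its value is a placeholder.
    $sql = 'UPDATE `woorden` SET ' . implode(', ', $sets) . ' WHERE `woord` = ?';
    $types   .= 's';
    $values[] = $woord;

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // bind_param takes references; argument unpacking passes them by reference.
    $stmt->bind_param($types, ...$values);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/**
 * Same update with PDO and named placeholders, as mentioned at the end of
 * the answer. Values are bound explicitly with bindValue().
 */
function update_woord_pdo(PDO $db, string $vertaling, string $woord): int
{
    $stmt = $db->prepare(
        'UPDATE `woorden` SET `vertaling` = :vertaling WHERE `woord` = :woord'
    );
    $stmt->bindValue(':vertaling', $vertaling, PDO::PARAM_STR);
    $stmt->bindValue(':woord', $woord, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'dbname');
// update_woord($db, ['vertaling' => "o'clock"], 'uur'); // quote is bound safely
//
// $pdo = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'password',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// update_woord_pdo($pdo, "o'clock", 'uur');
```

The whitelist is what makes the interface "constrained" in the answer's sense: callers choose which of a known set of columns to update, but never supply SQL text, so the where clause and the column list can only take shapes the code author wrote.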