Merely using prepare() does not automatically quote all your variables appropriately. All prepare() sees is a string, after you have interpolated variables into it. There is no way for it to tell what part of the string came from a variable and what part came from literal strings in your code.
You must use parameters for all values, instead of interpolating them into the string.
public function update() {
    $attributes = $this->attributes();
    print_r($attributes); // debugging output; remove once the method works
    $attribute_pairs = array();
    $attribute_values = array();
    foreach ($attributes as $key => $value) {
        if (isset($value)) {
            $attribute_pairs[] = "`{$key}`=?"; // use parameter placeholders
            $attribute_values[] = $value;      // collect the corresponding values
        }
    }
    $sql = "UPDATE `" . static::$table_name . "` SET ";
    $sql .= join(", ", $attribute_pairs);
    $sql .= " WHERE id=?";             // use a placeholder here too
    $attribute_values[] = $this->id;   // and add to the collected values
    // $handler is assumed to be your PDO connection (a property or global)
    $query = $handler->prepare($sql);
    $query->execute($attribute_values); // pass the values here
}
Note I also put your table name and column names in back-ticks to help delimit them in case you use reserved words or special characters in your SQL identifiers.
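Added example, not code from the answer above: the interpolated form the answer warns about beside a parameterised update that also checks column names against a fixed allow-list, since a placeholder cannot stand in for an identifier. The table, columns and rows are constructed for the demo, and it assumes PDO's SQLite driver is available.

```php
<?php
// Added example, not code from the answer above. Contrasts interpolation with
// a parameterised update that also allow-lists column names, because
// identifiers cannot be bound. Table, columns and rows are constructed.

// Interpolated: prepare() only sees the finished string, so any quote or SQL
// in $value becomes part of the statement. Shown only to contrast behaviour.
function updateInterpolated(PDO $pdo, int $id, array $attributes): int {
    $pairs = [];
    foreach ($attributes as $key => $value) {
        $pairs[] = "`{$key}`='{$value}'";
    }
    $stmt = $pdo->prepare("UPDATE `users` SET " . implode(", ", $pairs) . " WHERE id={$id}");
    $stmt->execute();
    return $stmt->rowCount();
}

// Parameterised: every value is a ? placeholder passed to execute();
// column names are allow-listed since a placeholder cannot stand in for them.
function updateParameterised(PDO $pdo, int $id, array $attributes): int {
    $allowedColumns = ['name', 'email']; // constructed schema for the demo
    $pairs = [];
    $values = [];
    foreach ($attributes as $key => $value) {
        if (!in_array($key, $allowedColumns, true)) {
            throw new InvalidArgumentException("unknown column: {$key}");
        }
        $pairs[] = "`{$key}`=?";
        $values[] = $value;
    }
    $values[] = $id;
    $stmt = $pdo->prepare("UPDATE `users` SET " . implode(", ", $pairs) . " WHERE id=?");
    $stmt->execute($values);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'a@example.test'), (2, 'bob', 'b@example.test')");
// A value containing a quote: the interpolated form produces broken SQL,
// the parameterised form stores it literally and touches only row 1.
try {
    updateInterpolated($pdo, 1, ['name' => "O'Brien"]);
} catch (PDOException $e) {
    echo "interpolated: " . $e->getMessage() . "\n";
}
echo "parameterised rows changed: " . updateParameterised($pdo, 1, ['name' => "O'Brien"]) . "\n";
print_r($pdo->query("SELECT id, name FROM users ORDER BY id")->fetchAll(PDO::FETCH_ASSOC));
```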