Clean formatting helps clean stuff like this up:
    if (!isset($_POST['new'])) {
        $query .= "WHERE `name` = '" . mysqli_real_escape_string($origName) . "'";
    }
    $query .= ';';
    query($query);
    $output = "Changes saved";

First, the formatting of the WHERE in your example is off. I set that to double quotes for the whole query & single quotes for the value inside the query that comes from mysqli_real_escape_string($origName).

But that said, the mysqli_real_escape_string() format is incorrect. For the procedural style you need to have the actual DB connection (aka: link) set as the first parameter:

    string mysqli_real_escape_string ( mysqli $link , string $escapestr )

So the mysqli_real_escape_string() as shown in your example needs to be changed to something like this:

    mysqli_real_escape_string($db, $origName)

With $db actually being the real MySQL database connection link in your larger code structure.
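
An added example, not code from the original answer: the corrected procedural call in context, followed by the same update written with bound parameters (a different technique from the escaping discussed above). It needs a reachable MySQL server; the connection details, the `items` table and the `description` column are assumptions, and only the `name` column appears in the answer.

```php
<?php
// Added example. Host, credentials, the `items` table and its `description`
// column are placeholders; only the `name` column comes from the answer.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
// Escaping is charset-aware, which is why the link is the first argument.
// Set the charset through the API so the escaper and the server agree.
mysqli_set_charset($db, 'utf8mb4');

// Constructed sample input containing a quote.
$origName = "O'Brien";
$newDesc  = 'updated text';

// 1) Procedural escaping with the link passed first, as in the answer.
function where_by_name(mysqli $db, string $origName): string
{
    return " WHERE `name` = '" . mysqli_real_escape_string($db, $origName) . "'";
}

$query  = "UPDATE `items` SET `description` = '"
        . mysqli_real_escape_string($db, $newDesc) . "'";
$query .= where_by_name($db, $origName);
$query .= ';';
mysqli_query($db, $query);

// 2) Same statement with bound parameters: values never enter the SQL text.
$stmt = mysqli_prepare($db, 'UPDATE `items` SET `description` = ? WHERE `name` = ?');
mysqli_stmt_bind_param($stmt, 'ss', $newDesc, $origName);
mysqli_stmt_execute($stmt);
printf("%d row(s) changed\n", mysqli_stmt_affected_rows($stmt));
mysqli_stmt_close($stmt);
mysqli_close($db);
```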