In an effort to prevent sql injections, I am converting my queries into prepared statements. I have one left. It contains a possible null value too, hence it's proving to be a little difficult.
Normal:
// Declare $dbc, $varA, $varB, $varC, $ID
$varC = ($varC == '-') ? "NULL" : "'" . $varC . "'";
$query = "UPDATE myTable ";
$query .= "SET VARA = '{$varA}', VARB = '{$varB}', VARC = $varC ";
$query .= "WHERE ID = '{$ID}'";
$result = @mysqli_query($dbc, $query) or die("Error updating record: " . mysqli_error($dbc));
Attempt at prepared statement:
// Declare $dbc, $varA, $varB, $varC, $ID
$varC = ($varC == '-') ? "NULL" : "'" . $varC . "'";
$query = "UPDATE myTable ";
$query .= "SET VARA = ? VARB = ? VARC = ? ";
$query .= "WHERE ID = ?";
$stmt = mysqli_prepare($dbc, $query);
$bind = mysqli_stmt_bind_param($stmt, "ssss", $varA, $varB, $varC, $ID);
$exec = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
Why not just
$varC = ($varC == '-') ? null : $varC;
?
Also, you are missing the commas in your query
$query .= "SET VARA = ?, VARB = ?, VARC = ? ";
Edit: I just ran the code with my changes and it seemed to work okay. For reference, this is the code I used:
<?php
error_reporting(-1);
ini_set('display_errors', 'On');
$dbc = mysqli_connect("127.0.0.1", "test", "test", "test");
$ID = "1";
$varA = "a";
$varB = "b";
$varC = "-";
$varC = ($varC == '-') ? null : $varC;
$query = "UPDATE myTable ";
$query .= "SET VARA = ?, VARB = ?, VARC = ? ";
$query .= "WHERE ID = ?";
$stmt = mysqli_prepare($dbc, $query);
$bind = mysqli_stmt_bind_param($stmt, "ssss", $varA, $varB, $varC, $ID);
$exec = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
Could you try adding the error reporting lines to the top of your code and see if you are getting any errors?