Can't update SQL record.

[Arbu]

I'm getting an error when I try to update a record in my sql database. Here's my code:

function updateRecord($mysqli,$diagram_id,$data,$image){
  if(login_check($mysqli)){
    $sql = "UPDATE diagrams SET data=$data WHERE id=$diagram_id";

    if ($mysqli->query($sql) === TRUE) {
        // echo "Record updated successfully";
        //header("Location: ../account.php");
		 echo "Success";
        exit();
        // return true;
    } else {
        echo "Error: " . $sql . "<br>" . $mysqli->error;
        // return false;
    }

    $mysqli->close();
    exit();
  }
  else {
    header('Location: ../login.php');
    exit();
  }
}

and the response I get is:

Quote

Error: UPDATE diagrams SET data={
    "version": "3.4.0",
    "objects": [
        {
            "type": "group",
            ...
    "linecounter": 1
} WHERE id=88<br>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"version": "3.4.0",
    "objects": [
        {
            "type": "group",
    ' at line 2

I have some similar code for deleting a record which works fine:

function deleteRecord($mysqli,$diagram_id){
  if ($mysqli->connect_error) {
      die("Connection failed: " . $mysqli->connect_error);
  }

  $sql = "DELETE FROM diagrams WHERE id=$diagram_id";

  if ($mysqli->query($sql) === TRUE) {}
  else {
      echo "Error deleting record: " . $mysqli->error;
  }
  $mysqli->close();
}

What am I doing wrong?

Thanks.

[Ingolme]

You need to use prepared statements to prevent the data from messing up the query. You shouldn't put variables directly into an SQL string.

[Arbu]

I'm already saving files with much the same code, and that works OK. So I don't think there was an issue with not using prepared statements. What now seems to have fixed it however is simply placing single quote marks around $data in $sql.