updating names not values

I'm updating a database table with an HTML form. The update occurs but with the field names
not the values?
--------------------------------------
the form code:

<!DOCTYPE html><html lang="en">
<head>
</head>
<body bgcolor="#ccffff"><center>
<font size=+2><b> update 515 Certification Expiration database</font><br>
<form action="cert-update.php" method="post">
<label for="unit">Unit:</label>
<input type="text" name="unit" id="unit">
<label for="tenant">Tenant:</label>
<input type="text" name="tenant" id="tenant">
<label for="effdate">Effective date:</label>
<input type="text" name="effdate" id="effdate">
<label for="expdate ">Expiration date :</label>
<input type="text" name="expdate " id="expdate "><br>

<label for="moveindate">Move-in date:</label>
<input type="text" name="moveindate" id="moveindate">
<label for="daysleft">Days left:</label>
<input type="text" name="daysleft" id="daysleft">
<label for="date90">date90:</label>
<input type="text" name="date90" id="date90">
<label for="date60">date60:</label>
<input type="text" name="date60" id="date60">
<label for="date30">date30:</label>
<input type="text" name="date30" id="date30"><br>

<input type="submit" name="submit" value="Submit">
</form></body></html>
------------------------------------
the update code:

<html><body>
<center><b><font size=+2> 515 Certification Expiration Update</font><br>06/22/2020 - 06/22/2021<p>

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "prerentdb";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}

$unit=$_POST['unit'];
$tenant=$_POST['tenant'];
$effectdate='effectdate';
$expdate='expdate';
$moveindate=$_POST['moveindate'];
$daysleft=$_POST['daysleft'];
$date90=$_POST['date90'];
$date60=$_POST['date60'];
$date30=$_POST['date30'];
$sql = "UPDATE certtbl SET
unit = '$unit',
tenant = '$tenant',
effectdate = '$effectdate',
expdate = '$expdate',
moveindate = '$moveindate',
daysleft = '$daysleft',
date90 = '$date90',
date60 = '$date60',
date30 = '$date30'
WHERE unit='$unit'";
if ($conn->query($sql) === TRUE) { echo "Record updated successfully"; }
else { echo "Error updating record: " . $conn->error; }
$conn->close();
?>
</center></body></html>

 

NO! Oh for F*** sake NO!

They need to extract their code's cranium from 2003's rectum and STOP slopping variables into the query string! Filter_input isn't the flipping answer, prepare/execute is!

Just like how 1997 called and it wants its markup back. The mere presence of FONT and CENTER should be a giant warning sign that the ENTIRE codebase has to be pitched in the trash and started over with practices from this century.

<?php

$conn = new mysqli(
	"localhost",
	"root",
	"",
	"prerentdb"
);
if ($conn->connect_error) {
	die("Connection failed: " . $conn->connect_error);
}

$stmt = $conn->prepare('
	UPDATE certtbl
	SET
		unit = ?,
		tenant = ?,
		effectdate = ?,
		expdate = ?,
		moveindata = ?,
		daysleft = ?,
		date90 = ?,
		date60 = ?,
		date30 = ?
	WHERE
		unit = ?
');

$stmt->bind_param(
	'ssssssssss',
	$_POST['unit'],
	$_POST['tenant'],
	'effectdate', // if these are tyoe DATETIME, these are invalid
	'expdate',
	$_POST['moveindate'],
	$_POST['daysleft'],
	$_POST['date90'],
	$_POST['date60'],
	$_POST['date30']
);

if ($stmt->execute()) {
	if ($stmt->affected_rows > 0) echo 'Record updated successfully';
	else echo 'No records updated, but no error?!?';
} else echo 'Error updating record: ', $conn->error;

$conn->close();

Code (markup):

Variables for nothing and garbage filter_input nonsense so they can be slopped into the query string is NOT the answer!