我有一个易受MySQL注入攻击的PHP表单，但我试图利用它来证明它存在，但我不断收到语法错误

我尝试这样做'，''，''，''，''，''）;更新注册SET年= 2000 WHERE student_id ='s01'; -

但是我遇到了SQL错误

<html>
<body>

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";

// Create connection
$conn = new mysqli($servername,$username,$password,$dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
echo "Connected successfully <br> <br>"; 



$input1 = $_POST['input1'];
$input2 = $_POST['input2'];
$input3 = $_POST['input3'];
$input4 = $_POST['input4'];
$input5 = $_POST['input5'];
$input6 = $_POST['input6'];
$sql = "INSERT INTO student (student_id,first_name,last_name,DOB,sex,phone) VALUES ('$input1','$input2','$input3','$input4','$input5','$input6')";

if ($conn->multi_query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?><br><br>

Input 1  <?php echo $_POST["input1"]; ?><br>
Input 2  <?php echo $_POST["input2"]; ?><br>
Input 3  <?php echo $_POST["input3"]; ?><br>
Input 4  <?php echo $_POST["input4"]; ?><br>
Input 5  <?php echo $_POST["input5"]; ?><br>
Input 6  <?php echo $_POST["input6"]; ?>

  <p>
  <a href="/index.html">Return to the form</a>
  </p>
</body>
</html>