Php + sql语句总是返回成功？

这是代码Php + sql语句总是返回成功？

<?php 
include("global.php"); 

$username = mysql_real_escape_string(stripslashes($_POST["strUserName"])); 
$password = md5(mysql_real_escape_string(stripslashes($_POST["strPassword"]))); 
$charid = mysql_real_escape_string(stripslashes($_POST["charid"])); 
$quest = mysql_real_escape_string(stripslashes($_POST["strQuest"])); 


$query = "SELECT * FROM wherei_users, wherei_characters WHERE wherei_users.username = '{$username}' AND wherei_users.password = '{$password}' AND wherei_characters.username =  '{$username}' AND wherei_characters.Id = '{$charid}'"; 
$result = mysql_query($query); 
$yesorno = (mysql_num_rows($result) == 0) ? 'NO' : 'YES'; 


if(empty($username) || empty($password) || empty($charid) || empty($quest) || $yesorno == "NO") { 
$status="error"; 
$msg="InvalidData"; 
$actiontype="&actiontype=savequestdata"; 
$out=("$actiontype&status=$status&msg=$msg"); 
} 

if ($yesorno = "YES") { 
mysql_query("UPDATE wherei_characters SET strQuest = '{$quest}' WHERE username = '{$username}' AND id = '{$charid}'") or die(mysql_error()); 
$actiontype="&actiontype=savequestdata"; 
$status="success"; 
$out=("$actiontype&$status"); 
} 

echo("$out"); 
?> 

然而，它总是返回该居留制是成功？当我去我的浏览器，只需键入的URL，它返回

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 

当我设置的值错误的目的，它返回一个状态是succesfull，你看，如果醚$username,$password,$charid,$quest为空或$yesorno是NO那么它应该回显&actiontype=savequestdata&status=error&msg=InvalidData。无论我设置变量，它都返回`actiontype = savequestdata &成功？