
The code below uploads images to my sql database called upload_image.

if(isset($_POST['submit'])){
    $target_path = "images/";
    $target_path = $target_path . basename($_FILES['file']['name']);
    if(move_uploaded_file($_FILES['file']['tmp_name'], $target_path)){
        $conn = new mysqli("localhost", "root", "", "upload_image");
        $sql = "Insert into upload_image('path') values('$target_path')";
        if($conn->query($sql)==TRUE){
            echo "<br><br>";
        }else{
            echo "Error on upload".$sql.$conn->error;
        }
    }
}

The error being displayed is

Error on uploadInsert into upload_image('path') values('images/ao.png')

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''path') values('images/ao.png')' at line 1

Here is the HTML part:

<form method="post" enctype="multipart/form-data">
<input type="hidden" value="1000000" name="MAX_FILE_SIZE"/>
<input type="file" name="file"/>
<input type="submit" name="submit" value="Upload"/>
</form>

The HTML and PHP are all in one code.

  • 'path' is a string, not a column. Remove the quotes; those are for strings. Use backticks if using special characters or reserved terms. You are also open to SQL injection; parameterize the query. Commented Jun 6, 2018 at 20:59
  • It worked, once again thank you. Commented Jun 6, 2018 at 21:01
  • Possible duplicate: How can I fix MySQL error #1064 "synthax error" Commented Jun 6, 2018 at 21:02
  • Possible duplicate of When to use single quotes, double quotes, and back ticks in MySQL Commented Jun 6, 2018 at 21:06
  • WARNING: When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation or concatenation to accomplish this because you have created a severe SQL injection bug. NEVER put $_POST, $_GET or any user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. Commented Jun 6, 2018 at 23:33

2 Answers

1

The line:

$sql = "Insert into upload_image('path') values('$target_path')";

Should be:

$sql = "Insert into upload_image(path) values('$target_path')";

In other words there should be no quotes around the column name in your query.

For readability, you can uppercase the SQL keywords:

$sql = "INSERT INTO upload_image (path) VALUES ('$target_path')";

For security, you can use a prepared statement.

The code is vulnerable to SQL injection, so a better approach would be to use a prepared statement, e.g.:

$sql = "INSERT INTO upload_image (path) VALUES (?)";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $target_path); // mysqli_stmt has bind_param(), not bind()
$stmt->execute();

6 Comments

$target_path being in the query is also a huge problem.
@tadman In this particular case why would the $target_path in the query be an issue? It will be processed (single quotes will not prevent processing of the variable in this case) and it would be replaced with the actual value.
Do you know what's in that string? I don't. It could be anything, and it could be hostile.
@tadman Okay, I see your point. My answer simply addresses the question in that it points out the syntax error, but of course the code can be improved by rewriting it, e.g. as a prepared statement, to protect against SQL injection.
@tadman I have edited the answer to include a prepared statement based on your suggestion.
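As an added example (not code from the question or either answer), here is the question's upload handler rewritten the way the comments recommend: the column name is bare, the path value is bound with bind_param instead of interpolated, and the driver error is logged rather than echoed to the browser. It assumes the same upload_image(path) table and connection details as the question; the extension allow-list, the random filename and the size check are assumptions added here for hardening, not something the original code did.

```php
<?php
// Added example, not the original poster's code. Assumes a table
// upload_image(path) and the question's connection details; the allow-list,
// random filename and server-side size check are hardening choices made here.

declare(strict_types=1);

const UPLOAD_DIR = 'images/';
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];
const MAX_BYTES = 1000000; // the form's MAX_FILE_SIZE hint, enforced server-side

/**
 * Decide where an uploaded image may be written. Returns null when the upload
 * must be rejected. The client-supplied name is never reused: a random name
 * with a checked extension avoids path tricks, overwrites and odd characters.
 */
function safe_target_path(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Record the stored path with a prepared statement. The column name is
 * backticked (an identifier), the value is a bound string parameter, so the
 * query text cannot be altered by whatever ends up in $targetPath.
 */
function store_upload_path(mysqli $conn, string $targetPath): bool
{
    $stmt = $conn->prepare('INSERT INTO upload_image (`path`) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $targetPath);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['submit'], $_FILES['file'])) {
    $targetPath = safe_target_path($_FILES['file']);
    if ($targetPath === null) {
        http_response_code(400);
        echo 'Upload rejected';
        exit;
    }
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $targetPath)) {
        http_response_code(500);
        echo 'Could not save file';
        exit;
    }
    $conn = new mysqli('localhost', 'root', '', 'upload_image');
    if (!store_upload_path($conn, $targetPath)) {
        // Keep the SQL text and driver error out of the HTTP response.
        error_log('upload_image insert failed: ' . $conn->error);
        http_response_code(500);
        echo 'Could not record upload';
        exit;
    }
    echo 'Uploaded';
}
```

On PHP 8.1 and later, mysqli throws mysqli_sql_exception by default instead of returning false from prepare(), so the false check above is the fallback for older error-reporting modes; either way the failing query and server message stay in the server log, unlike the original, which echoed both to the page.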
0

The correct syntax would be

INSERT INTO upload_image (path) VALUES ('$target_path')

The field name is written without quotes.
