4

I am working on a control panel (admin pages) for a website. All the pages have the same code with little changes in the database table name and columns. All of them work fine, but one page doesn't work.

This is its code....

<?php
include('connect.php');

// read the input data
$KTitle   = $_POST['Title'];
$Kcontent = $_POST['content'];
$ImgName  = $_FILES["file"]["name"];

//get img extension
$ImgExtension = substr($ImgName, (strlen($ImgName) - 4), strlen($ImgName));
//check if it Gif, Bng, Jpg
if ($ImgExtension == ".gif" || $ImgExtension == ".jpg" || $ImgExtension == ".png")
{ //get img name to rename it then readd the extinsion
    $ImgName      = substr($ImgName, 0, (strlen($ImgName) - 4));
    $storyImgName = $ImgName . "_" . $Title;
    $target       = "../CharacterImgs/" . $storyImgName . $ImgExtension;
    $target       = str_replace(" ", "_", $target);

    move_uploaded_file($_FILES['file']['tmp_name'], $target);
    mysql_query("INSERT INTO CharactersN (name,desc,img) VALUES ('$KTitle', '$Kcontent','$target')");

    echo "<meta http-equiv=\"refresh\" content=\"3;URL=AddCharacterForm.php\">";
}
?>
Improve this question
4
  • 3
    Can you post what error are you getting? Commented Nov 24, 2011 at 18:53
  • 3
    I hope you are aware that your code has SQL injections there? Please top using the outdated mysql_* functions and learn how to work with PDO and prepared statements. Commented Nov 24, 2011 at 18:55
  • This is a minor issue, but $KTitle = $_POST['Title']; should probably be $KTitle = $_POST['title']; (unless you send your title as &Title= rather than the standard &title=). Commented Nov 24, 2011 at 18:58
  • Doesn't work? What is it that doesn't work? Commented Nov 24, 2011 at 19:01

2 Answers 2

Reset to default
4

If you use desc as a column name in MySQL, you must surround it in backticks because it is a reserved word.

"INSERT INTO CharactersN (name, `desc`, img) ..."
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

You have a problem here:

INSERT INTO CharactersN (name,desc,img)

desc is a reserved word, so you must use the ` notation there, which is like this:

INSERT INTO CharactersN (`name`,`desc`,`img`)

It is a good practice to use this notation for field names every time (or never use reserved words for field names in your database design).

Also, please read about SQL Injection, because your code shows you are not aware of it. You are inserting values into your query which are coming from outside (POST in this case).

VALUES ('$KTitle', '$Kcontent','$target')")

You should escape these values first with mysql_real_escape_string(), or even better, use PDO for your database interaction.

enter image description here from xkcd

Improve this answer

4 Comments

one could counter that "stop using reserver works as field names" is a better practice ..
@tereško I don't want to start a comment war with this, but for an inexperienced user, who might happen not to know all the reserved words, it seems to be better to use the right notation instead. Still, I edited your comment into my answer.
agreed. on another note : mysql_escape_string() is deprecated. They now have mysql_real_escape_string() .. which is just another sign of how old mysql_* has become. You should edit the answer a bit.
@tereško Thanks, that was actually a typo. Before using PDO, I was more accustomed to typing it :).

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.