Hey guys, I have a big problem and I have no idea why. I have a few forms that upload files to the database; all of them work fine except one. I use the same query in all of them (a simple insert). I think that it has something to do with the files I am trying to upload, but I am not sure.

Here is the code:

if ($_POST['action'] == 'hndlDocs') {
$ref = $_POST['reference']; // Numeric value of
$doc = file_get_contents($_FILES['doc']['tmp_name']);


$link = mysqli_connect('localhost','XXXXX','XXXXX','documents');
mysqli_query($link,"SET autocommit = 0");

$query = "INSERT INTO documents ({$ref},
'{$doc}',
'{$_FILES['doc']['type']}')
;";
mysqli_query($link,$query);
if (mysqli_error($link)) {
    var_dump(mysqli_error($link));
    mysqli_rollback($link);
} else {
    print("<script> window.history.back(); </script>");
    mysqli_commit($link);
}

}

The database has only these fields:

CREATE TABLE documents (
    reference INT(5) UNSIGNED ZEROFILL NOT NULL, -- it is unsigned zerofill
    doc LONGBLOB NOT NULL, -- this should contain the binary data
    mime_type TEXT NOT NULL -- the mime type of the file; php allows only application/pdf and image/jpeg
);

And the error I get is :

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00001, '����' at line 1

UPDATE:

Except that I have forgotten to add the VALUE in the SQL query. I have to add addslashes() to the content that is collected from the file and it is all done.

I would appreciate any help. Cheers!

John Woo
DaGhostman Dimitrov

1 Answer

You forgot to add the VALUES keyword. The type of INSERT syntax you use is implicit, so it is assumed that your table has only 3 columns because you have supplied only 3 values. But if you have more than 3 columns, then you need to explicitly define the column names in your query.

$query = "INSERT INTO documents VALUES ({$ref}, 
                                       '{$doc}', 
                                       '{$_FILES['doc']['type']}');";

Your query is vulnerable to SQL injection. Please take time to read the article below.

John Woo
  • Currently I am building the basic structure making it run and after that applying the security measures. Thanks anyway I will check the article. Cheers! – DaGhostman Dimitrov Oct 26 '12 at 11:09
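
Binding the values as parameters removes both problems discussed above: the raw file bytes can no longer break the SQL syntax (so addslashes() is not needed), and the reference and MIME type can no longer be used for injection. The following is an added example, not code from the original posts; it assumes the column names from the question's schema, PHP 7.1+ with the fileinfo extension, and a hypothetical helper named storeDocument().

```php
<?php
// Added example: hardened version of the upload handler from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

const ALLOWED_MIME = ['application/pdf', 'image/jpeg']; // the two types named in the question

function storeDocument(mysqli $link, $rawRef, array $file): void // hypothetical helper
{
    // Zero-padded references such as "00001" are accepted: digits only, then cast.
    if (!is_string($rawRef) || !ctype_digit($rawRef)) {
        throw new InvalidArgumentException('reference must be numeric');
    }
    $ref = (int) $rawRef;

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Detect the type from the file content; $file['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('unsupported file type');
    }

    $stmt = $link->prepare('INSERT INTO documents (reference, doc, mime_type) VALUES (?, ?, ?)');
    $blob = null; // placeholder for the "b" parameter; the data is streamed below
    $stmt->bind_param('ibs', $ref, $blob, $mime);

    // Stream the file in chunks so the binary bytes never become part of the SQL text.
    $fh = fopen($file['tmp_name'], 'rb');
    while (!feof($fh)) {
        $stmt->send_long_data(1, fread($fh, 8192));
    }
    fclose($fh);
    $stmt->execute();
}

if (($_POST['action'] ?? '') === 'hndlDocs' && isset($_FILES['doc'])) {
    $link = new mysqli('localhost', 'XXXXX', 'XXXXX', 'documents');
    $link->begin_transaction();
    try {
        storeDocument($link, $_POST['reference'] ?? null, $_FILES['doc']);
        $link->commit();
    } catch (Throwable $e) {
        $link->rollback();
        error_log($e->getMessage()); // log it; do not echo SQL errors to the client
        http_response_code(400);
    }
}
```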