
I'm using PHP to create a service to accept a file and then enter information into a MySQL database. I'm not generating any errors (at least not in the directory error_log). The file uploads fine; however, the information is not entered into the database. As I said, there are no errors that I see listed; there very well may be, and I'm unsure of where to look.

```php
<?php
include("connect.php");
$type = "jpg";

// Re-creates register_globals: every GET key becomes a PHP variable via eval().
// This is where $code below gets its value, and it also lets the client define
// any variable it likes.
foreach ($_GET as $key => $value) { eval("\$" . $key . " = \"" . $value . "\";"); }
$filename = isset($_REQUEST["filename"]) ? $_REQUEST["filename"] : "jjj";
$append = $_REQUEST["append"];

if ($code == "XXX")
{
    try
    {
        // The return value is never checked, so a failed query is silent:
        // mysql_query() returns false (see mysql_error()) rather than throwing.
        mysql_query("INSERT INTO `images-table` (`file-name`, `file-type`) VALUES (`" . $filename . "`, `" . $type . "`)");

        // Write the raw request body to uploads/<filename>, appending if requested.
        if (!$append)
            $file = fopen("uploads/" . $filename, "w");
        else
            $file = fopen("uploads/" . $filename, "a");

        $input = file_get_contents("php://input");
        fwrite($file, $input);
        fclose($file);

        echo "OK";
    }
    catch (Exception $e)
    {
        echo 'Caught exception: ', $e->getMessage(), "\n";
    }
}
else
{
    echo 'You do not have permission to do this.';
}
```
John Woo
William B
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Vlad Preda Feb 01 '13 at 14:42
  • VALUES ('". $filename . "', '" . $type . "') change ` to single quote –  Feb 01 '13 at 14:42
  • @VladPreda Thanks for that information! I haven't messed with PHP all that much (obviously), much appreciated! – William B Feb 01 '13 at 14:55

1 Answer


Because the values of your INSERT statement were wrapped in backticks. They should be single quotes. Backticks are for identifiers; single quotes are for strings.

```php
mysql_query("INSERT INTO `images-table` (`file-name`, `file-type`)
             VALUES ('" . $filename . "', '" . $type . "')");
```

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.

Others

John Woo
  • Thanks! So obvious now that I look at it. I assumed it would throw an error if I had that type of thing wrong. Also, thank you for the SQL injection information. Very much appreciated. – William B Feb 01 '13 at 14:56
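The answer above fixes the quoting and points at prepared statements; the comment thread adds that `mysql_*` is deprecated. The following is an added example, not code from the question or the answer, showing the same upload handler rewritten with PDO so that the INSERT is parameterised, the identifiers keep their backticks, and a failed query raises an exception instead of silently returning `false`. The DSN, credentials and the `uploads` directory are placeholders; the `eval()` over `$_GET` is replaced by reading the parameters explicitly, and the `basename()` filter on `filename` is a hardening step that goes beyond what the answer discusses (it stops `../` in the filename from escaping the uploads directory).

```php
<?php
// Added example, not part of the original question or answer.
// Replaces connect.php with an inline PDO connection; DSN and credentials are assumed.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
    'app_user',                                          // assumed user
    'app_password',                                      // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failed queries throw
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Read the request parameters explicitly instead of eval()-ing $_GET into variables.
$code     = $_REQUEST['code']     ?? '';
$append   = !empty($_REQUEST['append']);
$filename = $_REQUEST['filename'] ?? 'jjj';
$type     = 'jpg';

// Same shared-secret check as the question ("XXX"), compared in constant time.
if (!is_string($code) || !hash_equals('XXX', $code)) {
    http_response_code(403);
    echo 'You do not have permission to do this.';
    exit;
}

// Hardening beyond the answer: keep only the base name so "../" cannot escape uploads/.
$filename = is_string($filename) ? basename($filename) : '';
if ($filename === '' || $filename === '.' || $filename === '..') {
    http_response_code(400);
    echo 'Bad filename';
    exit;
}

try {
    // Identifiers stay in backticks; values are bound, so no quotes are written by hand
    // and the client cannot break out of the string.
    $stmt = $pdo->prepare(
        'INSERT INTO `images-table` (`file-name`, `file-type`) VALUES (:name, :type)'
    );
    $stmt->execute([':name' => $filename, ':type' => $type]);

    // Write the raw request body to disk, appending if requested, as the original did.
    $mode = $append ? 'a' : 'w';
    $file = fopen(__DIR__ . '/uploads/' . $filename, $mode);
    if ($file === false) {
        throw new RuntimeException('cannot open upload target');
    }
    fwrite($file, file_get_contents('php://input'));
    fclose($file);

    echo 'OK';
} catch (PDOException $e) {
    // PDOException extends RuntimeException, so it must be caught first.
    // Log the detail server-side; do not echo driver messages to the client.
    error_log('INSERT failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Database error';
} catch (RuntimeException $e) {
    error_log('Upload failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Upload error';
}
```

Two points worth noting: placeholders can only stand in for values, so table and column names such as `` `images-table` `` still need backticks in the SQL text, and with `ATTR_ERRMODE` set to `ERRMODE_EXCEPTION` the original symptom ("no errors, nothing inserted") cannot occur, because the backtick-wrapped VALUES from the question would now surface as a PDOException in the log.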