0

I'm working on an image uploader for a website. The first page lets the user enter the title and description of the image he wants to upload. This is then sent to another page which inserts the data into a database and then forwards to a page which lets the user upload the image. I get an error at the database insert part.

When I load addTitleDescDB.php I get the following error:

Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';' in ../admin/imageupload/addTitleDescDB.php on line 10

The form:

```html
<div id="upload-wrapper">
    <div align="center">
        <h3>Description</h3>
        <form action="addTitleDescDB.php" method="get" id="MyUploadForm">
            <label for="title">Titre:</label>
            <input type="text" name="title" id="title">
            <br><br>
            <label for="desc">Description:</label><br>
            <textarea name="desc" id="desc" cols=40 rows=6></textarea>
            <br><br>
            <input type="submit"  id="submit-btn" value="Envoyer" />
        </form>
    </div>
</div>
```

addTitleDescDB.php

```php
<?php
  require_once ($_SERVER['DOCUMENT_ROOT'].'/includes/mysql_connect.php'); // Connect to the database.
  include ($_SERVER['DOCUMENT_ROOT'].'/includes/sanitize.php');

  $_GET = sanitize($_GET); // Sanitize input
  $title = $_GET['title'];
  $desc = $_GET['desc'];

  if(mysql_query("INSERT INTO galerie (title, description) VALUES ($title, $desc)")) {
    $id = mysql_insert_id();
    echo "<script type=\"text/javascript\">window.location.href = '../admin/imageupload/imageupload.php?id=".$id."';</script>";
  }
  else
    echo "<script type=\"text/javascript\">window.location.href = '../admin/imageupload/index.php?error=SQL';</script>";
?>
```

sanitize.php

```php
<?php
  function cleanInput($input) {
    $search = array(
      '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
      '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
      '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
      '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
    );

    $output = preg_replace($search, '', $input);
    return $output;
  }
?>

<?php
  function sanitize($input) {
    if (is_array($input)) {
      $output = array(); // Defined even when the input array is empty
      foreach($input as $var=>$val) {
        $output[$var] = sanitize($val);
      }
    }
    else {
      if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
      }
      $input  = cleanInput($input);
      $output = mysql_real_escape_string($input);
    }
    return $output;
  }
?>
```
Daniel A. White
madhyve
  • Wrap this `VALUES ($title, $desc)` in quotes `VALUES ('$title', '$desc')` since you're obviously working with strings. Or `VALUES ('".$title."', '".$desc."')` – Funk Forty Niner Jul 03 '14 at 04:29
  • @Fred-ii- It works, thanks a lot, I don't know why I didn't think of that. Sometimes you just need to have a fresh look. – madhyve Jul 03 '14 at 04:34
  • @asprin Depends on what's being put through. – Funk Forty Niner Jul 03 '14 at 04:35
  • [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) – Phil Jul 03 '14 at 04:48

2 Answers

1

In your addTitleDescDB.php try this:

```php
<?php
  require_once ($_SERVER['DOCUMENT_ROOT'].'/includes/mysql_connect.php'); // Connect to the database.
  include ($_SERVER['DOCUMENT_ROOT'].'/includes/sanitize.php');

  $_GET = sanitize($_GET); // Sanitize input
  $title = $_GET['title'];
  $desc = $_GET['desc'];

  if(mysql_query("INSERT INTO galerie (title, description) VALUES ('".$title."','".$desc."')")) {
    $id = mysql_insert_id();
    echo "<script type=\"text/javascript\">window.location.href = '../admin/imageupload/imageupload.php?id=".$id."';</script>";
  }
  else
    echo "<script type=\"text/javascript\">window.location.href = '../admin/imageupload/index.php?error=SQL';</script>";
?>
```
Hope
0

Your query variables should be quoted, and give proper quotes to your script.

Try changing it to:

```php
if(mysql_query("INSERT INTO galerie (title, description) VALUES ('$title', '$desc')")) {
  $id = mysql_insert_id();
  echo "<script type='text/javascript'>window.location.href = '../admin/imageupload/imageupload.php?id=$id';</script>";
}
else
  echo "<script type='text/javascript'>window.location.href = '../admin/imageupload/index.php?error=SQL';</script>";
```
Rakesh Sharma
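
The quoting fix in the answers is only safe while every value has first been escaped, as `sanitize()` does with `mysql_real_escape_string()`. As an added example (not code from the question or from either answer), here is the same insert written with a PDO prepared statement, which binds the values instead of splicing them into the SQL string. The in-memory SQLite database and the helper name `addTitleDesc` are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not from the original thread: parameterized INSERT with PDO.
// Assumption: an in-memory SQLite database stands in for the site's MySQL
// server so the script runs offline; the table mirrors `galerie` from the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE galerie (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT NOT NULL,
    description TEXT NOT NULL
)');

/**
 * Insert one gallery row and return its new id (hypothetical helper).
 * The values are bound as parameters, so they never become part of the
 * SQL text and need neither surrounding quotes nor escaping.
 */
function addTitleDesc(PDO $pdo, string $title, string $desc): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO galerie (title, description) VALUES (:title, :description)'
    );
    $stmt->execute([':title' => $title, ':description' => $desc]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input: ordinary text containing quote characters,
// which would break a query built by string concatenation if left unescaped.
$samples = [
    ["L'été à Paris", 'Photo prise en juillet'],
    ['Untitled', "it's 5 o'clock, said \"the caption\""],
];

foreach ($samples as [$title, $desc]) {
    $id = addTitleDesc($pdo, $title, $desc);
    // The redirect target is built from the integer id only.
    echo '../admin/imageupload/imageupload.php?id=' . $id, PHP_EOL;
}

// Read the rows back: each value is stored exactly as it was submitted.
foreach ($pdo->query('SELECT id, title, description FROM galerie') as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['title'], $row['description']);
}
```

On the MySQL server from the question only the DSN passed to `new PDO(...)` changes; the prepared statement stays the same.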