-2

I have a query error. It says:

error in INSERT into 'slides' ('image_name') VALUES ('image/29-07-2014-1406653546.jpg') == ----> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''slides' ('image_name') VALUES ('image/29-07-2014-1406653546.jpg')' at line 1

How to solve? Here is my code:

<?php
include("config.php");
function GetImageExtension($imagetype)
{
    if(empty($imagetype)) return false;
    switch($imagetype)
    {
        case 'image/bmp': return '.bmp';
        case 'image/gif': return '.gif';
        case 'image/jpeg': return '.jpg';
        case 'image/png': return '.png';
        default: return false;
    }
}
if (!empty($_FILES["uploadedimage"]["name"])) {
    $file_name=$_FILES["uploadedimage"]["name"];
    $temp_name=$_FILES["uploadedimage"]["tmp_name"];
    $imgtype=$_FILES["uploadedimage"]["type"];
    $ext= GetImageExtension($imgtype);
    $imagename=date("d-m-Y")."-".time().$ext;
    $target_path = "image/".$imagename;
    if(move_uploaded_file($temp_name, $target_path)) {
        $query_upload="INSERT into 'slides' ('image_name') VALUES 
('$target_path')";
        mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
    }
    else{
        exit("Error While uploading image on the server");
    }
}
?>
Jay Blanchard
  • 1
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – esqew Jul 29 '14 at 17:15
  • 1
    Use backticks instead of single-quotes – Patrick Q Jul 29 '14 at 17:16

2 Answers

2

This is because you are using quotes around your table and column identifiers.

INSERT into 'slides' ('image_name')
            ^      ^  ^          ^

Remove the quotes or replace them with backticks.

Sidenote: Using backticks (`) ensures the query still works if you are (accidentally or unknowingly) using a MySQL reserved word, or a space or hyphen between words in column names, which is discouraged practice.

Although this isn't the case (no reserved word found in your code), it's a matter of preference/personal taste to use them.

So, just do:

INSERT into `slides` (`image_name`) ...

or

INSERT into slides (image_name) ...

both will work.


Footnotes:

Your present code is open to SQL injection.
Do use mysqli_* with prepared statements, or PDO with prepared statements.

Community
Funk Forty Niner
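
The prepared-statement approach recommended in the footnotes above, shown as an added example that is not part of the original answers. The function name `saveSlidePath` is hypothetical, the in-memory SQLite database is a stand-in so the script runs without a server, and the MySQL DSN in the comment uses placeholder values.

```php
<?php
// Added example: PDO prepared statement replacing the string-built INSERT.
// Assumption: table `slides` with column `image_name`, as in the question.

function saveSlidePath(PDO $pdo, string $path): int
{
    // Identifiers take backticks (or no quoting); the value is a bound
    // parameter, so it is never parsed as part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO `slides` (`image_name`) VALUES (:path)');
    $stmt->execute([':path' => $path]);
    return (int) $pdo->lastInsertId();
}

// Demo on an in-memory SQLite database so it runs without a server.
// SQLite also accepts backtick-quoted identifiers; for MySQL use a DSN such as
// 'mysql:host=localhost;dbname=example;charset=utf8mb4' (placeholder values).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `slides` (id INTEGER PRIMARY KEY, `image_name` TEXT NOT NULL)');

// Constructed sample values; the second contains a quote character on purpose.
$samples = [
    'image/29-07-2014-1406653546.jpg',
    "image/o'brien photo.jpg",
];
foreach ($samples as $path) {
    $id = saveSlidePath($pdo, $path);
    // Read the row back and confirm the value round-trips unchanged.
    $check = $pdo->prepare('SELECT `image_name` FROM `slides` WHERE id = ?');
    $check->execute([$id]);
    $stored = $check->fetchColumn();
    printf("row %d stored verbatim: %s\n", $id, var_export($stored === $path, true));
}
printf("rows in table: %d\n", $pdo->query('SELECT COUNT(*) FROM `slides`')->fetchColumn());
```

With `PDO::ERRMODE_EXCEPTION` set, a malformed statement raises a `PDOException` instead of requiring an `or die(...)` that echoes the query text back to the client.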
1

Try:

$query_upload="INSERT into `slides` (`image_name`) VALUES ('$target_path')";

This is because you want to use back-ticks (`) to escape column and table names, and single quotes for values.

Mark Watson