I'm hoping this will be a relatively simple one for someone in the know. I've tried as many options as I can think of but I must be missing something. I am attempting to create an insert statement in PHP using a file path which looks like this:

$filename = "images/stories/virtuemart/product/product05.jpg";

My insert statement looks like this:

$insert = 'INSERT INTO `jos_virtuemart_medias`(`virtuemart_vendor_id`, `file_title`, `file_description`, `file_mimetype`, `file_type`, `file_url`,`published`) VALUES (1,'basename($filename)','substr(basename($filename), 0, strrpos(basename($filename), '.'))', images/jpeg, Product, '$filename', 1)';

But it's giving me a server error. I have checked the logs and nothing is showing; I also have display errors set at the start of the code. I just can't seem to get the syntax correct.

Cody Gray - on strike
Dtorr1981
  • You can't just stop a string and run a PHP function or use a variable, you have to concatenate the items together with a `.` – WheatBeak Mar 14 '16 at 13:32
  • Actually, what problem are you facing? Is your insert query not working? – Swaminathan V Mar 14 '16 at 13:33
  • @WheatBeak can you give me an example? This is what is confusing me. Most of my experience is with VBA so the technique is different. – Dtorr1981 Mar 14 '16 at 13:34
  • @RaguSwaminathan I am trying to print_r the insert to check if the variables are correct, but I am facing an internal 500 error. – Dtorr1981 Mar 14 '16 at 13:35
  • Check the other person's answer below, however you will still have problems with this section: `substr(basename($filename), 0, strrpos(basename($filename), '.')) .` – WheatBeak Mar 14 '16 at 13:35
  • @Dtorr1981 - the `.` is to PHP what `&` is to VBA. – rdiz Mar 14 '16 at 13:35
  • @WheatBeak what is the issue with it? Could you explain? It returns the correct string as to my requirements. Is there a better way to do it? – Dtorr1981 Mar 14 '16 at 13:40
  • Actually the problem is with the whole VALUES section, you have to have single quotes around any inserted VALUES that are strings. Also, it would be much cleaner and easier to define your variables first and then pass them into the string directly as seen here: http://pastebin.com/wC3GqMLT – WheatBeak Mar 14 '16 at 13:46
  • Ok thank you, I can't check pastebin at the moment as it is blocked by the firewall for some reason but will have a look later today :) – Dtorr1981 Mar 14 '16 at 13:58

1 Answer

In PHP, you must join strings using a `.`, so your code would become:

$insert = "INSERT INTO `jos_virtuemart_medias`(`virtuemart_vendor_id`, `file_title`, `file_description`, `file_mimetype`, `file_type`, `file_url`,`published`) VALUES (1,'" . basename($filename) . "','" . substr(basename($filename), 0, strrpos(basename($filename), '.')) . "', 'images/jpeg', 'Product', '" . $filename . "', 1)";

Please note that the way you're doing this makes you very vulnerable to SQL injection attacks; you should use PDO instead to prepare a statement, which would reduce the chance of an attack.

Aaron Christiansen
  • Thank you, I just initially wanted to get the syntax correct. I am using the Joomla API so will now attempt to convert it to that format. Thank you for your explanations. :) – Dtorr1981 Mar 14 '16 at 13:39
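
The prepared-statement approach the answer recommends, as an added example that is not part of the original answer or of the Joomla/VirtueMart code base. It assumes an in-memory SQLite database reached through PDO so it runs offline; the table definition and the function name `insertMedia` are constructed here from the column names in the question.

```php
<?php
// Added example: parameterized version of the INSERT from the question.
// Assumption: in-memory SQLite stands in for the site's MySQL database
// so the script runs offline; only the DSN would differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table with the columns named in the question.
$pdo->exec('CREATE TABLE jos_virtuemart_medias (
    virtuemart_vendor_id INTEGER,
    file_title TEXT,
    file_description TEXT,
    file_mimetype TEXT,
    file_type TEXT,
    file_url TEXT,
    published INTEGER
)');

// Hypothetical helper: inserts one media row for the given file path.
function insertMedia(PDO $pdo, string $filename): void
{
    // pathinfo() yields the base name and the name without extension,
    // replacing the nested basename()/substr()/strrpos() calls.
    $title = pathinfo($filename, PATHINFO_BASENAME);
    $description = pathinfo($filename, PATHINFO_FILENAME);

    // Placeholders keep data out of the SQL text; the driver binds values.
    $stmt = $pdo->prepare(
        'INSERT INTO jos_virtuemart_medias
            (virtuemart_vendor_id, file_title, file_description,
             file_mimetype, file_type, file_url, published)
         VALUES (1, :title, :description, :mimetype, :type, :url, 1)'
    );
    $stmt->execute([
        ':title' => $title,
        ':description' => $description,
        ':mimetype' => 'images/jpeg', // value as written in the question
        ':type' => 'Product',
        ':url' => $filename,
    ]);
}

insertMedia($pdo, 'images/stories/virtuemart/product/product05.jpg');
// Constructed input: the quote in this name would break a concatenated query.
insertMedia($pdo, "images/stories/virtuemart/product/o'brien.jpg");

foreach ($pdo->query('SELECT file_title, file_description, file_url FROM jos_virtuemart_medias') as $row) {
    echo implode(' | ', [$row['file_title'], $row['file_description'], $row['file_url']]), PHP_EOL;
}
```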