
I want to give a unique name to each image in a folder and move them into another folder, and then update the table posts according to the new value.

$list = glob("../cardimg/*.jpg");
$x = 1;
foreach ($list as $item) {
  $id = uniqid();
  rename($item, "../carda/" . $id . ".jpg");
  // $id is concatenated into the SQL without quotes, so MySQL parses it as an identifier (column name)
  $st = $db->query("update posts set img = " . $id . " where id = " . $x);
  $x++;
}

Error: Unknown column '5ac7d19eb11d8'...

But I know there is no such column in my table; I want to update the img column.

id column is from 1 to 50.

Why am I getting this error?

qadenza
  • Strings need to be quoted. Use prepared statements and parameterize the query. – chris85 Apr 06 '18 at 20:12
  • @chris85, `id` column is from `1` to `50` and variable `$id` is unique new name – qadenza Apr 06 '18 at 20:14
  • @chris85, there is no input in my code – qadenza Apr 06 '18 at 20:17
  • Please read what I am saying. "**needs to be quoted because it is a string**" You could manually quote it, or if you were always parameterizing you'd never run into the issue. – chris85 Apr 06 '18 at 20:18
  • @chris85, it's ok now, quotation was the problem, thanks a lot, solved, but it's not a duplicate question – qadenza Apr 06 '18 at 20:19
  • It is a duplicate. The underlying issue is what causes a SQL injection. If you weren't injectable you wouldn't have had the error. I guess it could be argued that a better dup is https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-back-ticks-in-mysql – chris85 Apr 06 '18 at 20:22
  • @chris85, that's not a criterion for a duplicate. This way you can mark any question as a duplicate of some other one. My problem and my question are not about injection at all. So far there is no input in my code. – qadenza Apr 06 '18 at 20:25
  • You're not putting the data in your query properly. It 100% is an injection problem. Do it the right way with **placeholder values** and the problem goes away. – tadman Apr 06 '18 at 20:26
  • @tadman, placeholders with wrong quotation will also produce the problem. So in my case the problem is quotation and not placeholding. – qadenza Apr 06 '18 at 20:28
  • Understand, please, that placeholders **do not require quotation**, they are impossible to get wrong if used correctly. If you do it like this by smashing together a SQL string out of components you *will* have injection problems. – tadman Apr 06 '18 at 20:31
  • @tadman, no - I don't want to use any placeholders, I want to execute my code without any input, without any placeholders and that is clear from my code. The problem with my code is quotation and not anything else. – qadenza Apr 06 '18 at 20:34
  • I'll repeat it again because it's extremely important you understand this: **USE PLACEHOLDER VALUES**. Do not, I repeat, **do not** use string interpolation. This is not a quotation problem, this is an escaping problem, and escaping problems are a whole class of problems you can avoid with placeholder values. This doesn't have to be hard. You don't have to fight this. You can do it properly and be completely assured you don't have any injection problems. Or you can insist on being stubborn and create huge liabilities in your application that can and will blow up in a huge way. – tadman Apr 06 '18 at 21:31
  • @tadman, your words are good as a free lesson and that's ok. But your recommendations are not an answer to my specific problem with specific code. And especially there is no reason to mark a question as a duplicate just because of some recommendations. – qadenza Apr 06 '18 at 21:45
  • Recommendations, no, but because you're doing it wrong and this is a problem endemic to PHP, yes. Your specific code is *wrong* because you don't escape things properly and the easiest way to escape things properly is placeholder values. – tadman Apr 07 '18 at 22:28

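Added example (not the asker's code and not from any answer on this page): the same rename-and-update loop written with a PDO prepared statement and named placeholders, which is the fix the comments describe. The value of $id travels to the driver separately from the SQL text, so it is never parsed as an identifier and no manual quoting is needed. Assumptions: $db is a PDO connection (the question never shows how it is created), and to run offline the example builds a temporary source and target folder with constructed placeholder files and an in-memory SQLite posts table with ids 1..3; with a MySQL DSN the prepare/execute lines are unchanged.

```php
<?php
// Added example, not the asker's code. Assumes $db is a PDO handle; the
// folders, files and rows below are constructed fixtures so this runs offline.
declare(strict_types=1);

// --- constructed fixture: throwaway source/target folders with three .jpg files ---
$base = sys_get_temp_dir() . '/cardimg_' . bin2hex(random_bytes(4));
$src  = $base . '/cardimg';
$dst  = $base . '/carda';
mkdir($src, 0700, true);
mkdir($dst, 0700, true);
foreach (['one', 'two', 'three'] as $name) {
    file_put_contents("$src/$name.jpg", 'constructed placeholder, not a real image');
}

// --- constructed fixture: posts table with id 1..3 (swap the DSN for mysql: in real use) ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, img TEXT)');
for ($i = 1; $i <= 3; $i++) {
    $db->exec("INSERT INTO posts (id) VALUES ($i)"); // constant loop index, no external data
}

// Prepare once, with named placeholders. The driver sends :img and :id as values,
// not as SQL text, so a hex string such as 5ac7d19eb11d8 can never be read as a
// column name (which is what the unquoted concatenation in the question produced)
// and nothing has to be quoted or escaped by hand.
$update = $db->prepare('UPDATE posts SET img = :img WHERE id = :id');

$list = glob("$src/*.jpg");
sort($list);                       // glob order is filesystem-dependent; make it stable
$x = 1;
foreach ($list as $item) {
    $id     = uniqid();            // same new-name scheme as the original loop
    $target = "$dst/$id.jpg";
    if (!rename($item, $target)) {
        throw new RuntimeException("rename failed for $item");
    }
    $update->execute([':img' => $id, ':id' => $x]);
    if ($update->rowCount() !== 1) {
        throw new RuntimeException("no post with id $x to update");
    }
    $x++;
}

// Verify: every post now references a file that actually exists in the target folder.
foreach ($db->query('SELECT id, img FROM posts ORDER BY id') as $row) {
    if (!is_file("$dst/{$row['img']}.jpg")) {
        throw new RuntimeException("post {$row['id']} points at a missing file");
    }
    printf("post %d -> %s.jpg\n", $row['id'], $row['img']);
}
```

The rowCount() check covers the other silent failure in the original loop: if a post id in the 1..50 range is missing, the UPDATE matches nothing and the renamed file would be orphaned, so the loop stops instead of continuing with mismatched names.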