
The code below uploads images to my sql database called upload_image.

if (isset($_POST['submit'])) {
    $target_path = "images/";
    $target_path = $target_path . basename($_FILES['file']['name']);
    if (move_uploaded_file($_FILES['file']['tmp_name'], $target_path)) {
        $conn = new mysqli("localhost", "root", "", "upload_image");
        $sql = "Insert into upload_image('path') values('$target_path')";
        if ($conn->query($sql) == TRUE) {
            echo "<br><br>";
        } else {
            echo "Error on upload" . $sql . $conn->error;
        }
    }
}

The error being displayed is

Error on uploadInsert into upload_image('path') values('images/ao.png')

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''path') values('images/ao.png')' at line 1

Here is the HTML part:

<form method="post" enctype="multipart/form-data">
    <input type="hidden" value="1000000" name="MAX_FILE_SIZE"/>
    <input type="file" name="file"/>
    <input type="submit" name="submit" value="Upload"/>
</form>

The HTML and PHP are all in one code.

  • `'path'` is a string, not a column. Remove the quotes; those are for strings. Use backticks if using special characters or reserved terms. You are also open to SQL injection; parameterize the query. – user3783243 Jun 06 '18 at 20:59
  • It worked, once again thank you –  Jun 06 '18 at 21:01
  • Possible duplicate: [How can I fix MySQL error #1064 "synthax error"](https://stackoverflow.com/questions/23515347/how-can-i-fix-mysql-error-1064?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa) – Julian David Jun 06 '18 at 21:02
  • Possible duplicate of [When to use single quotes, double quotes, and back ticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-back-ticks-in-mysql) – user3783243 Jun 06 '18 at 21:06
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Jun 06 '18 at 23:33
  • Do try and get out of the habit of cluttering up your code with needless things like `== true` and `== false`. Many functions are designed to return values that evaluate as true so that literal comparison is redundant, and sometimes problematic due to slight mis-matches in type. – tadman Jun 06 '18 at 23:47

2 Answers


The line:

$sql = "Insert into upload_image('path') values('$target_path')";

Should be:

$sql = "Insert into upload_image(path) values('$target_path')";

In other words there should be no quotes around the column name in your query.

For readability, you can use uppercase keywords:

$sql = "INSERT INTO upload_image (path) VALUES ('$target_path')";

For security, you can use a prepared statement:

The code is vulnerable to SQL Injection so a better approach would be to use a prepared statement i.e.

$sql = "INSERT INTO upload_image (path) VALUES (?)";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $target_path); // mysqli_stmt has bind_param(), not bind()
$stmt->execute();
  • `$target_path` being in the query is also a huge problem. – tadman Jun 06 '18 at 23:33
  • @tadman In this particular case why would the $target_path in the query be an issue? It will be processed (single quotes will not prevent processing of the variable in this case) and it would be replaced with the actual value. – Prins Jun 06 '18 at 23:45
  • Do you know what's in that string? I don't. It could be anything, and it could be [hostile](http://bobby-tables.com/). – tadman Jun 06 '18 at 23:46
  • @tadman Okay, I see your point. My answer simply addresses the question in that it points out the syntax error but of course the code can be improved by rewriting it e.g. as a prepared statement to protect against sql injection. – Prins Jun 06 '18 at 23:59
  • @tadman I have edited the answer to include a prepared statement based on your suggestion. – Prins Jun 07 '18 at 00:08
  • Vastly improved! – tadman Jun 07 '18 at 17:20
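The prepared-statement fix from the answer above, carried through the whole upload handler as an added example (not the asker's or the answerer's code). It assumes the same `upload_image` table with a `path` column and the same form field `file`; the credentials are placeholders, and the random stored filename and extension allow-list are additions so that no user-controlled text reaches the path or the query.

```php
<?php
// Added example: upload handler built around a prepared statement.
// Assumes table `upload_image` (column `path`) and form field `file`.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function store_upload(mysqli $conn, array $file, string $dir = 'images/'): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    // Only the extension comes from the client; the stored name is random.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        throw new RuntimeException('Unsupported file type');
    }
    $target_path = $dir . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target_path)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    // Column name unquoted; the value is bound, never interpolated.
    $stmt = $conn->prepare('INSERT INTO upload_image (path) VALUES (?)');
    $stmt->bind_param('s', $target_path);
    $stmt->execute();
    $stmt->close();
    return $target_path;
}

if (isset($_POST['submit']) && isset($_FILES['file'])) {
    // Placeholder credentials; replace with a dedicated, least-privilege account.
    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'upload_image');
    try {
        $saved = store_upload($conn, $_FILES['file']);
        echo 'Stored ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
    } catch (Throwable $e) {
        error_log($e->getMessage()); // details go to the log, not the browser
        echo 'Upload failed';
    }
}
```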

The correct syntax would be

INSERT INTO upload_image (path) VALUES ('$target_path')

The field name goes without quotes.
