I am kind of new to MySQL and PHP. A week ago this code worked perfectly, but now when I try it, it shows this error message:

Error : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's product portfolio has diversified to encompass a highly successful multi-brand' at line 1

I searched for how to solve this and spent a whole day on it, but couldn't figure it out. I have tried similar questions here on Stack Overflow, yet I am stuck here. Any help would be really appreciated. Given below is my code:

<?php
    if(isset($_POST['upload']))
    {
        $company_name =$_POST['company_name'];
        $service =$_POST['service'];
        $email =$_POST['email'];
        $password =$_POST['password'];
        $details =$_POST['details'];

        $fileName = $_FILES['Filename']['name'];
        $fileName1 = $_FILES['Filename1']['name'];
        $fileName2 = $_FILES['Filename2']['name'];
        $fileName3 = $_FILES['Filename3']['name'];
        $fileName4 = $_FILES['Filename4']['name'];


        $target = "company_images/";                
        $fileTarget = $target.$fileName;    
        $fileTarget1 = $target.$fileName1;  
        $fileTarget2 = $target.$fileName2;  
        $fileTarget3 = $target.$fileName3;
        $fileTarget4 = $target.$fileName4;  
        $tempFileName = $_FILES["Filename"]["tmp_name"];
        $tempFileName1 = $_FILES["Filename1"]["tmp_name"];
        $tempFileName2 = $_FILES["Filename2"]["tmp_name"];
        $tempFileName3 = $_FILES["Filename3"]["tmp_name"];
        $tempFileName4 = $_FILES["Filename4"]["tmp_name"];
        $result = move_uploaded_file($tempFileName,$fileTarget);
        $result1 = move_uploaded_file($tempFileName1,$fileTarget1);
        $result2 = move_uploaded_file($tempFileName2,$fileTarget2);
        $result3 = move_uploaded_file($tempFileName3,$fileTarget3);
        $result4 = move_uploaded_file($tempFileName4,$fileTarget4);


        $file = rand(1000,100000)."-".$_FILES['file']['name'];
        $file_loc = $_FILES['file']['tmp_name'];
        $file_size = $_FILES['file']['size'];
        $file_type = $_FILES['file']['type'];
        $folder="pdf_uploads/";

        // new file size in KB
        $new_size = $file_size/1024;  
        // new file size in KB

        // make file name in lower case
        $new_file_name = strtolower($file);
        // make file name in lower case

        $final_file=str_replace(' ','-',$new_file_name);//anthima
        if(move_uploaded_file($file_loc,$folder.$final_file))
        {

            $query = "INSERT INTO company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4) VALUES ('$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4')";
            $con->query($query) or die("Error : ".mysqli_error($con));          


            mysqli_close($con);
}

}   
?>

Given below is the error for the test data:

VALUES ('singer','Hardware','singer@gmail.com','singer','Singer has been in Sr' at line 1  
sadee
  • Include the test data you are trying to insert – Alfabravo Aug 15 '18 at 06:01
  • See? You're including the part of data in the error message instead of whatever you sent through the form (received in the `$_POST`) – Alfabravo Aug 15 '18 at 06:07
  • @Alfabravo Thank you very much. I understood where the error was. Can you explain to me how to save data with an unescaped apostrophe, please? – sadee Aug 15 '18 at 06:12
  • You have misplaced a `,` at the end of the column names – Sinto Aug 15 '18 at 06:14
  • @Sinto I removed that, but the error message is still there. This error has occurred due to the 's value in the submitted data. Now I want to solve that – sadee Aug 15 '18 at 06:20
  • @Sinto he was lucky the previous error never let him reach that misplaced comma :) – Alfabravo Aug 15 '18 at 06:21

1 Answer

Because you never sanitize anything and put the data straight into your query,

    $company_name =$_POST['company_name'];
    $service =$_POST['service'];
    $email =$_POST['email'];
    $password =$_POST['password'];
    $details =$_POST['details'];

...

    $query = "INSERT INTO
    company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4) 
    VALUES (
    '$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4'
    )";

your problem is most likely in the data

    's product portfolio has diversified to encompass a highly successful multi-brand

Maybe you have unescaped apostrophes in your data, so you're kinda SQL-injecting yourself. The query ends before the string shown in the error.

The solution is to escape special chars before inserting like in this question: How do I escape only single quotes?

In your case, start with the details

    $details = addcslashes($_POST['details'], "'");

or

    $details = addslashes($_POST['details']);

But keep adding test scenarios for your code. E.g. what happens if company name gets something like Mc'Donaldson? What is the set of chars you want to accept for each field? Then you will know how to validate those fields and create your functions (or reuse something)

Alfabravo
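
The same INSERT with bound parameters instead of string interpolation, as an added example that is not part of the original answer: the values are sent separately from the SQL text, so the apostrophe in the test data is stored as-is and cannot end the string literal. The helper name `insert_company`, the sample row and the connection settings are assumptions; the table and column names come from the question.

```php
<?php
// Added example, not the original poster's code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Column list copied from the question's INSERT statement.
const COMPANY_COLUMNS = [
    'company_name', 'service', 'email', 'password', 'details',
    'image_path', 'file_name', 'image_path1', 'file_name1',
    'image_path2', 'file_name2', 'image_path3', 'file_name3',
    'file', 'type', 'size', 'image_path4', 'file_name4',
];

// Hypothetical helper: inserts one row with every value bound as a parameter,
// so an apostrophe in the data can never terminate a string in the SQL text.
function insert_company(mysqli $con, array $row): int
{
    $values = [];
    foreach (COMPANY_COLUMNS as $col) {
        if (!array_key_exists($col, $row)) {
            throw new InvalidArgumentException("missing field: $col");
        }
        $values[] = (string) $row[$col];
    }
    $sql = sprintf(
        'INSERT INTO company_details (%s) VALUES (%s)',
        implode(', ', COMPANY_COLUMNS),
        implode(', ', array_fill(0, count($values), '?'))
    );
    $stmt = $con->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $inserted = (int) $stmt->affected_rows;
    $stmt->close();
    return $inserted;
}

// Constructed sample row; 'details' holds the kind of apostrophe that broke the query.
$row = array_fill_keys(COMPANY_COLUMNS, '');
$row['company_name'] = "Mc'Donaldson";
$row['details'] = "Singer's product portfolio has diversified";
$row['size'] = 12.5;

// Placeholder connection settings (assumptions, replace with your own).
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
echo insert_company($con, $row), " row inserted\n";
$con->close();
```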