CODEWITHSUNDEEP
phpmysqlforms
Hello World
Hello World

Reputation: 63

unexpected error message in php form (SQL syntax error)

I have made a simple php cms form with database but it does not work properly when I want to submit the form with some dummy data! I don't know why it happens & also I added the mysqli_error() to get the type of error that I'm facing with but I only got this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '','','')' at line 2

<?php 
if (isset($_POST['submit'])){
    $post_title = $_POST['title'];
    $post_date = date('d-m-y');
    $post_author = $_POST['author'];
    $post_keywords = $_POST['keywords'];
    $post_content = $_POST['content'];
    $post_image = $_FILES['image']['name'];
    $image_tmp = $_FILES['image']['tmp_name'];

    if ($post_title=='' or $post_keywords='' or $post_content='' or $post_author=''){
        echo '<script>alert("Some fields are missing")</script>';
    }else{
        move_uploaded_file($image_tmp,"post_images/$post_image");
        $insert_query = "INSERT INTO posts 
        (post_title,post_date,post_author,post_image,post_keywords,post_content) VALUES ('$post_title','$post_date','$post_author',$post_image','$post_keywords','$post_content')";
        $insert_post = mysqli_query($con,$insert_query);
        if ($insert_post){
            echo '<h3 style="color:green">Post has been added successfully.</h3>';
        }else{
            echo mysqli_error($con);
        }
    }
}
?>
<form method="POST" action="" enctype="multipart/form-data">
    <table width="600" align="center" border="10">
        <tr>
            <td align="center"><h6>Insert Post Title</h6></td>
            <td align="center"><input type="text" name="title"/></td></br>
        </tr>
        <tr>
            <td align="center"><h6>Insert Post Author</h6></td>
            <td align="center"><input type="text" name="author"/></td></br>
        </tr>
        <tr>
            <td align="center"><h6>Insert Post Keywords</h6></td>
            <td align="center"><input type="text" name="keywords"/></td></br>
        </tr>
        <tr>
            <td align="center"><h6>Insert Post Image</h6></td>
            <td align="center"><input type="file" name="image"/></td></br>
        </tr>
        <tr>
            <td align="center"><h6>Insert Post Content</h6></td>
            <td align="center"><textarea name="content" cols="10" rows="10"></textarea></td></br>
        </tr>
        <tr>
            <td align="center"><input type="submit" name="submit" value="Submit"/></td>
        </tr>
    </table>
</form>

It would be very helpful to me if you share your solution for this problem... thanks!

Upvotes: 1

Views: 70

Answers (3)

trincot
trincot

Reputation: 350300

You are missing a quote just before $post_image:

,$post_image'

Should be:

,'$post_image'

So the complete SQL statement becomes then:

$insert_query = "INSERT INTO posts 
    (post_title, post_date, post_author, post_image, post_keywords, post_content)
    VALUES ('$post_title', '$post_date', '$post_author', '$post_image', 
            '$post_keywords', '$post_content')";

Please note that you are doing assignments in this if:

if ($post_title=='' or $post_keywords='' or $post_content='' or $post_author=''){

You should be using double == instead of =.

Finally, your code is vulnerable to SQL injection. So please use prepared statements with parameters.

Upvotes: 1

Abdulla Nilam
Abdulla Nilam

Reputation: 38609

Changes

  1. Use empty for check empty variable
  2. Use || instead of or
  3. Check validation for what you are doing. (move_uploaded_file)
  4. Be careful with quotes ($post_image') - This is the bug in your code
  5. Enhance mysqli_error (if (!$insert_post){)

Code

<?php 
    if (isset($_POST['submit']))
    {
        $post_title = $_POST['title'];
        $post_date = date('d-m-y');
        $post_author = $_POST['author'];
        $post_keywords = $_POST['keywords'];
        $post_content = $_POST['content'];
        $post_image = $_FILES['image']['name'];
        $image_tmp = $_FILES['image']['tmp_name'];

        if (empty($post_title) || empty($post_keywords) || empty($post_content) || empty($post_author))
        {
            echo '<script>alert("Some fields are missing")</script>';
        }
        else
        {
            if (!move_uploaded_file($image_tmp,"post_images/$post_image")) {
                echo "Move Failed";
            }
            else
            {
                $insert_query = "INSERT INTO posts (post_title,post_date,post_author,post_image,post_keywords,post_content) VALUES ('$post_title','$post_date','$post_author','$post_image','$post_keywords','$post_content')";
                $insert_post = mysqli_query($con,$insert_query);

                if (!$insert_post){
                    echo mysqli_error($con);
                }
                else
                {
                    echo '<h3 style="color:green">Post has been added successfully.</h3>';
                }
            }

        }
    }
?>

Upvotes: 0

synan54
synan54

Reputation: 658

writing if statement in this way is better 

// this not always works
if ($post_title=='' or $post_keywords='' or $post_content='' or $post_author=''){
        echo '<script>alert("Some fields are missing")</script>';
    }

// yeah much better 
 if (empty($post_title) || empty($post_keywords) || empty($post_content) || empty($post_author)){
            echo '<script>alert("Some fields are missing")</script>';
        }

and sql mistake most probably because of here

'$post_keywords','$post_content')";

$post_keywords and $post_content is null or empty

Upvotes: 0

Related Questions