Reputation: 115
I am working on a control panel (admin pages) for a website. All the pages have the same code with little changes in the database table name and columns. All of them work fine, but one page doesn't work.
This is its code....
<?php
include('connect.php');
// read the input data
$KTitle = $_POST['Title'];
$Kcontent = $_POST['content'];
$ImgName = $_FILES["file"]["name"];
//get img extension
$ImgExtension = substr($ImgName, (strlen($ImgName) - 4), strlen($ImgName));
//check if it is GIF, PNG, or JPG
if ($ImgExtension == ".gif" || $ImgExtension == ".jpg" || $ImgExtension == ".png")
{ //get the image name to rename it, then re-add the extension
$ImgName = substr($ImgName, 0, (strlen($ImgName) - 4));
$storyImgName = $ImgName . "_" . $Title;
$target = "../CharacterImgs/" . $storyImgName . $ImgExtension;
$target = str_replace(" ", "_", $target);
move_uploaded_file($_FILES['file']['tmp_name'], $target);
mysql_query("INSERT INTO CharactersN (name,desc,img) VALUES ('$KTitle', '$Kcontent','$target')");
echo "<meta http-equiv=\"refresh\" content=\"3;URL=AddCharacterForm.php\">";
}
?>
Upvotes: 4
Views: 227
Reputation: 78671
You have a problem here:
INSERT INTO CharactersN (name,desc,img)
desc is a reserved word, so you must use the ` notation there, which is like this:
INSERT INTO CharactersN (`name`,`desc`,`img`)
It is a good practice to use this notation for field names every time (or never use reserved words for field names in your database design).
Also, please read about SQL Injection, because your code shows you are not aware of it. You are inserting values into your query which are coming from outside (POST in this case).
VALUES ('$KTitle', '$Kcontent','$target')")
You should escape these values first with mysql_real_escape_string(), or even better, use PDO for your database interaction.
[Image from xkcd]
Upvotes: 1
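The PDO route recommended in the answer above, as an added example (not code from the question or from either answer): the column names are backtick-quoted and the POST-derived values are bound as parameters instead of being interpolated into the SQL string. Assumptions: an in-memory SQLite database (requires the pdo_sqlite extension) stands in for the site's MySQL database, the helper names openDatabase and insertCharacter are hypothetical, and the input values are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite replaces MySQL so the example runs offline.
// SQLite accepts MySQL-style backtick quoting; for MySQL only the DSN changes,
// e.g. 'mysql:host=HOST;dbname=DBNAME;charset=utf8mb4' plus credentials.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise an exception on any SQL error instead of failing silently,
    // which is what hid the failing INSERT in the question's page.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE CharactersN (
        id INTEGER PRIMARY KEY, `name` TEXT, `desc` TEXT, `img` TEXT)');
    return $pdo;
}

// Hypothetical helper: inserts one character row with bound parameters.
function insertCharacter(PDO $pdo, string $name, string $desc, string $img): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO CharactersN (`name`, `desc`, `img`)
         VALUES (:name, :description, :img)'
    );
    // Values travel separately from the SQL text, so quotes inside them
    // cannot terminate the string literal or change the statement.
    $stmt->execute([':name' => $name, ':description' => $desc, ':img' => $img]);
    return (int) $pdo->lastInsertId();
}

$pdo = openDatabase();

// Constructed sample input containing apostrophes, as $_POST values might.
$title   = "D'Artagnan";
$content = "Motto: 'all for one', one for all";
$id = insertCharacter($pdo, $title, $content, '../CharacterImgs/dartagnan.png');

// Read the row back, again with a bound parameter.
$select = $pdo->prepare('SELECT `name`, `desc` FROM CharactersN WHERE id = :id');
$select->execute([':id' => $id]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored values match the input byte for byte.
echo json_encode($row), PHP_EOL;
echo ($row['name'] === $title && $row['desc'] === $content)
    ? "stored unchanged\n" : "mismatch\n";
```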
Reputation: 838096
If you use desc as a column name in MySQL, you must surround it in backticks because it is a reserved word.
"INSERT INTO CharactersN (name, `desc`, img) ..."
Upvotes: 4