Member Avatar for 1baxter1

Hi Ive just came across this syntax error and have no idea on how to go about fixing it hope someone can help? Im using Php myadmin # Server version: 5.0.45 # Protocol version: 10

Here is the error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES('test my a', 'img/photo/tab_bg.gif', 'img/thumb/tab_bg.gif', '')' at line 1"

<?php

require 'config.php';
require 'functions.php';
require 'common.php';


if(isset($_FILES['fupload'])) {

    $filename = addslashes($_FILES['fupload']['name']);
    $source = $_FILES['fupload']['tmp_name'];    
    $target = $path_to_image_directory . $filename;
    $description = $_POST['description']; 
	$category = addslashes($_POST['category']); 
    $source = $path_to_image_directory . $filename;
    $thumb = $path_to_thumbs_directory  . $filename;    
    
    
    // Validates the form input
    
    if(strlen($_POST['description']) < 4) 
    $error['description'] = '<p class="alert">Please enter a description for your photo. </p>';
	
    
    if($filename == '' || !preg_match('/[.](jpg)|(gif)|(png)|(jpeg)$/', $filename)) 
    $error['no_file'] = '<p class="alert">Please select an image, dummy! </p>';
    
    if(!$error) {
        move_uploaded_file($source, $target);    
        
        $q = "INSERT INTO photo (description, source, thumb, category,) VALUES('$description', '$source', '$thumb', '$category')";
        $result = $mysqli->query($q) or die(mysqli_error($mysqli));
        
        if($result) {
            echo "Success! Your file has been uploaded";
        }
        
        createThumbnail($filename);
        
    }  // end preg_match
}     

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>

<head>
	<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
	<link rel="stylesheet" href="css/default.css" />
	<title>My Photos</title>
</head>

<body>
    <h1>My Photos</h1>
    <ul><?php getPhotos(); ?></ul>

    <h1>Upload a Photo</h1>
    <form enctype="multipart/form-data" method="post" action="admin.php">
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
	    <p><input type="file" name="fupload" /></p>
	    
	    <p><label for="description">Enter a Description: </label>
	    <textarea rows="6" cols="50" id="description" name="description"></textarea></p>
        
        Please choose a category:
            <select name="select">
      <option>Sports</option>
      <option>London</option>
      <option>Macro</option>
      <option>Landscapes</option>
      <option>Local</option>
    </select>
	    
	    <p><input type="submit" value="Upload Photo" name="submit" /></p>
    </form>
  • 2 Contributors
  • 3 Replies
  • 118 Views
  • 10 Hours Discussion Span
  • Latest Post Latest Post by claritydigital
Member Avatar for claritydigital

Hi there,
You need to addslashes() to $_POST. SQL will not accept special chars without them first being escaped.

Code updated:

<?php

require 'config.php';
require 'functions.php';
require 'common.php';


if(isset($_FILES['fupload'])) {

    $filename = addslashes($_FILES['fupload']['name']);
    $source = $_FILES['fupload']['tmp_name'];    
    $target = $path_to_image_directory . $filename;
    $description = addslashes($_POST['description']); 
	$category = addslashes($_POST['category']); 
    $source = $path_to_image_directory . $filename;
    $thumb = $path_to_thumbs_directory  . $filename;    
    
    
    // Validates the form input
    
    if(strlen($_POST['description']) < 4) 
    $error['description'] = '<p class="alert">Please enter a description for your photo. </p>';
	
    
    if($filename == '' || !preg_match('/[.](jpg)|(gif)|(png)|(jpeg)$/', $filename)) 
    $error['no_file'] = '<p class="alert">Please select an image, dummy! </p>';
    
    if(!$error) {
        move_uploaded_file($source, $target);    
        
        $q = "INSERT INTO photo (description, source, thumb, category,) VALUES('$description', '$source', '$thumb', '$category')";
        $result = $mysqli->query($q) or die(mysqli_error($mysqli));
        
        if($result) {
            echo "Success! Your file has been uploaded";
        }
        
        createThumbnail($filename);
        
    }  // end preg_match
}     

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>

<head>
	<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
	<link rel="stylesheet" href="css/default.css" />
	<title>My Photos</title>
</head>

<body>
    <h1>My Photos</h1>
    <ul><?php getPhotos(); ?></ul>

    <h1>Upload a Photo</h1>
    <form enctype="multipart/form-data" method="post" action="admin.php">
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
	    <p><input type="file" name="fupload" /></p>
	    
	    <p><label for="description">Enter a Description: </label>
	    <textarea rows="6" cols="50" id="description" name="description"></textarea></p>
        
        Please choose a category:
            <select name="select">
      <option>Sports</option>
      <option>London</option>
      <option>Macro</option>
      <option>Landscapes</option>
      <option>Local</option>
    </select>
	    
	    <p><input type="submit" value="Upload Photo" name="submit" /></p>
    </form>
Member Avatar for 1baxter1

Thank you!, i also had a extra comma after $category which i just noticed on your post lol. thanks again

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.