I am working on a control panel (admin pages) for a website. All the pages have the same code with little changes in the database table name and columns. All of them work fine, but one page doesn’t work.
This is its code….
<?php
include('connect.php');
// read the input data
$KTitle = $_POST['Title'];
$Kcontent = $_POST['content'];
$ImgName = $_FILES["file"]["name"];
//get img extension
$ImgExtension = substr($ImgName, (strlen($ImgName) - 4), strlen($ImgName));
//check if it Gif, Bng, Jpg
if ($ImgExtension == ".gif" || $ImgExtension == ".jpg" || $ImgExtension == ".png")
{ //get img name to rename it then readd the extinsion
$ImgName = substr($ImgName, 0, (strlen($ImgName) - 4));
$storyImgName = $ImgName . "_" . $Title;
$target = "../CharacterImgs/" . $storyImgName . $ImgExtension;
$target = str_replace(" ", "_", $target);
move_uploaded_file($_FILES['file']['tmp_name'], $target);
mysql_query("INSERT INTO CharactersN (name,desc,img) VALUES ('$KTitle', '$Kcontent','$target')");
echo "<meta http-equiv=\"refresh\" content=\"3;URL=AddCharacterForm.php\">";
}
?>
You have a problem here:
descis a reserved word, so you must use the ` notation there, which is like this:It is a good practice to use this notation for field names every time (or never use reserved words for field names in your database design).
Also, please read about SQL Injection, because your code shows you are not aware of it. You are inserting values into your query which are coming from outside (POST in this case).
You should escape these values first with
mysql_real_escape_string(), or even better, use PDO for your database interaction.from xkcd