I’m trying to upload a form with an image using PHP to MySQL. However, I keep getting this error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/content/03/6455003/html/leakfaucet/submitAlbumForm.php on line 17
I’ve been staring at this one for quite a while now and just can’t figure out what the issue is, any help would be greatly appreciated!
Form-
<?php include "base.php"; ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Submit an Album</title>
</head>
<body>
<table>
<tr>
<td align="center">Submit an Album</td>
</tr>
<tr>
<td>
<table>
<form enctype="multipart/form-data" action="submitAlbumForm.php" method="post">
<tr>
<td>Artist Name</td>
<td><input type="text" name="artistName" size="20">
</td>
</tr>
<tr>
<td>Album Name</td>
<td><input type="text" name="albumName" size="20">
</td>
</tr>
<tr>
<td>Release Date</td>
<td><input type="text" name="releaseDate" size="20">
</td>
</tr>
<tr>
<td>Leak Date</td>
<td><input type="text" name="leakDate" size="20">
</td>
</tr>
<tr>
<td>Where It Leaked</td>
<td><input type="text" name="whereItLeaked" size="20">
</td>
</tr>
<tr>
<td>Album Cover</td>
<td><input type="file" name="albumCover">
</td>
</tr>
<tr>
<td></td>
<td align="right"><input type="submit" name="submit" value="Add"></td>
</tr>
</form>
</table>
</td>
</tr>
</table>
</body>
</html>
Upload script
<?php
include "base.php";
//Setting up images directory
$target = "images/";
$target = $target . basename($_FILES['albumCover']['name']); // key must match the form's file input name
$albumCover = $_FILES['albumCover']['name'];
//inserting data order
$order = "INSERT INTO albums
(artistName, albumName, releaseDate, leakDate, whereItLeaked, albumCover)
VALUES
('$_POST[artistName]',
'$_POST[albumName]',
'$_POST[releaseDate]',
'$_POST[leakDate]',
'$_POST[whereItLeaked]',
'($_FILES['albumCover']['name'])')"; /*this is the line where the error keeps occurring. I've tried a number of variations and still can't seem to get it right*/
if(move_uploaded_file($_FILES['albumCover']['tmp_name'], $target))
{
//Tells you if its all ok
echo "The file " . basename($_FILES['albumCover']['name']) . " has been uploaded, and your information has been added to the directory";
}
else {
//Gives an error if its not
echo "Sorry, there was a problem uploading your file.";
}
//declare in the order variable
$result = mysql_query($order); //order executes
if($result){
echo("<br>Thank you for submitting!");
} else{
echo("<br>Sorry, something went wrong! Please try again!");
}
?>
My base.php file with connect info
<?php
session_start();
$dbhost = "";
$dbname = "";
$dbuser = "";
$dbpass = "";
mysql_connect($dbhost, $dbuser, $dbpass) or die("MySQL Error: " . mysql_error());
mysql_select_db($dbname) or die("MySQL Error: " . mysql_error());
?>
You cannot use quoted array keys in PHP double-quoted strings. It throws warnings. Plus, you cannot use multi-dimensional arrays as you are within double-quoted strings. PHP’s parser is not “greedy” and will only see a single level of array, e.g.
will issue a warning about the quoted keys, and the output would actually be:
because the second level of array is not seen by PHP.
You need to use the {} notation:
which both allows quoted array keys, and forces PHP to consider the ENTIRE array reference, not just the first level.
Beyond that, your code is gaping wide open for SQL injection attacks, and you should read up and learn how to avoid those before you put this code on a public facing web-site, otherwise enjoy having your server pwn3d.
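As an added example (not part of the original question or answer), here is one way to write the upload script so that the SQL injection the answer warns about cannot occur, with the {} syntax shown where interpolation is still used. It assumes PDO with the pdo_mysql driver, placeholder connection values, a writable images/ directory and an allow-list of three image types; saveAlbum() is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumptions: PDO with pdo_mysql, placeholder
// DSN/credentials, a writable images/ directory; saveAlbum() is a hypothetical helper.
function saveAlbum(PDO $pdo, array $post, array $file, string $dir = 'images/'): string
{
    // Curly braces let a quoted array key be interpolated inside a double-quoted string.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with code {$file['error']}");
    }
    // Decide the type from the file's content, not from the client-supplied name.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('Album cover must be a JPEG, PNG or GIF image');
    }
    // Server-generated name: the user's filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO albums
           (artistName, albumName, releaseDate, leakDate, whereItLeaked, albumCover)
         VALUES (:artist, :album, :released, :leaked, :source, :cover)'
    );
    $stmt->execute([
        ':artist'   => (string) ($post['artistName'] ?? ''),
        ':album'    => (string) ($post['albumName'] ?? ''),
        ':released' => (string) ($post['releaseDate'] ?? ''),
        ':leaked'   => (string) ($post['leakDate'] ?? ''),
        ':source'   => (string) ($post['whereItLeaked'] ?? ''),
        ':cover'    => $name,
    ]);
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['albumCover'])) {
    // DB_HOST, DB_NAME, DB_USER and DB_PASS are placeholders, not real values.
    $pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]);
    try {
        $stored = saveAlbum($pdo, $_POST, $_FILES['albumCover']);
        echo 'Thank you for submitting! Saved as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        echo 'Sorry, there was a problem uploading your file.';
    }
}
```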