Unable to insert Images record in MySQL Table

Question

I am creating a PHP program which takes Product information and its images as input and store the information in the database. I have written the following code, its inserting the 'Product Information' records in the database, but not inserting 'Image record' in the database, and also giving me an error message. Kindly check it and tell me where i am making the mistake. Thanks.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
</body>
</html>
<?php 
global $current_id;
session_start();
if(isset($_SESSION['username']))
{


    include 'connect.php';

            $select_query=          'Select * from category';
            $select_query_run =     mysql_query($select_query);

    echo "  
        <form action='insert_product.php' method='POST' enctype='multipart/form-data' ></br>

        Product Name:   <input type='text' name='product_name'  /></br>

        Price       :   <input type= 'text' name= 'price'  /></br>

        Description :   <input type='text' name='description'  />*Seperate by Comma</br>

        File        : <input type='file' name= 'image' >


                        ";



    /*------------------
    Drop Down List Start
    ------------------*/            


            echo "<select name='category'>";


            while   ($select_query_array=   mysql_fetch_array($select_query_run) )
            {

                    echo "<option value='".$select_query_array['category_id']."' >".
                    htmlspecialchars($select_query_array["name"])."</option>";


                }

         $selectTag= "<input type='submit' value='Insert'  /></select></form>";

         echo $selectTag;

    /*-----------------
    Drop Down List End
    ------------------*/    








    if(isset($_POST['product_name']) && isset($_POST['price']) && isset($_POST['description'])  )
    {
         $product_name  =       $_POST['product_name'];
         $price         =       $_POST['price'];
         $description   =       $_POST['description'];
         $category      =       $_POST['category'];




    $query= "insert into products (name, price, description,  category_id ) 
                VALUES( '$product_name', $price, '$description', $category )";


    if($query_run=      mysql_query($query) )
    {

        echo 'Data Inserted';
        $current_id=     mysql_insert_id();



        }   
        else
        {
            'Error In SQL'.mysql_error();
            }
    }

    else
    {
        echo 'Plesae fill all the Fields';
        }


    /*-------------------
    IMAGE QUERY 
    ---------------*/


        $file   =$_FILES['image']['tmp_name'];


        if(!isset($file))
        {
            echo 'Please select an Image';

            }
            else 
            {
                $image_check=       getimagesize($_FILES['image']['tmp_name']);

                if($image_check==false)
                {
                    echo 'Not a Valid Image';
                    }
                    else
                    {

                        $image          =file_get_contents ($_FILES['image']['tmp_name']    );
                        $image_name     =$_FILES['image']['name'];                      
                        $image_query    ="insert into product_images VALUES ($current_id, '$image_name', $image)";


                    //  $image_query=    "INSERT INTO `product_images` (`product_id`, `name`, `image`) 
                            //VALUES ('1', '{$image_name}', '{$image}')";


                        if (mysql_query($image_query))
                        {

                        //if ($image_query      =mysql_query (insert into product_images values 
                                //                          ($current_id, $image_name, $image"))




                                                            //  echo $current_id;
                                                                //echo 'Successfull';
                                                                }
                                                                else
                                                                {
                                                                    echo "<br>". mysql_error();
                                                                    }
                    }

                }
        /*-----------------
    IMAGE QUERY END
    ---------------------*/



}

else
{
    echo 'You Must Log in To View this Page!';
    }
?>

Answer 1

Two problems.

First, you should escape the values to prevent SQL injection, and also to deal with the fact that $image contains binary data.

Second, you have to quote $image in the SQL.

Try this:

$image          =mysql_real_escape_string(file_get_contents ($_FILES['image']['tmp_name']    ));
$image_name     =mysql_real_escape_string($_FILES['image']['name']);                      
$image_query    ="insert into product_images VALUES ($current_id, '$image_name', '$image')";

Answer 2

try using it this way for insert sql :

$query= "insert into products (name, price, description,  category_id ) 
                VALUES( '$product_name', '$price', '$description', $category )";

$price needs to be inside quotes too.....