html - How to upload images into MySQL database using PHP code

Question

I am trying to save images in my database from HTML form. I have written PHP code to accomplish this task. The program is not generating any error message, but also not inserting image data in MySQL database. Kindly check it. Here i am sharing a excerpt from my code.

        /*-------------------
    IMAGE QUERY 
    ---------------*/


    $file   =$_FILES['image']['tmp_name'];
    if(!isset($file))
    {
      echo 'Please select an Image';
    }
    else 
    {
       $image_check = getimagesize($_FILES['image']['tmp_name']);
       if($image_check==false)
       {
        echo 'Not a Valid Image';
       }
       else
       {
        $image = file_get_contents ($_FILES['image']['tmp_name']);
        $image_name = $_FILES['image']['name'];
        if ($image_query = mysql_query ("insert into product_images values (1,'$image_name',$image )"))
        {
          echo $current_id;
         //echo 'Successfull';
        }
        else
        {
          echo mysql_error();
        }
       }
   }
        /*-----------------
    IMAGE QUERY END
    ---------------------*/

    <form action='insert_product.php' method='POST' enctype='multipart/form-data' ></br>
            File        : <input type='file' name= 'image' >
    </form>

Error Message You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Answer 1

Firstly, you should check if your image column is BLOB type!

I don't know anything about your SQL table, but if I'll try to make my own as an example.

We got fields id (int), image (blob) and image_name (varchar(64)).

So the code should look like this (assume ID is always '1' and let's use this mysql_query):

$image = addslashes(file_get_contents($_FILES['image']['tmp_name'])); //SQL Injection defence!
$image_name = addslashes($_FILES['image']['name']);
$sql = "INSERT INTO `product_images` (`id`, `image`, `image_name`) VALUES ('1', '{$image}', '{$image_name}')";
if (!mysql_query($sql)) { // Error handling
    echo "Something went wrong! :("; 
}

You are doing it wrong in many ways. Don't use mysql functions - they are deprecated! Use PDO or MySQLi. You should also think about storing files locations on disk. Using MySQL for storing images is thought to be Bad Idea?. Handling SQL table with big data like images can be problematic.

Also your HTML form is out of standards. It should look like this:

<form action="insert_product.php" method="POST" enctype="multipart/form-data">
    <label>File: </label><input type="file" name="image" />
    <input type="submit" />
</form>

---

Sidenote:

When dealing with files and storing them as a BLOB, the data must be escaped using mysql_real_escape_string(), otherwise it will result in a syntax error.