SQL Syntax Error (Server version: 5.6.17 - MySQL)

Submitted by 爷,独闯天下 on 2019-12-02 23:50:58

Question



Could you guys please tell me what is missing in this code? I get an SQL syntax error.

I have created a table with three columns. ID is auto-incrementing and Image is a BLOB data type.

I think the problem occurs when inserting the $image.

here is the error ------->> "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '�#~���I�٢7W�?Hl����:��o���:�ӏvm5V��Ό��'`V���' at line 1 "

 <?php

if (isset($_POST["Upload"]))
{
    include("DbConnection.php");

    $file = $_FILES['image']['tmp_name'];

    if (!isset($file)) {
        echo 'Please Select a File';
    }
    else {
        $image    = file_get_contents($_FILES['image']['tmp_name']);
        $img_name = $_FILES['image']['name'];
        $img_size = getimagesize($_FILES['image']['tmp_name']);

        if ($img_size == false)
        {
            echo 'it is not a image';
        }
        else
        {
            // The file name and the raw image bytes are interpolated straight into the SQL string
            $query = mysqli_query($Con, "INSERT INTO `cars_tbl` (ID,Name,Image) VALUES ('','$img_name','$image')");
            if (!$query)
            {
                echo 'Error Executing Query '.mysqli_error($Con);
            }
            else
            {
                $last_ID = mysqli_insert_id($Con);
                echo "Image Uploaded. <p /> Your Image : <p /> <img src='get.php?ID=".$last_ID."'>";
            }
        }
    } // else
} // 1st IF
else
{
    echo 'Fill the details';
}
?>

Answer 1:


You forgot to wrap $img_name in '

$query = mysqli_query($Con, "INSERT INTO `cars_tbl` (ID, Name, Image) VALUES ('', '$img_name', '$image')");



Answer 2:


The problem is that you are apparently saving a blob into the database without escaping it.

You must realize what happens in your command: The image data - which can also contain ' because it is binary - invalidates your SQL command.

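The correct way to save it:

1) Either with prepared statements

2)

// In procedural style the escape function takes the connection as its first argument
mysqli_query($Con, "INSERT INTO `cars_tbl` (ID, Name, Image)
   VALUES ('', '".mysqli_real_escape_string($Con, $img_name)."', '".mysqli_real_escape_string($Con, $image)."')");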

I would prefer Prepared Statements. The other question is why you set ID to an empty string.
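
A prepared-statement version of the insert that Answer 2 recommends, as an added example that is not part of the original thread. It assumes, as in the question, that DbConnection.php defines the mysqli link $Con and that ID is auto-incrementing, so the column is left out; save_image is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread.
// Assumption: DbConnection.php defines $Con (a mysqli link), as in the question.
include "DbConnection.php";

// Hypothetical helper: stores one uploaded image and returns the new row ID.
function save_image(mysqli $con, array $upload): int
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if (getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('Not an image');
    }
    $name  = basename($upload['name']);   // client-supplied, so untrusted
    $image = file_get_contents($upload['tmp_name']);

    // Placeholders keep the data out of the SQL text, so a quote byte inside
    // the file name or the image cannot end the string literal.
    // ID is omitted because the column is auto-incrementing.
    $stmt = mysqli_prepare($con, "INSERT INTO `cars_tbl` (Name, Image) VALUES (?, ?)");
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($con));
    }
    $blob = null;                          // 'b' parameters are sent separately
    mysqli_stmt_bind_param($stmt, 'sb', $name, $blob);
    // Parameter index 1 is the second placeholder; chunking keeps each
    // packet below the server's max_allowed_packet.
    foreach (str_split($image, 65536) as $chunk) {
        mysqli_stmt_send_long_data($stmt, 1, $chunk);
    }
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException(mysqli_stmt_error($stmt));
    }
    $id = mysqli_insert_id($con);
    mysqli_stmt_close($stmt);
    return $id;
}

if (isset($_POST['Upload'], $_FILES['image'])) {
    try {
        $id = save_image($Con, $_FILES['image']);
        echo "Image Uploaded. <p /> Your Image : <p /> <img src='get.php?ID=" . (int) $id . "'>";
    } catch (RuntimeException $e) {        // also catches mysqli_sql_exception
        echo 'Error: ' . htmlspecialchars($e->getMessage());
    }
}
```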




Answer 3:


You are trying to insert the value '$img_name' as Name and not img_name content. Try the following:

 $query  = mysqli_query($Con, "INSERT INTO `cars_tbl` (ID,Name,Image) VALUES ('','" . $img_name . "','" . $image . "')");


Source: https://stackoverflow.com/questions/36483245/sql-syntax-error-server-version-5-6-17-mysql
