We Keep Coding

php insert blob into mysql from base64 string

I knew that there are several similar questions, also I am aware that best practice is to keep images on server but I was told to do this way... Well I am sending base64 string from android to php webservice. I am sending it right, also tested via Postman to be sure that problem is not android but service. I have error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'oX?떧?=j?b?ED?Nϯ??=?|?pv??ёQv}gX?' at line 2
<?php
header('Content-Type: text/html; charset=utf-8');
// array for JSON response
$response = array();
// include db connect class
require_once '../config/db_connect.php';
$db = new DB_CONNECT();
$host_id = $_POST['host_id'];
$name = $_POST['event_name'];
$description = $_POST['event_description'];
$date = $_POST['date'];
$photo = $_POST['photo'];
// get all products from products table
$escaped = mysql_escape_string ($photo);
$photo_blob = base64_decode($escaped);
//echo $photo_blob;
$result = mysql_query(
'INSERT INTO dogadjaj (host_id, name, description, date, photo)
VALUES ("' . $host_id . '" ,"' . $name .'", "' . $description . '", "' . $date . '", "' . $photo_blob . '");')
or die(mysql_error());
?>

Use $photo_blob = base64_encode($escaped); instead of $photo_blob = base64_decode($escaped);. You would need the base64_decode when processing the base_64 read from the database.

mysqli_query syntax error with $_SESSION used

I had got the error like this
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)
Here is my code (I used $_SESSION to get variable from the other page.)
$sql="insert into data(name,sex,time,suggest,eat,problem,student_suggest,tutor_suggest,other_suggest)
values('$_SESSION['name']','$_SESSION['gender']','$_SESSION['time']','$_SESSION['suggest']','$_SESSION['eat']', '$_SESSION['problem']','$_SESSION['student']','$_SESSION['tutor']','$_SESSION['other']')";
mysqli_query($cn,$sql) or die(mysqli_error($cn));

You need to proper write down variables.
It can't be :
values('$_SESSION['name']',
It has to be:
values('".$_SESSION['name']."',
Another good approach is to use PDO
$dbh = new PDO('mysql:host=localhost;dbname=data', $user, $pass);
$stmt = $dbh->prepare("INSERT INTO data (name, sex) VALUES (:name, :sex)");
$stmt->bindParam(':name', $_SESSION['name']);
$stmt->bindParam(':sex', $_SESSION['gender']);
$stmt->execute();

You are using single quote in worng sequnence and this generated wrong code ..
You could use string concat for avoid the problem
but be carefulfor sqlijcection using php var inside sql, (you should use PDO and param binding.
Anyway related to your question
$sql="insert into data(name,sex,time,suggest,eat,problem,student_suggest,tutor_suggest,other_suggest)
values(" . $_SESSION['name'] . ","
. $_SESSION['gender'] . ","
. $_SESSION['time'] . ","
. $_SESSION['suggest'] . ","
. $_SESSION['eat']', . ","
. $_SESSION['problem'] . ","
. $_SESSION['student'] . ","
. $_SESSION['tutor'] . ","
. $_SESSION['other'] . ")";

MySQL insert errors

It's pretty much one of my first times working with MYSQL, and I can't seem to fix this one error I keep getting. I'm trying to store data to a table which has an auto_increment on its id (first column).
The error I keep getting is this:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'voorletters ='asd', tussenvoegsel ='', achternaam ='', roepnaam ='', adres ='', ' at line 1"
I just filled the textboxes with a little bit of rubish, there are no columns that require data either. Here is the code I use:
if(isset($_POST['save']))
{
$voorletters = $_POST['voorletters'];
$tussenvoegsel = $_POST['tussenvoegsel'];
$achternaam = $_POST['achternaam'];
$roepnaam = $_POST['roepnaam'];
$adres = $_POST['adres'];
$postcode = $_POST['postcode'];
$plaats = $_POST['plaats'];
$geslacht = $_POST['geslacht'];
$emailadres = $_POST['emailadres'];
$telefoonnummer = $_POST['telefoonnummer'];
$mobielenummer = $_POST['mobielenummer'];
$geboortedatum = $_POST['geboortedatum'];
$bsn = $_POST['bsn'];
mysql_query("INSERT INTO `naw` "
. "voorletters ='$voorletters', "
. "tussenvoegsel ='$tussenvoegsel', "
. "achternaam ='$achternaam', "
. "roepnaam ='$roepnaam', "
. "adres ='$adres', "
. "postcode ='$postcode', "
. "plaats ='$plaats', "
. "geslacht ='$geslacht', "
. "emailadres ='$emailadres', "
. "telefoonnummer ='$telefoonnummer', "
. "mobielenummer ='$mobielenummer', "
. "geboortedatum ='$geboortedatum', "
. "bsn ='$bsn' "
. "WHERE id = '$id'")
or die(mysql_error());
If this isn't enough information, please tell me. I've tried a lot of things, but I can't seem to figure it out.

You mix up insert and update syntax. Replace
INSERT INTO `naw` voorletters ='$voorletters'...
with
UPDATE `naw` set voorletters ='$voorletters'....
And you should really use Prepared Statements to avoid syntax errors and SQL injections due to user input.

You have a wrong syntax
The INSERT syntax is
INSERT INTO `YourTableName`(`Field1`, `Field2`, `Field3`, `Field4)
VALUES ('value-1','value-2','value-3','value-4')
The UPDATE syntax is
UPDATE `YourTableName`
SET `Field1`='value-1',`Field2`='value-2',`Field3`='value-3',`Field4`='value-4'
WHERE YourConditions

Just use following code. Make sure that you are inserting data for every field sequentially-
mysql_query("INSERT INTO `naw` VALUES(
'".$voorletters."',
'".$tussenvoegsel."',
'".$achternaam."',
'".$roepnaam."',
'".$adres."',
'".$postcode."',
'".$plaats."',
'".$geslacht."',
'".$emailadres."',
'".$telefoonnummer."',
'".$mobielenummer."',
'".$geboortedatum."',
'".$bsn."')")
or die(mysql_error());

You should remove the `` around naw, it's ok in phpmyadmin but quite messy almost every where else.
And you souldn't concatenate every line, do it in one "..." and use backspace to make it more readable.
So:
mysql_query("INSERT INTO naw
VALUES('$voorletters',
'$tussenvoegsel',
... ,
WHERE id = '$id'");//you can't do that, maybe you should use an UPDATE

i am currently have an MYSQL syntax error

i am very new at MYSQL and after i created this script to update a row in the table of a MYSQL Database and run it i get this error
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '265'', Employer_VAT_number = ''45698'', Employer_Name = ''Namtax_Ltd'', Employer' at line 3
here is the code
// username and password sent from form
$Numb=$_POST["Numb"];
$VAT=$_POST["VAT"];
$Name=$_POST["Name"];
$Addr=$_POST["Addr"];
$PO=$_POST["PO"];
// To protect MySQL injection (more detail about MySQL injection )
$Numb = stripslashes($Numb);
$VAT = stripslashes($VAT) ;
$Name = stripslashes($Name) ;
$Addr = stripslashes($Addr) ;
$PO = stripslashes($PO) ;
$Numb = "'" . mysql_real_escape_string($Numb) . "'";
$VAT = "'" . mysql_real_escape_string($VAT) . "'";
$Name = "'" . mysql_real_escape_string($Name) . "'";
$Addr = "'" . mysql_real_escape_string($Addr) . "'";
$PO = "'" . mysql_real_escape_string($PO) . "'";
$sql=("UPDATE $tb1_name SET Employer_Registration_Number ='".$Numb."', Employer_VAT_number = '".$VAT."', Employer_Name = '".$Name."', Employer_Address = '".$Addr."', Employer_Postal_Address = '".$PO."' WHERE Employer_Name = '".$Name."' ");
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Successfully Updated";
mysqli_close($con);
?>
</body>

This here:
$Numb = "'" . mysql_real_escape_string($Numb) . "'";
Firstly, that isn't proper syntax and you're using mysqli_ to connect with, least I sure hope you are.
Those different MySQL APIs do not intermix with each other.
That should read as:
$Numb = mysqli_real_escape_string($con,$Numb);
while doing the same for the rest of your variables, following the same method outlined here.
Footnotes:
Seeing you didn't post what $tb1_name is, doubt that would be causing an issue. But just for the sake of argument, wrap that variable in ticks, just so if your table name changes to something containing a hyphen or a space, or anything that MySQL will complain about.
UPDATE `$tb1_name` SET...
Plus, since you didn't mention which MySQL API you're using to connect with, make sure it is in fact mysqli_ and not mysql_ or PDO.
It doesn't look like it, but I have to be 100% sure.
Your connection should resemble something like this:
$con = mysqli_connect("yourhost","user","pass","your_DB")
or die("Error " . mysqli_error($con));
Again, those different MySQL APIs do not intermix with each other.
Consult (PHP: Choosing an API - Manual): https://php.net/mysqlinfo.api.choosing
"I am very new at MYSQL..."
Seeing you're new to this:
Use mysqli with prepared statements, or PDO with prepared statements.
Additional notes. (as an edit)
I noticed another question you posted earlier:
https://stackoverflow.com/q/30191388/
where you said "Thank you it worked " in the answer given https://stackoverflow.com/a/30191647/
I don't get that.
How could that possibly work where you're using if (!mysqli_query($con,$sql))?
You'll need to show us the way you're connecting with here.
If you truly want to see if your query was successful, use mysqli_affected_rows().
if(mysqli_affected_rows($con)){
echo "Successfully updated.";
}
else{
echo "Not updated.";
}
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.

Struggling with mysql_real_escape_string

Can anyone help. I'm trying to shore up my security using mysql_real_escape_string on values passed to PHP for an internal messaging service, but I must be getting the syntax wrong somewhere because the values are not being inserted into the database. I've looked around for tutorials, help etc but struggling to get it right.
The code I'm using is below. The values that haven't been escaped ($email, $from, $time) are being entered correctly, but the other values are just entered blank.
<?php
session_start();
$conn = mysqli_connect('localhost', 'username', 'password', 'dbname');
$email=$_SESSION['email'];
$to = $_POST ['touser'];
$toemail = $_POST['touseremail'];
$from = $_SESSION['name'];
$message = $_POST['message'];
$subject = $_POST['subject'];
$time = time();
$query ="INSERT INTO messages
(to_user, to_email, subject, message, from_user, from_email, daterecord)
VALUES (
'" . mysql_real_escape_string($conn, $to) . "',
'" . mysql_real_escape_string($conn, $toemail) . "',
'" . mysql_real_escape_string($conn, $subject) . "',
'" . mysql_real_escape_string($conn, $message) . "',
'$from', '$email', '$time')";
$send = $conn -> query($query);
echo "Message sent!";
?>

check out the function mysqli_real_escape_string()
i should also note that the prefered method for escaping strings these days is parameter binding

You are using mysql_real_escape_string instead of mysqli_real_escape_string.
Fix that and it will work better!

The actual problem you're having is that you're mixing up between the mysql extension and the mysqli extension.
If you're using mysqli_connect(), then all the DB functions you use must begin mysqli_.
You're using mysql_real_escape_string, when the function you actually want is mysqli_real_escape_string.
That i is very important.
However, if you'll allow me to go beyond the actual problem described, I would recommend moving away from escaped queries, and instead use Parameterised Queries.
Parameterised Queries is a technique that allows you to specify queries like this:
SELECT fieldname from talbe WHERE arg = ? AND arg2 = ?
and then replace those ?s with your variables using mysqli_bind_param().
This technique is considered a much better technique than using escape strings.
Hope that helps.

Use the function mysqli_real_escape_string() instead
Doc: http://www.php.net/manual/en/mysqli.real-escape-string.php