This is a simplified version of my code. What I'm trying to achieve is that I want to insert the image path into a DB table. I used the constant DIRECTORY_SEPARATOR and I am also using PDO.
$tmp = $_FILES['file1']['tmp_name'];
$name = $_FILES['file1']['name'];
$path = getcwd() . DIRECTORY_SEPARATOR . 'images' . DIRECTORY_SEPARATOR . $name;
$success = move_uploaded_file($tmp, $path);
$query = "INSERT INTO phptbl (Name, Photo) VALUES ('name', '$path')";
echo 'Something went wrong!';
\ on your system, you're creating a string with backslashes. Backslashes are an escape character in many languages, including SQL. The database will interpret \ as a meta character. To correctly store any and all arbitrary values, you need to either escape the value correctly (to \\) or, better, prepare and bind the query:
$stmt = $db->prepare("INSERT INTO phptbl (Name, Photo) VALUES ('name', ?)");
$stmt->execute([$path]);
This will correctly preserve special characters as is without them getting interpreted.
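The effect described in the answer, as an added example that is not part of the original question or answer: it models what MySQL's default literal parsing does to an interpolated Windows path, then stores the same value through a bound parameter. The helper `mysqlLiteralValue`, the sample path and the SQLite in-memory database (standing in for the poster's MySQL table, and requiring the pdo_sqlite extension) are assumptions.

```php
<?php
// Model of how MySQL reads a quoted string literal in its default SQL mode
// (NO_BACKSLASH_ESCAPES off): known escapes are translated; for any other
// "\x" the backslash is dropped. Illustration only, not MySQL's own code.
function mysqlLiteralValue(string $literal): string
{
    $map = ['0' => "\0", 'b' => "\x08", 'n' => "\n", 'r' => "\r",
            't' => "\t", 'Z' => "\x1A", '\\' => '\\', "'" => "'", '"' => '"'];
    $out = '';
    $len = strlen($literal);
    for ($i = 0; $i < $len; $i++) {
        $c = $literal[$i];
        if ($c !== '\\' || $i + 1 === $len) {
            $out .= $c;                    // ordinary character
            continue;
        }
        $next = $literal[++$i];
        if ($next === '%' || $next === '_') {
            $out .= '\\' . $next;          // kept as-is for LIKE patterns
        } else {
            $out .= $map[$next] ?? $next;  // unknown escape: backslash dropped
        }
    }
    return $out;
}

// Constructed sample value: a path built with DIRECTORY_SEPARATOR on Windows.
$path = 'C:\\xampp\\htdocs\\images\\new.png';

// What the interpolated query from the question would store on MySQL:
// the separators vanish and "\n" becomes a line break.
var_dump(mysqlLiteralValue($path));

// Bound parameter: the value is sent as data and never parsed as a literal.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phptbl (Name TEXT, Photo TEXT)');
$stmt = $db->prepare('INSERT INTO phptbl (Name, Photo) VALUES (?, ?)');
$stmt->execute(['name', $path]);

// The stored value compares equal to the original path, backslashes included.
$stored = $db->query('SELECT Photo FROM phptbl')->fetchColumn();
var_dump($stored === $path);
```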