I want to make a profile page in PHP where I should display information about the logged-in user, including a profile photo. For that purpose, I want to store the uploaded image in the database. I have written a script, but it gives me an error in the SQL statement.
My PHP script:
    <?php
    include("configdb.php");

    function GetImageExtension($imagetype)
    {
        if(empty($imagetype)) return false;
        switch($imagetype)
        {
            case 'image/bmp': return '.bmp';
            case 'image/gif': return '.gif';
            case 'image/jpeg': return '.jpg';
            case 'image/png': return '.png';
            default: return false;
        }
    }

    if (!empty($_FILES["uploadedimage"]["name"])) {
        $file_name=$_FILES["uploadedimage"]["name"];
        $temp_name=$_FILES["uploadedimage"]["tmp_name"];
        $imgtype=$_FILES["uploadedimage"]["type"];
        $ext= GetImageExtension($imgtype);
        $imagename=date("d-m-Y")."-".time().$ext;
        $target_path = "../Photos/".$imagename;
        if(move_uploaded_file($temp_name, $target_path)) {
            $query_upload="INSERT into 'images_tbl' ('images_path','submission_date') VALUES
            ('".$target_path."','".date("Y-m-d")."')";
            mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
        }else{
            exit("Error While uploading image on the server");
        }
    }
    ?>
I got the following error:
error in INSERT into 'images_tbl' ('images_path','submission_date') VALUES ('../Photos/03-10-2016-1475478958.jpg','2016-10-03') == ----> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''images_tbl' ('images_path','submission_date') VALUES ('../Photos/03-10-2016-14' at line 1
You are mixing Mysqli with Mysql. Try it like this:
    $query_upload="INSERT into images_tbl (`images_path`,`submission_date`) VALUES
    ('".$target_path."','".date("Y-m-d")."')";
    mysqli_query($conn,$query_upload) or die("error in $query_upload == ----> ".mysqli_error($conn));
instead of
    $query_upload="INSERT into 'images_tbl' ('images_path','submission_date') VALUES
    ('".$target_path."','".date("Y-m-d")."')";
    mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
You are using quotes around the tablename and columns where it should be backticks, so change:
    $query_upload="INSERT into 'images_tbl' ('images_path','submission_date') VALUES
    ('".$target_path."','".date("Y-m-d")."')";
to
    $query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`) VALUES
    ('".$target_path."','".date("Y-m-d")."')";
That said, the code is vulnerable to SQL injection and you are using the now deprecated and obsolete mysql_* functions - change to either mysqli or PDO and begin using prepared statements.
As your db connection is mysqli you need to use mysqli_query and other associated functions and not mix them with the older mysql functions.
    $result=mysqli_query($conn, $query_upload) or die('error');
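The prepared-statement approach recommended in the answer above, as an added example (not code from the original posts). It assumes `configdb.php` defines `$conn` as a mysqli connection; the function name `storeUploadedImage` and the random file naming are illustrative choices, and the type is detected from the file contents rather than from the browser-supplied `type` field.

```php
<?php
// Added example, not the poster's code. Assumes configdb.php defines $conn
// as a mysqli connection, as the answers above suggest.
include("configdb.php");
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Extensions keyed by the MIME type detected from the file contents.
const ALLOWED_TYPES = [
    'image/gif'  => '.gif',
    'image/jpeg' => '.jpg',
    'image/png'  => '.png',
];

// Hypothetical helper: validates, stores and records one uploaded image.
function storeUploadedImage(mysqli $conn, array $file, string $dir = "../Photos/"): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException("Upload failed");
    }
    // $file['type'] is sent by the browser; inspect the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException("Unsupported image type");
    }
    // Server-generated name: nothing from the client reaches the path.
    $target = $dir . bin2hex(random_bytes(16)) . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException("Error while uploading image on the server");
    }
    // Placeholders keep the values out of the SQL text entirely.
    $date = date("Y-m-d");
    $stmt = $conn->prepare(
        "INSERT INTO `images_tbl` (`images_path`, `submission_date`) VALUES (?, ?)"
    );
    $stmt->bind_param("ss", $target, $date);
    $stmt->execute();
    $stmt->close();
    return $target;
}

if (!empty($_FILES["uploadedimage"]["name"])) {
    try {
        storeUploadedImage($conn, $_FILES["uploadedimage"]);
    } catch (Exception $e) {
        error_log($e->getMessage()); // details go to the log, not the page
        exit("Could not save the image");
    }
}
```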