MySQL Query not executing during file retrieval

Question

I'm using PHP to create a service to accept a file and then enter information into a MySQL database. I'm not generating any errors (at least not in the directory error_log). The file uploads fine, however the information is not entered into the database, and as I said there are no errors that I see listed, there very well may be, and I'm unsure of where to look.

include("connect.php");
$type = "jpg";

foreach ($_GET as $key => $value) { eval("\$" . $key . " = \"" . $value . "\";");}  
$filename = isset($_REQUEST["filename"]) ? $_REQUEST["filename"] : "jjj";  
$append = $_REQUEST["append"];
if($code == "XXX")  
{  
    try  
        {       
            mysql_query("INSERT INTO `images-table` (`file-name`, `file-type`) VALUES (`". $filename . "`, `" . $type . "`)");

            if(!$append)  
                $file = fopen("uploads/" . $filename,"w");  
            else  
                $file = fopen("uploads/" . $filename,"a");  

            $input = file_get_contents ("php://input");  
            fwrite($file,$input);  
            fclose($file);  

    echo "OK";

        }  
    catch (Exception $e)   
        {  
            echo 'Caught exception: ',  $e->getMessage(), "\n";  
        }  
}
else
{
echo 'You do not have permission to do this.';
}

Answer 1

because the values of your INSERT statement were wrap with backticks. It should be single quote. Backticks are identifier, single quote are for string.

mysql_query("INSERT INTO `images-table` (`file-name`, `file-type`) 
             VALUES ('". $filename . "', '" . $type . "')");

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

• How to prevent SQL injection in PHP?

Others

• MySQL - when to use single quotes, double quotes, and backticks?