-1

I use formData to upload data to the server, and the data for the body I am saving as a text datatype in the database. I found out that when there is punctuation like ' - " etc. as a value in formData, it gives this error: SyntaxError: Unexpected token < in JSON at position 0. When the body contains commas and dots it works, but not with other punctuation. The FormData docs say that the value is converted to a string, therefore my question: can this string be converted to a text datatype? Which I believe should then work with punctuation. Or is there any other way to have a formData value work with punctuation as described above? My code:

```js
let formData = new FormData();
formData.append("image", {uri: this.state.ImageSource.uri, name: 'image.jpg', type: 'image/jpeg'});
formData.append('video', this.state.video);
formData.append('title', this.state.title);
formData.append('body', this.state.body);
formData.append('categories', this.state.category);

let data = {
    method: 'POST',
    headers: {
        "Content-Type": "multipart/form-data",
    },
    body: formData
};

const response = await fetch(fetchUrlPhp, data);
```

This is the error I receive on the server side:

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'blog', '2019-12-24')' at line 1 in D:\XAMPP\htdocs\own_website\portfolio\handle_post.php:69

Which is this query/line:

```php
$query = $connect->query("insert into posts ( image, video, title, body, categories, postDate ) VALUES('$target_dir', '$video', '$title', '$body', '$categories', '$date')");
```
  • 1
    If you do some research on that error, it is usually caused by the server returning an error HTML page rather than JSON. You need to find out what exactly is causing the error on the server. We can guess, but it would be just that -- a guess, and of less use to later visitors than a concrete answer based on full knowledge of what the error is. – Heretic Monkey Dec 24 '19 at 20:55
  • @HereticMonkey Thanks for your response. You're completely right, didn't think of that. I updated the question with the error I found on the server side. Now researching that error, but this error only arrives when using punctuation like ' " - etc. I think this error arrives because when I insert the data like the body, it expects a text datatype, but instead got a string from the formdata. – Clemens Philipse Dec 24 '19 at 21:11
  • 3
    The problem is that you have an unescaped quote in one of the variables. Use a prepared statement with bound parameters, and it will solve this problem and protect against SQL injection. – Barmar Dec 24 '19 at 21:17
  • @Barmar Look at that, you're right! I made the prepared statement like you said and it works. Thanks man! Will you make an answer out of this? Or should I? – Clemens Philipse Dec 24 '19 at 21:32
  • Does this answer your question? [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement) – Dharman Dec 24 '19 at 23:02
  • @Dharman It is not the answer to my question, but it is a solution to my issue, as I found out from Barmar's comment. Initially I didn't even think it was a problem on my server side, but that it was with formdata. I've written the answer to my question below as an answer. – Clemens Philipse Dec 25 '19 at 07:30

1 Answer

1

Based on the comment of @Barmar I fixed the issue.

> The problem is that you have an unescaped quote in one of the variables.

Here is the answer, which only needed some adjustment in my PHP code:

```php
// From
$query = $connect->query("insert into posts ( image, video, title, body, categories, postDate ) VALUES('$target_dir', '$video', '$title', '$body', '$categories', '$date')");

// To
$sql = "INSERT INTO posts(image, video, title, body, categories, postDate) VALUES(:image, :video, :title, :body, :categories, :postDate)";
$query = $connect->prepare($sql);
$query->execute(array(':image' => $target_dir, ':video' => $video, ':title' => $title, ':body' => $body, ':categories' => $categories, ':postDate' => $date));
```

Answer to my own question: Can the value with formdata be a text datatype? It's a string which is close to equal to text, but in the end punctuation won't be a problem with the formdata syntax. The reason why it didn't work for me was because of the code on the server side.
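
The before and after from this answer as a self-contained script, added here as an example and not taken from the asker's handle_post.php. It assumes an in-memory SQLite database in place of MariaDB, a reduced four-column table, hypothetical function names and a constructed post; both paths return a JSON-ready array, so a database failure reaches the client as JSON instead of the HTML error page behind the original `Unexpected token <` message.

```php
<?php
// Added example, not the asker's handle_post.php. Assumptions: in-memory SQLite
// stands in for MariaDB; function names and the sample post are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, categories TEXT, postDate TEXT)');

$post = [
    'title'      => 'Holiday post',
    'body'       => 'It\'s a "quoted" body - with punctuation.',
    'categories' => 'blog',
    'postDate'   => '2019-12-24',
];

// Before: values pasted into the SQL text. The apostrophe in body closes the
// string literal early, so the statement fails to parse.
function insertInterpolated(PDO $db, array $p): array
{
    try {
        $db->query("INSERT INTO posts (title, body, categories, postDate)
            VALUES ('{$p['title']}', '{$p['body']}', '{$p['categories']}', '{$p['postDate']}')");
        return ['ok' => true, 'id' => (int) $db->lastInsertId()];
    } catch (PDOException $e) {
        error_log($e->getMessage()); // detail goes to the server log only
        return ['ok' => false, 'error' => 'Could not save post'];
    }
}

// After: placeholders keep the values out of the SQL text entirely.
function insertPrepared(PDO $db, array $p): array
{
    try {
        $stmt = $db->prepare('INSERT INTO posts (title, body, categories, postDate)
            VALUES (:title, :body, :categories, :postDate)');
        $stmt->execute([':title' => $p['title'], ':body' => $p['body'],
            ':categories' => $p['categories'], ':postDate' => $p['postDate']]);
        return ['ok' => true, 'id' => (int) $db->lastInsertId()];
    } catch (PDOException $e) {
        error_log($e->getMessage());
        return ['ok' => false, 'error' => 'Could not save post'];
    }
}

// Both paths answer with JSON, so the client never has to parse an HTML error page.
echo json_encode(insertInterpolated($db, $post)), PHP_EOL;
echo json_encode(insertPrepared($db, $post)), PHP_EOL;
$stored = $db->query('SELECT body FROM posts WHERE id = 1')->fetchColumn();
var_dump($stored === $post['body']); // stored body compared with the submitted one
```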