Upload PDF to sql database

Does anyone know how on earth you can upload a PDF file to a varbinary(max) in an SQL database? I have tried all sorts of ways and got nowhere. This is my code but it just does like the binary when it comes to the insert

$Title = htmlspecialchars(trim($_POST['Title']));
$DivisionID = trim($_POST['DivisionID']);
$FileName = trim($_FILES['Pdf']['name']);
$File_Tmp = $_FILES['Pdf']['tmp_name'];
echo $FileName;
echo $File_Tmp;
if ($Pdf_Binary = file_get_contents($File_Tmp)) {
    $SQL = "INSERT INTO HelpFiles (DivisionID, Title, FileName, Pdf_File, FileType, FileSize) VALUES(" . $DivisionID . ", '" . $Title . "', '" . $FileName . "', CONVERT(varbinary(MAX),'" . $Pdf_Binary . "'), '.pdf', " . $FileSize . ")";
    $stmt = sqlsrv_query($connect, $SQL);
    echo $SQL;
}

When I try the echoed sql insert in Sql Management Studio I get

Msg 102, Level 15, State 1, Line 1
Incorrect syntax near ‘�’.
Msg 103, Level 15, State 4, Line 1
The identifier that starts with ‘�l^BZdv.��_�ﯬ{ endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> endobj 17 0 o’ is too long. Maximum length is 128.
Msg 103, Level 15, State 4, Line 1
The identifier that starts with ’ 176 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 508 0 554 553 416 0 0 555 288 0 0 0 717 542 546 502 0 0 517’ is too long. Maximum length is 128.

I hope someone can help - thanks

I personally wouldn’t upload the pdf itself to the MySQL database table, but rather the link to a directory where it is located at. Then simply reference the link in a HTML anchor tag or what have you.

That’s partly because when you copy/paste the echoed output, you only get the printed output. Anything in the binary file that doesn’t result in any printed output or that looks like html tags <...> won’t be rendered by the browser.

Next, the sql query statement is a string. Any sql special characters in any value you put directly into it will break the sql syntax, which is how sql injection is accomplished. The expected way of supplying external, unknown, dynamic values to a query, when it gets executed, is to use a prepared query. This applies to all the columns. The php’s sqlsrv_query() documentation shows the basics of how to use a prepared query - PHP: sqlsrv_query - Manual

The above is just one of the many reasons why files are usually not stored in databases, they are stored in the file system.

Lastly, htmlspecialchars() is an output function. It is used when a dynamic value is output in a html context, right before outputting the value. Do not apply it to the input value(s) you are going to insert into a database table.

I agree but the person I am doing it for wants it in the Database

That’s partly because when you copy/paste the echoed output, you only get the printed output. Anything in the binary file that doesn’t result in any printed output or that looks like html tags <...> won’t be rendered by the browser.

Idiot - of course. I hadn’t thought of that

This works perfectly - thanks for pointing me in the right direction

$fp = fopen($File_Tmp, 'rb');
$file_content = fread($fp, filesize($File_Tmp));
$params = array($DivisionID, $Title, $FileName, $file_content, '.pdf', $FileSize);

$SQL = "INSERT INTO HelpFiles (DivisionID, Title, FileName, Pdf_File, FileType, FileSize) VALUES(?, ?, ?, CONVERT(VARBINARY(max),?), ?, ?)";
$stmt = sqlsrv_query($connect, $SQL, $params);
if ($stmt === false) {
    die(print_r(sqlsrv_errors(), true));
}
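
A hardened variant of the insert above, as an added example that is not part of the original thread: it validates the upload, binds every value as a parameter, and sends the file as a binary stream typed as varbinary(max). The function name save_help_pdf is hypothetical; $connect and the HelpFiles columns are assumed to be as in the posts.

```php
<?php
// Added example. Assumes $connect is an open sqlsrv connection and the
// HelpFiles table from the thread; save_help_pdf() is a hypothetical name.
function save_help_pdf($connect, array $post, array $file): void
{
    // Reject failed or forged uploads before touching the temp file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // DivisionID must be an integer. Title is stored as entered;
    // htmlspecialchars() belongs where it is later printed into HTML.
    $divisionId = filter_var($post['DivisionID'] ?? null, FILTER_VALIDATE_INT);
    $title      = trim($post['Title'] ?? '');
    if ($divisionId === false || $title === '') {
        throw new InvalidArgumentException('Bad DivisionID or Title');
    }

    // Check the content, not the client-supplied name or MIME type.
    $stream = fopen($file['tmp_name'], 'rb');
    if ($stream === false || fread($stream, 5) !== '%PDF-') {
        throw new RuntimeException('Not a PDF');
    }
    rewind($stream);

    $sql = "INSERT INTO HelpFiles
                (DivisionID, Title, FileName, Pdf_File, FileType, FileSize)
            VALUES (?, ?, ?, ?, ?, ?)";
    $params = [
        $divisionId,
        $title,
        basename($file['name']),            // drop any path component
        // Binary stream bound as varbinary(max): no quoting, no CONVERT.
        [$stream, SQLSRV_PARAM_IN,
         SQLSRV_PHPTYPE_STREAM(SQLSRV_ENC_BINARY),
         SQLSRV_SQLTYPE_VARBINARY('max')],
        '.pdf',
        filesize($file['tmp_name']),
    ];

    $stmt = sqlsrv_query($connect, $sql, $params);
    fclose($stream);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true)); // log; do not echo to the user
        throw new RuntimeException('Insert failed');
    }
}
```

Call it as save_help_pdf($connect, $_POST, $_FILES['Pdf']); because the bytes travel as a typed parameter, nothing in the PDF can be parsed as SQL.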

To be honest, I think storing a PDF in a database such as MySQL is a very bad idea. It will make your DB grow very fast, and it will make your queries very slow. I think you should only store the PDF path in the DB, and store the PDF elsewhere :sweat_smile:
