tags:

views:

94

answers:

3

Sorry, I'm a newbie. I think that there's something wrong in this code, or something that can be improved. This code was designed to upload files from a Flash/JavaScript uploader plugin. It doesn't give me an error, but sometimes it does not insert the MySQL query. P.S.: every posted variable is cleaned up via JavaScript (just alphanumeric text). Thank you.

<?php
include 'a/inc/db.php';

if (!empty($_FILES)) 
{
    $tempFile = $_FILES['Filedata']['tmp_name'];

    // Only the last three characters of the client-supplied file name are checked
    if (substr($_FILES['Filedata']['name'],-3)!='mp3')
    {
        echo 'ERROR: your file was not an mp3';
        die();
    }

    // Request values are used as-is from here on, both in the file path and in the SQL
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    $titlepost = $_POST['title']; 
    $tagspost = $_POST['tag'];    
    $artist= $_POST['artist'];
    $i= $_POST['i'];
    $targetFile = str_replace('//','/',$targetPath) .time().".mp3";
    $targetFilea = $targetFile; 
    // Keeps the path from just before 'music' onward, i.e. the web-relative path
    $targetFilea = substr($targetFilea , strrpos($targetFilea , 'music') -1);
    move_uploaded_file($tempFile,$targetFile);
    mysql_query('set names utf8');
    // $ras is not assigned anywhere in this script, so `rand` is inserted as an empty string
    $sql = mysql_query("INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `rand`, `album`, `i`, `artist`) 
                        VALUES ('".$targetFilea."', '".$titlepost."', '".$tagspost."', '0', '1', '".$ras."', '1', '".$i."', '".$artist."');") 
    or die(mysql_error());   
    $sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', 'upload', '".$titlepost."');") 
    or die(mysql_error());
    // Looks the new row up again by file name to get its id
    $click =  mysql_query("SELECT * 
                           FROM `Music` 
                           WHERE `filename`='".$targetFilea."' ;");  

    while($row = mysql_fetch_array( $click ))
    {
        $mid=$row['id'];
        echo "<id>".$row['id']."</id>";
    }
    // $connection is not assigned in this script either (unless db.php defines it)
    mysql_close($connection);
}
echo "1";
?>
A: 

If the record is not getting inserted, this most likely means that there is some error. Possibly you have not set proper error reporting, which is why you don't see any error. Put the two lines below at the top of your script so that all errors are shown.

ini_set('display_errors', true);
error_reporting(E_ALL);
Sarfraz
+2  A: 
$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', upload', '".$titlepost."');") 

there is a ' missing before upload

try this instead (also added mysql_real_escape_string for security):

$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".mysql_real_escape_string($i)."', 'upload', '".mysql_real_escape_string($titlepost)."');") 
Karsten
Looking at the edit history of the question, the missing ' was introduced by tharkun. Nicolo didn't have this issue so my answer won't help him, sorry.
Karsten
fixed it there.
Karsten
If you're double-quoting strings in MySQL queries, I prefer to just write the variables without breaking out. For example, compare:`$sql = "INSERT INTO table (field) VALUES ('$data')";` (back-ticks from table and field names omitted due to breaking Stack Overflow's code view rendering). Makes it much cleaner and keeps the syntax colour-coding consistent in IDEs.
Martin Bean
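The `activity` INSERT from the answer above, built three ways, as an added example that is not part of the question or any answer: the concatenated form from the question, the escaped form the answer suggests (ported to mysqli, since the mysql_* functions no longer exist in PHP 7), and a prepared statement, which removes the quoting problem entirely. The connection credentials are placeholders and the `activity` table is assumed to match the question's schema.

```php
<?php
// Added example (not from the question or answers): the `activity` INSERT
// built three ways. Requires the mysqli extension; host/user/password/db
// below are placeholders, and the `activity` table mirrors the question.

// 1. The pattern from the question: values concatenated straight into SQL.
//    A perfectly legitimate title such as  Rock 'n' Roll  breaks the
//    statement, and the same mechanism is what lets unwanted SQL through.
function buildActivityInsertUnsafe(string $from, string $title): string
{
    return "INSERT INTO `activity` (`from`, `what`, `text`) "
         . "VALUES ('" . $from . "', 'upload', '" . $title . "');";
}

// 2. The fix from the answer above, on mysqli. Escaping is connection- and
//    charset-aware, so it needs the live connection; the quotes around each
//    value must stay, escaping alone does nothing for an unquoted value.
function buildActivityInsertEscaped(mysqli $db, string $from, string $title): string
{
    return "INSERT INTO `activity` (`from`, `what`, `text`) VALUES ('"
         . $db->real_escape_string($from) . "', 'upload', '"
         . $db->real_escape_string($title) . "');";
}

// 3. Prepared statement: the SQL text never contains request data at all,
//    so there is nothing to quote or escape. Returns the new row's id.
function insertActivityPrepared(mysqli $db, string $from, string $title): int
{
    $stmt = $db->prepare(
        "INSERT INTO `activity` (`from`, `what`, `text`) VALUES (?, 'upload', ?)"
    );
    $stmt->bind_param('ss', $from, $title);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Demonstration with a constructed title. The apostrophes land unescaped
// inside the quoted literal in variant 1, so that string is not valid SQL.
$title = "Rock 'n' Roll";
echo buildActivityInsertUnsafe('42', $title), "\n";

// Make mysqli throw on errors instead of failing silently, which is the
// "no error but no row" symptom the question describes.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $db->set_charset('utf8mb4');
    echo buildActivityInsertEscaped($db, '42', $title), "\n";
    echo "inserted activity id ", insertActivityPrepared($db, '42', $title), "\n";
} catch (mysqli_sql_exception $e) {
    echo "database step skipped: ", $e->getMessage(), "\n";
}
```

With `MYSQLI_REPORT_STRICT` a failed connection or a failed INSERT throws, so the script never reaches `echo "1"` pretending the upload was recorded; that is also what the `ini_set`/`error_reporting` lines in the first answer make visible for the old mysql_* calls.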
+1  A: 

What is really wrong is: your code is totally insecure. You sanitize POST data only using JavaScript and place it into your SQL query? Anybody can EASILY inject some custom SQL code and do really bad things to your database. Never ever rely on any HTTP data (be it GET, POST or anything else) being secure.

I know you are new to PHP, so I honestly encourage you, for the sake of your customer, your project or anyone using your code, before you do anything else, to sanitize your POST data with PHP before using it within SQL queries. Please.

There is even an article on Wikipedia on it; it is a huge mistake newbies make, with huge consequences, which is quite easy to prevent.

http://en.wikipedia.org/wiki/SQL_injection

http://www.smashingmagazine.com/2009/03/24/10-useful-php-tips-revisited/ (Tip 1)

Nils Riedemann
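The upload handler from the question rewritten so that nothing taken from the request reaches the filesystem path or the SQL text unchecked, as an added example that is not the asker's code or any answer's. Beyond the SQL point this answer makes, it also validates the upload itself (a real upload, size, content type rather than the last three letters of the name) and restricts `$_POST['folder']` to an allowlist, because the question builds the target path from it directly. Assumed: mysqli, the `Music` and `activity` tables from the question (the `rand` column, whose value `$ras` is never set in the question, is left out), placeholder credentials and a made-up folder allowlist.

```php
<?php
// Added example (not the asker's code): hardened version of the upload handler.
// Assumed: mysqli, the question's `Music`/`activity` tables, placeholder DB
// credentials, and an allowlist of upload folders that the real site would define.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw, never silently pass

const ALLOWED_FOLDERS = ['/music/uploads', '/music/demos']; // assumed allowlist
const MAX_BYTES = 20 * 1024 * 1024;

function fail(string $msg): void
{
    http_response_code(400);
    echo 'ERROR: ', htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

// The file must come from this request, be within limits, and actually be
// MP3 by content, not just by the client-chosen name.
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        fail('upload failed with code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        fail('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        fail('file too large');
    }
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'mp3') {
        fail('your file was not an mp3');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['audio/mpeg', 'audio/mp3'], true)) {
        fail('file content is not MP3');
    }
    return $file['tmp_name'];
}

// The client may only pick a folder from the allowlist; the path is never
// assembled from raw request text, which rules out "../" traversal.
function resolveFolder(string $requested): string
{
    if (!in_array($requested, ALLOWED_FOLDERS, true)) {
        fail('unknown folder');
    }
    return rtrim($_SERVER['DOCUMENT_ROOT'], '/') . $requested . '/';
}

if (!empty($_FILES['Filedata'])) {
    $tmp       = validateUpload($_FILES['Filedata']);
    $requested = $_POST['folder'] ?? '';
    $folder    = resolveFolder($requested);
    $title     = trim($_POST['title'] ?? '');
    $tags      = trim($_POST['tag'] ?? '');
    $artist    = trim($_POST['artist'] ?? '');
    $userId    = filter_var($_POST['i'] ?? '', FILTER_VALIDATE_INT);
    if ($userId === false || $title === '') {
        fail('missing or invalid fields');
    }

    // Server-generated name: random, so two uploads in the same second cannot
    // collide the way time() does, and the client never influences it.
    $name = bin2hex(random_bytes(8)) . '.mp3';
    if (!move_uploaded_file($tmp, $folder . $name)) {
        fail('could not store file');
    }
    $relative = $requested . '/' . $name; // web-relative path stored in the DB

    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $db->set_charset('utf8mb4');
    $db->begin_transaction();
    try {
        $stmt = $db->prepare(
            "INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `album`, `i`, `artist`)
             VALUES (?, ?, ?, 0, 1, 1, ?, ?)"
        );
        $stmt->bind_param('sssis', $relative, $title, $tags, $userId, $artist);
        $stmt->execute();
        $musicId = (int) $db->insert_id; // no SELECT-by-filename round trip needed

        $stmt = $db->prepare(
            "INSERT INTO `activity` (`from`, `what`, `text`) VALUES (?, 'upload', ?)"
        );
        $stmt->bind_param('is', $userId, $title);
        $stmt->execute();
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        unlink($folder . $name);                                  // no orphan file
        error_log('upload insert failed: ' . $e->getMessage());   // log, don't echo
        fail('could not record upload');
    }
    echo '<id>', $musicId, '</id>';
}
echo '1';
```

The two inserts run in one transaction, so a failure in the `activity` insert cannot leave a `Music` row without its activity entry, and the stored file is removed on any database failure; the id comes from `insert_id`, which avoids the question's second query that re-selects the row by file name.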