This question already has an answer here:
Can PHP PDO Statements accept the table or column name as parameter?
Can I parameterize the table name in a prepared statement?
Three issues with the code:
PDO prepare takes care of the escaping and quotes.
`VALUES ('', ':title', ':by_information', ':short', ':long_information', ':email', ':filename', ':filetarget', ':filename2', ':filetarget2', 'false'");`
The issue here is that if you define a param as a string (`PDO::PARAM_STR`), the values are double quoted with single quotes. Instead do this:
`VALUES ('', :title, :by_information, :short, ....");`
Don't insert an ID, this should be set on auto increment and is done automatically.
`'INSERT INTO table (title, ...'`
Also, backticks (``) are used to let the database driver know that this value is a name and is not to be used as a reserved keyword. In other words, they are entirely obsolete in this query.
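As an added example (not part of the answer above), the quoted-placeholder mistake next to the corrected form, run against an in-memory SQLite database with a made-up `posts` table; the table and column names are assumptions, not the asker's schema:

```php
<?php
// Added example: why quoting a placeholder turns it into a string literal,
// and the corrected statement. Uses SQLite in memory so no server is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use the driver's native prepared statements rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Hypothetical table. The id is auto-assigned, so it is never supplied in INSERT.
$pdo->exec('CREATE TABLE posts (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT NOT NULL,
    email TEXT NOT NULL
)');

// Wrong: ':title' inside single quotes is a plain string literal, not a
// placeholder. Executing it stores the text ":title" instead of user data.
$wrong = "INSERT INTO posts (title, email) VALUES (':title', ':email')";
$pdo->prepare($wrong)->execute();

// Correct: bare placeholders; PDO quotes and escapes the bound values itself,
// so quote characters in the data cannot alter the statement.
$right = "INSERT INTO posts (title, email) VALUES (:title, :email)";
$stmt = $pdo->prepare($right);
$stmt->execute([
    ':title' => "O'Reilly's \"guide\"",   // constructed sample input
    ':email' => 'author@example.com',
]);

// Show both rows: the literal ":title" from the wrong form and the real value.
foreach ($pdo->query('SELECT id, title FROM posts ORDER BY id') as $row) {
    printf("id=%d title=%s\n", $row['id'], $row['title']);
}
```

The first printed row shows the literal `:title`, the second the bound value stored verbatim with its quotes intact.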