Hi everyone, currently im working on a script/form with the following fields: Image Title - Text Input Image - File/Browse Input Upon submission I want the following things to happen: Image Title is POSTed and inserted into MySQL Database Image file is uploaded to server Image file name is retrieved and inserted to MySQL Database Currently, I have 2 out of 3 things accomplished, the only one I am having problems with is the Image file name being inserted to MySQL DB. Here is my script.. MySQL COnnect String and other tags up here... if(isset($submit_button)){ if ($_FILES['PhotoFile']['type'] == "image/gif"){ copy ($_FILES['PhotoFile']['tmp_name'], "../../images/pictures/".$_FILES['PhotoFile']['name']) or die ("Could not copy"); } else { echo "<br><br>"; echo "Could Not Copy, Wrong Filetype (".$_FILES['PhotoFile']['name'].")<br>"; } $PhotoFilen = $_FILES['PhotoFile']['name']; $PhotoTitle = $_POST['PhotoTitle']; $PhotoFilename = $_POST['$PhotoFilen']; $query = "INSERT INTO pictures VALUES('','$PhotoFilename','$PhotoTitle')"; mysql_query($query) or die(mysql_error()); mysql_close(); } ?> <form method="POST" action="index.php" enctype="multipart/form-data"> <table border="1" cellpadding="7" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1"> <tr> <td width="16%" align="right">Photo Title</td> <td width="84%"> <input type="text" name="PhotoTitle" size="20"></td> </tr> <tr> <td width="16%" align="right">Photo</td> <td width="84%"> <input type="file" name="PhotoFile"></td> </tr> <tr> <td width="16%" align="right"> </td> <td width="84%"> <input type="submit" value=" Register " name="submit_button"></td> </tr> </table> </form> </body> </html> ?> <form method="POST" action="index.php" enctype="multipart/form-data"> <table border="1" cellpadding="7" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1"> <tr> <td width="16%" align="right">Photo Title</td> <td width="84%"> <input type="text" name="PhotoTitle" size="20"></td> </tr> <tr> <td width="16%" align="right">Photo</td> <td width="84%"> <input type="file" name="PhotoFile"></td> </tr> <tr> <td width="16%" align="right"> </td> <td width="84%"> <input type="submit" value=" Register " name="submit_button"></td> </tr> </table> </form> </body> </html> PHP: As you can see the var $PhotoFilen is trying to pull the name from PhotoFile but that field in my DB ends up blank... Any help in figuring that out would be much appreciated Also, if anyone knows how I could replace spaces in filenames in that script, I would appreicate that as well, I know it should use str_replace but I im not sure where..
It's not that hard to find the source of the error, just trace back from your SQL query. You are inserting $PhotoFilename into the DB, which is set as $_POST['$PhotoFilen'], but there is no such field in your form so it's always going to be null. Just use $PhotoFilename = $_FILES['PhotoFile']['name']. As for spaces, use urlencode().
Awesome, Thanks Penagate... I did have one issue with the urlencode() function, it would put + where spaces were which once clicked would come up with a 404 saying it couldnt find the picture... Example. urlencoded url: I+Swan.JPG would throw up a 404, the pictures name is I Swan.JPG
Oh, I forgot about that. Use rawurlencode() instead. Bear in mind, only use that when outputting the URL to the file in the HTML code. No need to alter the file names server-side.
You should really put some checks in your script to check the data that is coming from the form. The way it is now it is open to an SQL injection attack IMHO. A quick search on Google will help. http://www.google.com/search?hl=en&lr=&q=SQL+injection+prevention+in+php&btnG=Search
Assuming magic quotes is on, it's not too bad. But assumption is the mother of all... you get the gist. For proper avoidance of SQL injection, use a proper database API, such as PEAR::MDB2 on PHP 4 and PDO on PHP 5; these support parameterised queries which avoids the SQL injection issue altogether.
I understand that this form would leave me open to SQL Injection attacks but this form isnt going to be a public. Its going in an Admin area for a clien to add photos and a short title for each picture. How safe is htaccess a directory with a password?