It inserts an empty query even though all variables are set

[pixy]

I'm completely lost at this. This is my first time using a file-upload script, so bear with me.

Whenever I submit this, I get a huge error message which shows me all the arrays that are set. So I look at the query that is run, and it says something like:

INSERT INTO table (column, column2, column3) VALUES ('', '', '');

Even though I know all variables are set. Can anyone help here? This is the code I wrote:

[code]
<?php

// Date: July 24, 2006
// Description: Add a new Shop

$page_title = 'Add a New Item';

session_start();
$user = $_SESSION['user'];
$user_id = $_SESSION['id'];

// Includes header + database variables + Stuff
require_once('config.inc.php');
require_once('connect.php');
include('functions.php');
include('header.php');

loggedin();
if ($user !== 'lifeonmars') {
echo 'You are not allowed to use administrative tools.';
include('footer.php');
die();
}

if (isset($_POST['submitted'])) {
$errors = array();
if (!empty($_FILES['upload'])) {
$allowed = array('images/gif');
if (in_array($_FILES['upload']['type'], $allowed)) {
$image = "../items/{$_FILES['upload']['name']}";
if (move_uploaded_file($_FILES['upload']['tmp_name'], "$image")) {
echo 'File uploaded!';
}
else {
switch ($_FILES['upload']['error']) {
case 1:
print 'The file exceeds the upload_max_filesize setting in php.ini.';
break;
case 2:
print 'The file exceeds the MAX_FILE_SIZE setting in the HTML form.';
break;
case 3:
print 'The file was only partially uploaded.';
break;
case 4:
print 'No file was uploaded.';
break;
case 6:
print 'No temporary folder was avaliable.';
break;
default:
print 'A system error occured.';
break;
}
}
}
else {
echo 'Image must be in GIF Format.';
unlink($_FILES['upload']['tmp_name']); // Deletes the file
}
if (empty($_POST['name'])) {
$errors[] = 'You did not specify a name for the item.';
}
else {
$name = escape_data($_POST['name']);
}
if (empty($_POST['descr'])) {
$errors[] = 'You did not supply an item description.';
}
else {
$desc = escape_data($_POST['descr']);
}
if (empty($_POST['value'])) {
$errors[] = 'You did not supply a value!';
}
else {
$val = escape_data($_POST['value']);
}
if (empty($_POST['rarity'])) {
$errors[] = 'You did not specify the rarity for this item.';
}
else {
$rarity = escape_data($_POST['rarity']);
}
if (empty($_POST['who_own'])) {
$errors[] = 'You did not specify who can own this item.';
}
else {
$who = escape_data($_POST['who_own']);
}
}
else {
echo 'Please upload a file';
}
if (empty($errors)) { // No problems with the upload...
$query = "INSERT INTO items (name, descr, value, rarity, image, who_own) VALUES ('$name', '$desc', '$val', '$rarity', '$image', '$who')";
$result = mysql_query($query) or die(mysql_error());
if ($query) {
echo 'The item '.stripslashes($name).' has been added sucessfully!';
}
else {
echo mysql_error();
}
}
else {
foreach ($errors as $msg) {
echo '<li> '.$msg.'</li>';
}
}
}
?>
<form action="<?php echo $file; ?>" method="post" type="multipart/form-data">
<table border="0" class="Tablestyledark" align="center" valign="top" cellpadding="7px" cellspacing="7px">
<tr><td align="center" colspan="2"><div class="title">Add a new item</div></td></tr>
<tr><td class="tablestylelight"><b>Item Name:</b></td><td class="tablestylelight"><input type="text" name="name"></td></tr>
<tr><Td class="tablestylelight"><b>Item Description:</b></Td><td class="tablestylelight"><textarea name="Descr" rows="5" cols="25"></textarea></td></tr>
<tr><td class="tablestylelight"><b>Upload Image</b></td><td class="tablestylelight"><input type="file" name="upload"></td></tr>
<tR><td class="tablestylelight"><b>Rarity:</b></td><td class="tablestylelight"><input type="text" size="3" maxlength="3" name="rarity"> %</td></tR>
<tr><td class="tablestylelight"><b>Value:</b></td><td class="tablestylelight"><input type="text" name="value" size="10"></td></tr>
<tr><td class="tablestylelight"><b>Who can own it?</b></td><td class="tablestylelight"><input type="radio" name="who_own" value="1"> Students Only<br>
<input type="radio" name="who_own" value="2"> Adults Only<br>
<input type="radio" name="who_own" value="3"> Everyone</td></tr>
<tr><td class="tablestylelight" colspan="2"><center><input type="submit" name="submit" value="Create Image"></center></td></tr>
</table>
<input type="hidden" name="submitted" value="TRUE">
</form>
<?php
include('footer.php');
?>
[/code]

[Barand]

A couple of errors I spotted so far

$allowed = array('image[color=red]s[/color]/gif');  #<<< remove the 's'


<form action="<?php echo $file; ?>" method="post" [color=blue]enc[/color]type="multipart/form-data">


Your textarea name is "Descr" but you check for $_POST['descr'].

If I create a dummy function

function escape_data($str) {return $str;}

the query is created OK so the problem could be in your escape_data() function. eg is it returning a value?

[pixy]

The escape_data() function has never caused problems before. Basically it only checks to see if magic quotes is on so that it doesn't over-escape data.

I'll fix all of those things and edit this. Thanks for your reply.

[pixy]

I fixed all that stuff and STILL get errors. This is what it's giving me:

(for easier reference, line 97 is the line with my query and line 100 is where I echo a sucess message.)

PART ONE:

Please upload a fileAn error occured in script 'C:\wamp\www\Wizarding World\admin_add_item.php' on line 97:

[b]EDITED BY akitchin:  too much output[/b]

[pixy]

PART TWO:
An error occured in script 'C:\wamp\www\Wizarding World\admin_add_item.php' on line 97:

[b]EDITED BY akitchin:  too much output[/b]

[akitchin]

for the love of god, please paste this var info into a text file and post a link to it.

without knowing what type of error is being produced, it will be difficult to say what the problem is (not to mention without seeing the updated script itself).

[pixy]

I said the error! Its inserting an empty query into the database. It's STILL doing that and I made the exact changes that were recommended.

Sorry about the huge texts, but I don't have anywhere to upload it...

[akitchin]

i've edited the posts to remove all that content - it's unnecessary.

you've got a logic flaw.  you're checking if the $errors array is empty to see if you should run the query.  it will be empty if they user hasn't entered a file to be uploaded, since you don't do anything with it.  that's why you're getting "Please upload a file" IMMEDIATELY followed by an error.  it is echoing your error, and then trying to process the query.

rather than just using the $errors array to track whether an error occurred, i would suggest using a TRUE/FALSE flag to say whether there really was an error or not.