File uploading

[NeMoD]

I'm attempting to make a form where you upload an item with an image, it returns "Query Finished" but the file never gets uploaded and the database never gets updated  ???

 

<? 
//initilize PHP

if($_POST['submit']) //If submit is hit
{
   //then connect as user
   $conn = mysql_connect("********", "********", "********") or die(mysql_error());

   //select db
mysql_select_db('********', $conn) or die(mysql_error());

   //convert all the posts to variables:
   $category = $_POST['category'];
   $name = $_POST['name'];
   $product_id = $_POST['product_id'];
   $image = $_FILES['image'];

$uploadfile = $_SERVER['DOCUMENT_ROOT']."/images/uploads/" . $_FILES['image']['name'];

if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {

	   //Insert the values into the correct database with the right fields
	   $result=MYSQL_QUERY("INSERT INTO product_listing (id,category,name,product_id,price,description,cur_timestamp,image,)".
		  "VALUES ('NULL', '$category', '$name', '$product_id', 'NULL', 'NULL', 'NULL', '$uploadfile')"); 

		//confirm
	   echo 'Query Finished. Return <a href="./index.php">Home</a>'; 
} else {
	echo "Possible file upload attack!\n";
	echo 'Here is some more debugging info:';
		print_r($_FILES); echo '</br>';
		print_r($uploaddir); echo '</br>';
		print_r($uploadfile); echo '</br>';
}

}	else
{
?>
<form method="post" action="add.php" enctype="multipart/form-data">
<TABLE>
<TR>
   <TD>Category:</TD>
   <TD><INPUT TYPE='TEXT' NAME='category' VALUE='' size=60></TD>>
</TR>
<TR>
   <TD>Name:</TD>
   <TD><INPUT TYPE='TEXT' NAME='name' VALUE='' size=60></TD>
</TR><br>
<TR>
   <TD>Product ID:</TD>
   <TD><INPUT TYPE='TEXT' NAME='product_id' VALUE='' size=60></TD>
</TR>
<TR>
   <TD>Image:</TD>
   <TD><input name="image" type="file"></TD>
</TR>
<TR>
   <TD></TD><br>
   <TD><INPUT TYPE="submit" name="submit" value="submit"></TD> 
</TR>
</TABLE>
</form>

<?
} //close the else statement
?>

[PFMaBiSmAd]

The query contains at least one syntax error and one other usage problem that is preventing it from executing. Your code is also declaring 'Query Finished' without actually checking if the query worked.

 

You have an extra comma after image, in your query and 'NULL' is the string 'NULL', not the NULL keyword. Remove the single-quotes around NULL.

 

For an INSERT query, the $result variable in your code will either be TRUE or FALSE and you should always test it -

if($result){
    //confirm
     echo 'Query Finished. Return <a href="./index.php">Home</a>';
} else {
    echo "INSERT query failed: " . mysql_error(); // for debugging, show why the query failed
}

[HPWebSolutions]

Hi NeMoD,

Exactly what error are you getting?  Please post what you see when you click the submit button.  The script is working fine for me, other than the db insert which I didn't use.  Double and triple check that the $uploadfile path is correct and that you have write permissions for the directory and make sure the filename for the form is add.php as you have written in your opening form tag. 

 

Somewhat related, you may want to read up on secure file uploading at http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/ if this is going to be an internet facing web form.

[NeMoD]

You have an extra comma after image, in your query and 'NULL' is the string 'NULL', not the NULL keyword. Remove the single-quotes around NULL.

Ok, it works now, thanks a ton!

 

[quote author=HPWebSolutions link=topic=258367.msg1215780#msg1215780 date=1246124696

Somewhat related, you may want to read up on secure file uploading at http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/ if this is going to be an internet facing web form.

Thanks for the link, will give it a read