Derby Artists Posted September 30, 2009 Share Posted September 30, 2009 Hi, I built this site, www.derbyartists.co.uk, and within 2 days of it going live it is causing problems....i have done local advertising etc and th site got hit more than I ever imagined. What I want to do is create php processor to take the sign up form to my sql database and automate an email reponse to the sender saving me loads of time. I have been playing with php script on a test page and have come up with the following Here is the processor code <?php $target = "image/"; $target = $target . basename( $_FILES['upload']['name']); $name=$_POST['name']; $email=$_POST['email']; $phone=$_POST['phone']; $upload=($_FILES['upload']['name']); mysql_connect("", "", "") or die(mysql_error()) ; mysql_select_db("derbyartists_co") or die(mysql_error()) ; mysql_query("INSERT INTO `test` VALUES ('$name', '$address', '$email', '$upload')"); if(move_uploaded_file($_FILES['upload']['tmp_name'], $target)) { echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory"; } else { echo "Sorry, there was a problem uploading your file."; } ?> This does upload the image into my image folder on the server but it doesnt put anything in the mysql database. Any help would be greatky aooreiated Quote Link to comment Share on other sites More sharing options...
cags Posted September 30, 2009 Share Posted September 30, 2009 Do you get an error message displayed, or does it just fail to insert into the db? Is the name of the table in your database test? How many columns are their in test, what are the column types? I highly recommend you edit that last post ASAP and remove your details from mysql_connect() and mysql_select_db Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted September 30, 2009 Author Share Posted September 30, 2009 Hi ooopps sorry just copied it from DW without thinking, no error messages at all in fact it says its been upload correctly. The columns are id, name, address, email, upload Id is set to INT auto and yes the name of the db is called test, do you know if it could be something I am doing database side. And your right it is not uploading any info into the database. Just the images into image folder. Quote Link to comment Share on other sites More sharing options...
cags Posted September 30, 2009 Share Posted September 30, 2009 Sounds like the problem is due to your table having 5 columns and your VALUES () section only having 4, this is fine, but you need to specify which columns they are. <?php mysql_query("INSERT INTO `test` (`name`, `address`, `email`, `upload`) VALUES ('$name', '$address', '$email', '$upload')"); ?> Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted September 30, 2009 Author Share Posted September 30, 2009 Thanks for that will try it in a minute, you said I only have 4 categories but I put "id" "name" "address" "email" "upload" should I not count the id and how important will the "id" be to me with what I want to do. I have very very little knowledge of php mysql so you are talking to layman on the subject....finding it a little easier than I thought and Im quite a quick learner. I take it I am doing the right thing of putting the uploaded images to a seperate folder on my server, but how do I match these up with the people who have uploaded them. Quote Link to comment Share on other sites More sharing options...
Maq Posted September 30, 2009 Share Posted September 30, 2009 You should also be escaping your POST values with mysql_real_escape_string, to prevent SQL injections. Quote Link to comment Share on other sites More sharing options...
cags Posted September 30, 2009 Share Posted September 30, 2009 As I said you have 5 columns, but your only inserting 4 with your INSERT code. I'm assuming your `id` field is set to auto increment, so you don't need to explicitly insert it. If you are not inserting a value for every field you do need to inform MySQL which columns your updating. Hence the code I suggested. As far as putting the file in a folder, yes, definately the right thing to do. If you need to match it up with who uploaded it, You'd track it using a table in your database. Without knowing full project details it's hard to know the exact format. But you could have a table for users (which stores id, username, etc, etc) and a column for uploads which would have (id, uploader_id, file_uri). It all depends what your going for. Quote Link to comment Share on other sites More sharing options...
otuatail Posted September 30, 2009 Share Posted September 30, 2009 if you have 5 columbs in the table is ID AUTO INSERT if not it will be required. Desmond. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Thanks Cags works a treat?? Maq like I said I am a layman so "You should also be escaping your POST values with mysql_real_escape_string(), to prevent SQL injections." This means nothing to me, it would be nice to know where I would put this. Cags you mentioned a table for the file uploads, sorry if I sound stupid but isnt it a table I already have ie "name" etc and you mention "and a column for uploads which would have (id, uploader_id, file_uri)". I dont understand this bit, how can 1 column have more than one thing in it. Thanks for any help again people Quote Link to comment Share on other sites More sharing options...
cags Posted October 1, 2009 Share Posted October 1, 2009 Basically what Maq was suggesting is that you have your code something like... <?php $sql = sprintf("INSERT INTO `test` (`name`, `address`, `email`, `upload`) VALUES ('%s', '%s', '%s', '%s')", mysql_real_escape_string($name), mysql_real_escape_string($address), mysql_real_escape_string($email), mysql_real_escape_string($upload)); mysql_query($sql) or trigger_error("Query Error: " . mysql_error(), E_USER_ERROR); ?> Looks a bit complicated, but basically sprintf is a function that will insert everything after the first paramter into the first parameter in position of special keywords in this case we have used %s, meaning it's of type string. So the 2nd-5th paramaters will be inserted into the first in place of the %s's. Technically speaking you can do what he suggested without sprintf, I just think it makes it easier to follow. The mysql_real_escape_string takes a string and replaces all MySQL special characters with the special character preceded by a backslash (so for example it will replace ' with \'). If you don't do this your site will be vulnerable to several types of sql injection attacks. With regards to my last post, that should have said "and a table for uploads", it was a typo, as you say 1 column should only contain one value. Cags you mentioned a table for the file uploads, sorry if I sound stupid but isnt it a table I already have ie "name" etc I have no idea, alas my crystal ball is in for a service so I can't automatically divine what is stored in a table based on a column name of one word. Note: If somebody mentions a function you don't understand, look it up on php.net, you will answer many of your own questions. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Thanks Cags, but where in the code does this go. does it just go below all the code I already have. Also Cags when someone uploads the files it goes to a seperate screen saying, your file has been uploaded etc....How can I stop it from going to another page and just open a little 200x200 window stating its been uploaded etc. Thanks for all your help on this one Quote Link to comment Share on other sites More sharing options...
cags Posted October 1, 2009 Share Posted October 1, 2009 If you can't work out where it goes, then I have to say your understanding is probably not going to be what is required to make anything any more complicated than you have. Just looking at the line of code should make it fairly obvious where in your code it goes. We create a query string, then send the query string to the database. The code replaces your current call of mysql_query as it essentially does exactly the same thing only more securely. From what I can see of the code you have. The form POSTs to a seperate page which then processes the data and outputs success or failure. To stop it going to another screen you could self POST and process the information on the same page or you could redirect back after success. In order to make a pop-up window of a specifc size (something which I actually hate) you will probably have to use JavaScript as PHP cannot directly control the users browser. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Stupid me, with being new to php etc I just see code and panic. so after sitting back and reading then I think this is right instead of mysql_query("INSERT INTO `test` VALUES ('$name', '$address', '$email', '$upload')"); I put $sql = sprintf("INSERT INTO `test` (`name`, `address`, `email`, `upload`) VALUES ('%s', '%s', '%s', '%s')", mysql_real_escape_string($name), mysql_real_escape_string($address), mysql_real_escape_string($email), mysql_real_escape_string($upload)); mysql_query($sql) or trigger_error("Query Error: " . mysql_error(), E_USER_ERROR); Ok ditched the idea of a pop up, if they are annoying to the user so where it says echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory"; } can i have something like echo "success.htm" to go back to another page the same as my home page but with a message saying "thank you complete" Thanks again Quote Link to comment Share on other sites More sharing options...
cags Posted October 1, 2009 Share Posted October 1, 2009 Exactly. This is how I would do it... <?php if(isset($_POST['submit'])) { // process information and upload to mysql here (like the code we've been discussing) if(move_uploaded_file($_FILES['upload']['tmp_name'], $target)) { $feedback = "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory"; } else { $feedback = "Sorry, there was a problem uploading your file."; } } ?> <!-- the header / heading etc of your document here --> <?php if(isset($feedback)) { echo $feedback; } ?> <form action="" method="post"> <!-- your form info here, this is an example --> <input type="hidden" name="submit" value="1" /> <input type="submit" /> </form> <!-- footer/ rest of page here --> Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Thanks Cags, I am at work later so I intend to make the proper page and if I get stuck will give you a shout mate. Thank you so so much, I have learnt a great deal just from this post. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Here is where I am at <?php $target = "image/"; $target = $target . basename( $_FILES['upload']['upload1']['name']); $name=$_POST['name']; $address=$_POST('address']; $address1=$_POST('address1']; $city=$_POST('city']; $postcode=$_POST('postcode']; $telephone=$_POST('telephone']; $mobile=$_POST('mobile']; $email=$_POST['email']; $upload=($_FILES['upload']['name']); $upload1=($_FILES['upload1']['name']); $bio=$_POST['bio']; mysql_connect("", "", "") or die(mysql_error()) ; mysql_select_db("derbyartists_co") or die(mysql_error()) ; &sql = sprintf("INSERT INTO `signup` (`name`, `address`, `address1`, `city`,`postcode`,`telephone`,`mobile`,`email`,`upload`, `upload1`,`bio`) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", mysql_real_escape_string($name), mysql_real_escape_string($address), mysql_real_escape_string($address1), mysql_real_escape_string($city), mysql_real_escape_string($postcode), mysql_real_escape_string($telephone), mysql_real_escape_string($mobile), mysql_real_escape_string($email), mysql_real_escape_string($upload), mysql_real_escape_string($upload1), mysql_real_escape_string($bio)); mysql_query($sql) or trigger_error("Query Error: " . mysql_error(), E_USER_ERROR); if(move_uploaded_file($_FILES['upload''upload1']['tmp_name'], $target)) { echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory"; } else { echo "Sorry, there was a problem uploading your file."; } ?> And I am now getting an error message of Parse error: syntax error, unexpected ']' in /customers/derbyartists.co.uk/derbyartists.co.uk/httpd.www/php/signup1.php on line 7 Thanks again Quote Link to comment Share on other sites More sharing options...
Maq Posted October 1, 2009 Share Posted October 1, 2009 Well look at your $_POSTs, you're using a parenthesis and a square bracket. You should be using square brackets. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Thanks Maq sorted the brackets now I am getting Parse error: syntax error, unexpected '&' in /customers/derbyartists.co.uk/derbyartists.co.uk/httpd.www/php/signup1.php on line 18 Line 18:- &sql = sprintf("INSERT INTO `signup` (`name`, `address`, `address1`, `city`,`postcode`,`telephone`,`mobile`,`email`,`upload`, `upload1`,`bio`) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", Could you also tell me if this is correct, the user is required to upload 2 files, and I dont know if this will cause any problems if(move_uploaded_file($_FILES['upload''upload1']['tmp_name'], $target)) { Should this be ['upload']['upload1'] Quote Link to comment Share on other sites More sharing options...
cags Posted October 1, 2009 Share Posted October 1, 2009 Firstly the first problem is fairly obvious if you actually read the error message. Unexpected ampersand, so we look through the line for an ampersand, oooh, look one right at the start. Hmm.. thats a variable, I wonder what character that should be.... Secondly, no that doesn't make any sense. If you want to move both files, and one file input node has the name upload and the other has the name upload 1, then you would be more along the lines of... if(move_uploaded_file($_FILES['upload']['tmp_name'], $target) && move_uploaded_file($_FILES['upload1']['tmp_name'], $target2)) { } That may not be 100% I've not worked with files in months. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Thanks cags, I noticed you put $target2 so shouldnt the top 2 lines be different This is what it is at the minute $target = "image/"; $target = $target . basename( $_FILES['upload'][upload1]['name']) should it be $target = "image/"; $target = $target . basename( $_FILES['upload']['name']) $target2 = "image/"; $target2= $target . basename( $_FILES['upload1']['name']) Without getting impatient with me, I did read the code and understood that their was "&" their but I really have got no idea what to put in its place. Quote Link to comment Share on other sites More sharing options...
Maq Posted October 1, 2009 Share Posted October 1, 2009 Without getting impatient with me, I did read the code and understood that their was "&" their but I really have got no idea what to put in its place. These errors are very basic mistakes, and it is irritating that you're trying to perform something such as uploading files when you don't even know the fundamentals yet. I suggest you read the manual and some tutorials on the basics before proceeding. To answer your question, you need to replace the ampersand with '$', it is a variable. Quote Link to comment Share on other sites More sharing options...
cags Posted October 1, 2009 Share Posted October 1, 2009 Well lets put it this way, you said they have to upload two files, you can't store them as the same filename can you? They'd overwrite each other. Without getting impatient with me, I did read the code and understood that their was "&" their but I really have got no idea what to put in its place. If you don't understand what character should be there you really need to go back to basics and learn PHP, otherwise your going to be doing absolutely nothing but posting problems on here, and it won't take long for people to become impatient. Many of the questions your asking are far beyond what I'd consider the difficultly of knowing what that character should be. If you don't get the basics like that down, your unlikely to get anywhere without people essentially spoon feeding code to you. As tempted as I am to not tell you what it should be, I guess I will this once. sql is a variable, all variables in PHP must begin with a dollar sign. I'm sorry if any of that sounds too harsh, thats not my intention, I'm just pointing out that knowing a variable should begin with a dollar sign should be one of the first things you learnt. Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 I have took your advice and done a couple of tutorials and read up a little, which I will continue doing later tonight when I get in. I have the form working now and uploading correctly with correct file names etc, the trouble I am having now is when I retrieve the data using retrieve.php I get all the info but I want it to show the images, it just shows red crosses, if i look at the source page it picks up the names of the images but just doesnt display them. { Echo "<img src=www.derbyartists.co.uk/php/image/".$info['upload']."> <br>"; Echo "<img src=www.derbyartists.co.uk/php/image/".$info['upload1']."> <br>"; Echo "<b>Name:</b> ".$info['name'] . "<br> "; Echo "<b>Address:</b> ".$info['address'] . "<br> "; Echo "<b>Address1:</b> ".$info['address1'] . "<br> "; Echo "<b>City:</b> ".$info['city'] . "<br> "; Echo "<b>Postcode:</b> ".$info['postcode'] . "<br> "; Echo "<b>Telephone:</b> ".$info['telephone'] . "<br> "; Echo "<b>Mobile:</b> ".$info['mobile'] . "<br> "; Echo "<b>Email:</b> ".$info['email'] . " <br>"; Echo "<b>Bio:</b> ".$info['bio'] . " <hr>"; } ?> Thanks in advance Quote Link to comment Share on other sites More sharing options...
cags Posted October 1, 2009 Share Posted October 1, 2009 Try... <?php echo '<img src="htp://www.derbyartists.co.uk/php/image/'.$info['upload'].'" /> <br />'; echo '<img src="http://www.derbyartists.co.uk/php/image/'.$info['upload1'].'" /> <br />'; ?> It's a more 'best practice' version (god that's bad English). It may well not work though, if it doesn't, are you sure the path is correct? Quote Link to comment Share on other sites More sharing options...
Derby Artists Posted October 1, 2009 Author Share Posted October 1, 2009 Thanks Cags, sorted, see how your trying to catch me out with the missing "t" in http, but thank you so much for helping me get this one mate. Note to Maq.... I find your replies a little unfair, although I agree that you should read, try and understand before you post on forums if you read the post you will see I have tried I didnt come here with no code, and if you also read the post correctly I did mention that I was "LAYMAN" and NEW to PHP, we all need to start somewhere. I hope people were a little more helpful when you were on the steep learning curve. I will enlighten you into the 3 different learning styles Visual...People who learn from reading/watching Auditory....People who learn by listening Kinesthetic...People who learn by doing I come into a Kinesthetic learner, I will play with the script and if I get stuck after a few hours I will ask the question, if at any point you found me irritating, my response is "I didnt personally ask you to answer the question", if people irritate you stay away from their post, half the reason for forums is to help people at all stages of development, not just people with the same knowledge on the subject as yourself. My current job is a technical trainer with Audi, and if my superiors found that I told my students they were irritating because they couldnt pick the basic firing order of an engine then I would no longer be in a job. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.