Why is this upload code only returning the tmp filename in the MySQL database?

[simcoweb]

This was working fine until I added a bit of code to do some form validation via CAPTCHA. I didn't touch the queries or any of the database functions, however. But, for some reason now instead of the file name of the image being inserted i'm getting the /tmp name.

[code]<?php
ob_start();
session_start();
// Turn on magic quotes to prevent SQL injection attacks
if(!get_magic_quotes_gpc())
set_magic_quotes_runtime(1);

if (isset($_POST['submit'])) {
// clean and check form inputs including the secure image code
    $username = trim(strip_tags($_POST['username']));
    $email = trim(strip_tags($_POST['email']));
    $password = trim(strip_tags($_POST['password']));
    $confirmPass = trim(strip_tags($_POST['confirmPass']));
    $secure = strtoupper(trim(strip_tags($_POST['secure'])));
    $match = $_SESSION['loggedin']; // the code on the image

// input error checking
    if ($username=="") {
        $err.= "Please provide a username<br/>";
    }
    if (!$email) {
        $err.= "Please provide your email address<br>";
    }
    if ($email) {
        if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
            $err.= $email. " is not a valid email address.<br/>";
        }
    }
    if ($password=="") {
        $err.= "Please provide password<br/>";
    }
    if ($confirmPass=="") {
    $err.= "Please confirm your password.<br/>";
}
if ($confirmPass != $password) {
  $err.= "Your passwords do not match. Please re-enter your passwords.";
}
    if (!$secure) {
        $err.= "No security code entered<br/>";
    }
    if (($secure!=$match) && ($secure!="")) {
        $err.= "Security code mismatch<br/>";
    }
    if ($err=="") {
    // success - input passed all tests
    include 'dbconfig.php';
// Connect to database
$eg_objConn1 = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $eg_objConn1);

  //check if username already exists
  $sql_user_check = "SELECT * FROM plateau_pros WHERE username='$username'";
      $result_name_check = mysql_query($sql_user_check);
      $usersfound = mysql_num_rows($result_name_check);
      mysql_query($sql_user_check);
     
// if user  found, note that and end
if ($usersfound > 0) {
    $eg_error['username'] = "Username $username is already in use. Please choose another username to continue.";
    } else {
     
// Upload File
$eg_success_File1 = false;
if(!empty($_FILES['photo']['name']))
{
// Check file is not larger than specified maximum size
$eg_allowUpload = $_FILES['photo']['size'] <= 100000 ? true : false;
// Check file is of the specified type
if($eg_allowUpload)
$eg_allowUpload = preg_match('/\\.(gif|jpg|jpeg|png)$/i', $_FILES['photo']['name']) ? true : false;

if($eg_allowUpload)
{
if(is_uploaded_file($_FILES['photo']['tmp_name']))
{
$eg_uploaddir = $_SERVER['DOCUMENT_ROOT']."/images/photo/";

$eg_uploadFile1 = $eg_uploaddir.rawurlencode($_FILES['photo']['name']);
// Create a unique filename for the uploaded file
$eg_i = 1;
while (file_exists($eg_uploadFile1))
{
$eg_separated_filename = explode(".",$eg_uploadFile1);
if (substr($eg_separated_filename[0],-1) == $eg_i)
{
$eg_separated_filename[0] = substr($eg_separated_filename[0], 0, (strlen($eg_separated_filename[0])-1));
$eg_i++;
}
$eg_separated_filename[0] = $eg_separated_filename[0] . "$eg_i";
$eg_uploadFile1 = implode(".",$eg_separated_filename);
}

$eg_success_File1 = move_uploaded_file($_FILES['photo']['tmp_name'], $eg_uploadFile1);
}

}

}

// Run query
$sql = "INSERT INTO `plateau_pros`(`username`, `password`, `confirmPass`, `firstname`, `lastname`, `email`, `business`, `title`, `address`, `city`, `zip`, `phone`, `fax`, `mobile`, `category`, `comments`, `specialties`, `photo`) VALUES ('$username', '$password', '$confirmPass', '$firstname', '$lastname', '$email', '$business', '$title', '$address', '$city', '$zip', '$phone', '$fax', '$mobile', '$category', '$comments', '$specialties', '$photo')";
mysql_query($sql) or die(mysql_error());
$newid = mysql_insert_id();
echo $sql;

// $sql2 = "INSERT INTO members_cat (`memberid`, `categoryid`) VALUES ('$newid', '$catid')";
// mysql_query($sql2) or die(mysql_error());

// $sql3 = "INSERT INTO specialties (`memberid`, `specialties`) VALUES ('$newid' '$specialties')";
// mysql_query($sql3) or die(mysql_error());

// set session ID and redirect to login page upon success
// Set Session Value
//$_SESSION['loggedin'] = @$_POST['username'];
// Go to page
header("Location: login.php");
exit;
}
}
}
?>[/code]


help?

[Barand]

You write the variable $photo to the table but I can't see it given a value anywhere

[simcoweb]

Barand, wouldn't that come from the $_POST of the form? I didn't post that code but basically it's parsing the form data to obtain the variables. All the other form elements are getting entered perfectly.

[Barand]

But having moved the uploaded file to $eg_uploadFile1, isn't that what you need to store?

[simcoweb]

Hmmm... is there a simple fix for this?

[Barand]

You shouldn't get a value in $_POST['photo'] if you are uploading a file.

Does your form tag have enctype="multipart/form-data"

If you run this script you'll see what I mean
[code]
<?php
if (isset($_POST['x']))  {
  echo "<h3>POST variables</h3>"; 
  echo '<pre>', print_r($_POST, true), '</pre>';
  echo "<h3>FILES[photo] variables</h3>"; 
  echo '<pre>', print_r($_FILES['photo'], true), '</pre>';
}
?>
<form method="post" enctype="multipart/form-data">
    Caption <input type="text" name="txt"> <br/>
    Photo <input type="file" name="photo"> <br/>
    <input type="submit" name="x" value="Upload">
</form>
[/code]

[simcoweb]

Hi Barand:

The form is enctype="multipart/form-data" and was previously working fine regarding the upload. I guess where i'm confused is your statement:

[quote]You shouldn't get a value in $_POST['photo'] if you are uploading a file.[/quote]

I'm inserting the name of the pic into a mysql database field ( 'photo' ) so I can bring it up in the page display later. If I don't assign it a value how do I get the name of the pic into that field?

[Barand]

Did you run that scriptlet ^

You will see that the input type=file, name=photo does not appear in the $_POST array.

The value you need to write to the database is the location of the file on the server. You are writing the value from $photo; you should be putting the value from $eg_uploadFile1, which is where you copied it to on the server.

[simcoweb]

Ok, ran the scriptlet. Here's the results:

[quote]POST variables

Array
(
    [txt] => yoo hoo
    [x] => Upload
)

FILES[photo] variables

Array
(
    [name] => 42dragono1-thumb.jpg
    [type] => image/jpeg
    [tmp_name] => /tmp/phpbEf9lf
    [error] => 0
    [size] => 3439
)
[/quote]

So the value I need to write to the database is the location? I'm so confused. I'm using this to summon pics in the HTML page:

<img src='http://www.sitename.com/images/photo/$photo'>

So storing the file [name] comes from...?

[Barand]

When you are displaying the image on the page they come from the 'photo' column in the table. This column needs to contain the location of the file on the server.

When you are inserting the record it therefore need to contain the location of the image [b]on the server[/b].

You are writing whatever is in the variable '$photo' when you insert the record, which, you say, comes from $_POST['photo'].


$sql = "INSERT INTO `plateau_pros`(`username`, `password`, `confirmPass`,
    `firstname`, `lastname`, `email`, `business`, `title`,
    `address`, `city`, `zip`, `phone`, `fax`, `mobile`,
    `category`, `comments`, `specialties`, `photo`)
    VALUES ('$username', '$password', '$confirmPass',
        '$firstname', '$lastname', '$email', '$business', '$title',
        '$address', '$city', '$zip', '$phone', '$fax', '$mobile',
        '$category', '$comments', '$specialties', '[color=red]$photo[/color]')";


As I demonstrated in the scriptlet, there should be no such thing as $_POST['photo'].

You should be writing the contents of "$eg_uploadFile1" to the 'photo' column in the table, as that is where you have moved the uploaded file.