lauren_etherington Posted April 7, 2014

Hello, I'm having a bit of a problem with some code of mine. I need to save an image file, however I'm not sure where I have gone wrong. So as a bit of background, in my public_html folder I have the 'Add News' file where the user will fill in a form and upload it to the database, and a folder called 'news' where the images will be stored... The script to add the article (along with the image) is stored in a folder called functions.

Okay so now for the code. This is the form to add the article:

<form id="form" action="functions/newsadd.php" method="post">
<table class="input">
<tr><td>News Title</td><td><textarea name="title" cols="80" rows="1"></textarea></td></tr>
<tr><td>Author</td><td><textarea name="author" cols="80" rows="1"></textarea></td></tr>
<tr><td>Status</td><td><select name="stat"><option>Enabled</option><option>Disabled</option></select></td></tr>
<tr><td>Snippet Text</td><td><textarea name="snip" cols="80" rows="6"></textarea></td></tr>
<tr><td>News Story</td><td><textarea name="stry" cols="80" rows="15"></textarea></td></tr>
<tr><td>Image</td><td><input type='file' name='file'></td></tr>
<tr><td><input type="submit" value="submit"/></td></tr>
</table>
</form>

AND this is the code stored in "functions/newsadd.php":

<?php
$t = $_POST['title'];
$a = $_POST['author'];
$st = $_POST['stat'];
$sn = $_POST['snip'];
$s = $_POST['stry'];
// connection details replaced with placeholders
$conn = mysqli_connect("blah", "blah", "blah", "blah") or die("Could not connect to database");
if (!is_uploaded_file($_FILES['file']['tmp_name'])) {
    $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')";
} else {
    if ($_FILES['file']['type'] != "image/gif" && $_FILES['file']['type'] != "image/jpeg" && $_FILES['file']['type'] != "image/jpg" && $_FILES['file']['type'] != "image/x-png" && $_FILES['file']['type'] != "image/png") {
        $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')";
    } else {
        $finame = $_FILES["file"]["name"];
        $result = move_uploaded_file($_FILES['file']['tmp_name'], "../news/$finame");
        if ($result == 1) {
            $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s','$finame')";
        } else {
            $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')";
        }
    }
}
$result = mysqli_query($conn, $query);
if ($result) {
    echo "Entered data successfully";
    echo "<BR />";
    echo "click <a href='sitepath.php'>here</a> to return to News";
} else {
    echo "Oh No! Something has gone wrong and your article could not be uploaded";
    echo "<BR />";
    echo "click <a href='http://sitepath.php'>here</a> to return to News";
}
mysqli_close($conn);
?>

Now I am perfectly able to upload the information in the form into the database, that is fine. My problem is that I am unable to save an image to the server and I'm not sure where I have gone wrong. I know it has something to do with this part of the code:

$finame = $_FILES["file"]["name"];
$result = move_uploaded_file($_FILES['file']['tmp_name'], "../news/$finame");
if ($result == 1) {
    $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s','$finame')";
}

I am just unsure on what it is..... Any help would be appreciated, thanks

https://forums.phpfreaks.com/topic/287576-upload-image-to-server/
Ch0cu3r Posted April 7, 2014

First, to allow for file uploads you need to add the enctype="multipart/form-data" attribute to the form tag, otherwise the files will not be uploaded:

<form id="form" action="functions/newsadd.php" method="post" enctype="multipart/form-data">

Second, you do not appear to be doing any data validation/sanitization. This leaves your code vulnerable to attacks such as SQL injection and XSS and many others. This is why you should first validate the data before using it, such as making sure all fields are filled in and that they meet your requirements. With sanitization you should apply htmlentities/strip_tags on the data to protect your site from attacks like XSS, and use either mysqli_real_escape_string or prepared queries to protect yourself from SQL injection attacks.
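As an added example (not the original poster's or Ch0cu3r's code), here is a version of functions/newsadd.php that applies the advice in the reply above: it checks that every field is filled in, determines the image type from the file contents rather than the client-supplied $_FILES type, stores the image under a server-generated name, and inserts the row with a prepared statement. It assumes the same 'news' table and ../news/ upload folder, that the form carries the enctype attribute, and that newsimage is nullable; the database credentials are placeholders.

```php
<?php
// Added example, not the poster's code: a hardened newsadd.php. Assumes the
// same 'news' table, the ../news/ upload directory and placeholder credentials.
$allowed = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
// 1. Validate the text fields: every field must be present and non-empty.
$fields = [];
foreach (['title', 'author', 'stat', 'snip', 'stry'] as $name) {
    $value = trim($_POST[$name] ?? '');
    if ($value === '') {
        exit("Missing field: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    $fields[$name] = $value;
}
if (!in_array($fields['stat'], ['Enabled', 'Disabled'], true)) {
    exit("Invalid status");
}
// 2. Validate the upload. $_FILES['file']['type'] is sent by the browser and is
//    not trusted; the MIME type is read from the file contents instead, and the
//    stored name is generated here so the user's filename never reaches the
//    filesystem path.
$imageName = null;
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($_FILES['file']['tmp_name'])) {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($_FILES['file']['tmp_name']) === false) {
        exit("Only GIF, JPEG and PNG images are accepted");
    }
    $imageName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($_FILES['file']['tmp_name'], __DIR__ . "/../news/$imageName")) {
        exit("Could not save the image");
    }
}
// 3. Insert with a prepared statement so field contents can never alter the SQL.
$conn = new mysqli("db_host", "db_user", "db_pass", "db_name"); // placeholders
if ($conn->connect_error) {
    exit("Could not connect to database");
}
$stmt = $conn->prepare("INSERT INTO news (newstitle, newsauthor, newsdate, newsstatus,"
    . " newssnippet, newsarticle, newsimage) VALUES (?, ?, CURDATE(), ?, ?, ?, ?)");
$stmt->bind_param('ssssss', $fields['title'], $fields['author'], $fields['stat'],
    $fields['snip'], $fields['stry'], $imageName); // null $imageName binds as NULL
if ($stmt->execute()) {
    echo "Entered data successfully";
} else {
    echo "Oh No! Something has gone wrong and your article could not be uploaded";
}
$stmt->close();
$conn->close();
```

Escaping on output (htmlspecialchars when the title or article is later displayed) still applies; the prepared statement protects the database, not the page that renders the stored text.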