lauren_etherington Posted April 7, 2014 Share Posted April 7, 2014 Hello, I'm having a bit of a problem with some code of mine. I need to save an image file however I'm not sure where I have gone wrong. So as a bit of background, in my public_html folder I have the 'Add News' file where the user will fill in a form and upload it to the database and a folder called 'news' where the images will be stored... the script to add the article (along with the image) is stored in a folder called functions. Okay so now for the code: This is the form to add the article: <form id="form" action="functions/newsadd.php" method="post"> <table class="input"> <tr><td>News Title</td><td><textarea name="title" cols="80" rows="1"></textarea></td></tr> <tr><td>Author</td><td><textarea name="author" cols="80" rows="1"></textarea></td></tr> <tr><td>Status</td><td><select name="stat"><option>Enabled</option><option>Disabled</option></select></td></tr> <tr><td>Snippet Text</td><td><textarea name="snip" cols="80" rows="6"></textarea></td></tr> <tr><td>News Story</td><td><textarea name="stry" cols="80" rows="15"></textarea></td></tr> <tr><td>Image</td><td><input type='file' name='file'></td></tr> <tr><td><input type="submit" value="submit"/></td></tr> </table> </form> AND this is the code stored in "functions/newsadd.php" <?php $t = $_POST['title']; $a = $_POST['author']; $st = $_POST['stat']; $sn = $_POST['snip']; $s = $_POST['stry']; $conn = mysqli_connect("blah" "blah "blah" "blah") or die ("Could not connect to database"); if(!is_uploaded_file($_FILES['file']['tmp_name'])) { $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')"; } else { if ($_FILES['file']['type'] != "image/gif" && $_FILES['file']['type'] != "image/jpeg" && $_FILES['file']['type'] != "image/jpg" && $_FILES['file']['type'] != "image/x-png" && $_FILES['file']['type'] != "image/png") { $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')"; } else { $finame = $_FILES["file"]["name"]; $result = move_uploaded_file($_FILES['file']['tmp_name'], "../news/$finame"); if ($result == 1) { $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s','$finame')"; } else { $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')"; } } } $result = mysqli_query($conn, $query); if($result){ echo "Entered data successfully"; echo "<BR />"; echo "click <a href='sitepath.php'>here</a> to return to News"; } else { echo "Oh No! Something has gone wrong and your article could not be uploaded"; echo "<BR />"; echo "click <a href='http://sitepath.php'>here</a> to return to News"; } mysqli_close($conn); ?> Now I am perfectly able to upload the information in the form into the database, that is fine. My problem is that I am unable to save an image to the server and I'm not sure where I have gone wrong. I know it has something to do with this part of the code: $finame = $_FILES["file"]["name"]; $result = move_uploaded_file($_FILES['file']['tmp_name'], "../news/$finame"); if ($result == 1) { $query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s','$finame')"; } I am just unsure on what it is..... Any help would be appreciated, thanks Quote Link to comment https://forums.phpfreaks.com/topic/287576-upload-image-to-server/ Share on other sites More sharing options...
Solution Ch0cu3r Posted April 7, 2014 Solution Share Posted April 7, 2014 First to allow for file uploads you need to add the enctype="multipart/form-data" attribute to the form tag otherwise the files will not be uploaded <form id="form" action="functions/newsadd.php" method="post" enctype="multipart/form-data"> Second, you are do not appear to be doing any data validation/sanitization. This leaves your code vulnerable to attacks such as SQL injection and XSS and many others. This is why you should first validate the data before using it, such a making sure all fields are filled in and that they meet your requirements. With sanitization you should apply htmlentities/strip_tags on the data to protect your site from attacks like XSS , and use either mysqli_real_escape_string or prepared queries to protect yourself from sql injection attacks. Quote Link to comment https://forums.phpfreaks.com/topic/287576-upload-image-to-server/#findComment-1475218 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.