
Hello,

I'm having a bit of a problem with some code of mine. I need to save an image file, however I'm not sure where I have gone wrong.

So as a bit of background, in my public_html folder I have the 'Add News' file, where the user will fill in a form and upload it to the database, and a folder called 'news' where the images will be stored... the script to add the article (along with the image) is stored in a folder called functions.


Okay so now for the code:

This is the form to add the article:

<form id="form" action="functions/newsadd.php" method="post">
		<table class="input">
			<tr><td>News Title</td><td><textarea name="title" cols="80" rows="1"></textarea></td></tr>
			<tr><td>Author</td><td><textarea name="author" cols="80" rows="1"></textarea></td></tr>
			<tr><td>Status</td><td><select name="stat"><option>Enabled</option><option>Disabled</option></select></td></tr>
			<tr><td>Snippet Text</td><td><textarea name="snip" cols="80" rows="6"></textarea></td></tr>
			<tr><td>News Story</td><td><textarea name="stry" cols="80" rows="15"></textarea></td></tr>
			<tr><td>Image</td><td><input type='file' name='file'></td></tr>
			<tr><td><input type="submit" value="submit"/></td></tr>
		</table>
	</form>

AND this is the code stored in "functions/newsadd.php"

<?php
$t = $_POST['title'];
$a = $_POST['author'];
$st = $_POST['stat'];
$sn = $_POST['snip'];
$s = $_POST['stry'];


$conn = mysqli_connect("blah", "blah", "blah", "blah") or die("Could not connect to database");

if(!is_uploaded_file($_FILES['file']['tmp_name']))
{
	$query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')";
	
}
else
{
	if ($_FILES['file']['type'] != "image/gif" && $_FILES['file']['type'] != "image/jpeg" && $_FILES['file']['type'] != "image/jpg" && $_FILES['file']['type'] != "image/x-png" && $_FILES['file']['type'] != "image/png")
	{
		$query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')";
		
	}
	else
	{
		$finame = $_FILES["file"]["name"];
		$result = move_uploaded_file($_FILES['file']['tmp_name'], "../news/$finame");
		if ($result == 1)
		{
			$query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s','$finame')";
		}
		else
		{
			$query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s')";
			
		}
	}
}

$result = mysqli_query($conn, $query);

if($result){

	echo "Entered data successfully";
	echo "<BR />";
	echo "click <a href='sitepath.php'>here</a> to return to News";

}

else {
	echo "Oh No! Something has gone wrong and your article could not be uploaded";
	echo "<BR />";
	echo "click <a href='http://sitepath.php'>here</a> to return to News";
}

mysqli_close($conn);
?>

Now I am perfectly able to upload the information in the form into the database, that is fine.

My problem is that I am unable to save an image to the server and I'm not sure where I have gone wrong. I know it has something to do with this part of the code:

$finame = $_FILES["file"]["name"];
		
		$result = move_uploaded_file($_FILES['file']['tmp_name'], "../news/$finame");
		if ($result == 1)
		{
			$query = "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage) VALUES ('$t','$a',CURDATE(),'$st','$sn','$s','$finame')";
		
		}

I am just unsure what it is.


Any help would be appreciated, thanks :)

https://forums.phpfreaks.com/topic/287576-upload-image-to-server/

Solution

First, to allow for file uploads you need to add the enctype="multipart/form-data" attribute to the form tag, otherwise the files will not be uploaded:

<form id="form" action="functions/newsadd.php" method="post" enctype="multipart/form-data">

Second, you do not appear to be doing any data validation/sanitization. This leaves your code vulnerable to attacks such as SQL injection and XSS, and many others.


This is why you should first validate the data before using it, such as making sure all fields are filled in and that they meet your requirements.


With sanitization, you should apply htmlentities/strip_tags on the data to protect your site from attacks like XSS, and use either mysqli_real_escape_string or prepared queries to protect yourself from SQL injection attacks.
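A hardened version of functions/newsadd.php that applies both points of this answer, added here as an example and not taken from the thread. It assumes the same table and column names as the question, placeholder database credentials, and that the newsimage column accepts NULL; the real content type is checked server-side with finfo instead of trusting the browser-supplied $_FILES type, and the stored filename is generated on the server rather than taken from the upload.

```php
<?php
// Added example (not the poster's code): hardened functions/newsadd.php.
// Assumes the question's table/columns, placeholder credentials, and
// that newsimage is nullable.
$conn = mysqli_connect("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME")
    or die("Could not connect to database");

// 1. Validation: every field must be present and non-empty, and the
//    status must be one of the two values the form actually offers.
foreach (['title', 'author', 'stat', 'snip', 'stry'] as $f) {
    if (!isset($_POST[$f]) || trim($_POST[$f]) === '') {
        exit("Missing field: " . htmlspecialchars($f, ENT_QUOTES, 'UTF-8'));
    }
}
if (!in_array($_POST['stat'], ['Enabled', 'Disabled'], true)) {
    exit("Invalid status");
}

// 2. Upload handling. The form needs enctype="multipart/form-data",
//    otherwise $_FILES['file'] is never populated at all.
$finame = null;
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['file']['tmp_name'])) {
    // Detect the real type from the file bytes; $_FILES['file']['type']
    // is sent by the client and cannot be trusted.
    $allowed = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
    if (!isset($allowed[$mime])) {
        exit("Only GIF, JPEG and PNG images are accepted");
    }
    // Never build a path from the client-supplied name: generate our own.
    $finame = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($_FILES['file']['tmp_name'], __DIR__ . "/../news/$finame")) {
        $finame = null; // store the article without an image
    }
}

// 3. Prepared statement: form data travels as bound parameters, so it
//    can never alter the SQL. A NULL newsimage means "no image".
$stmt = mysqli_prepare($conn,
    "INSERT INTO news (newstitle,newsauthor,newsdate,newsstatus,newssnippet,newsarticle,newsimage)
     VALUES (?,?,CURDATE(),?,?,?,?)") or die("Could not prepare query");
mysqli_stmt_bind_param($stmt, "ssssss", $_POST['title'], $_POST['author'],
    $_POST['stat'], $_POST['snip'], $_POST['stry'], $finame);
echo mysqli_stmt_execute($stmt) ? "Entered data successfully" : "Insert failed";
mysqli_stmt_close($stmt);
mysqli_close($conn);
```

When the stored fields are later displayed, run them through htmlspecialchars at output time as well, since the database stores them unmodified.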
