Escape string for file uploads to Mysql in Php

[PNewCode]

Hello again everyone!

Today I'm working with learning file uploads. I faces an issue when uploaded a song that has a special character, for example YA'LL

I managed to take care of this for the text field by using 
$band21 = $_POST['band2'];
$band2 = mysqli_real_escape_string($conn , $band21);

But I don't see where to add such a thing for the file name of the song upload.
Any thoughts?

NOTE: This works perfectly as long as there's no special characters in the file name

Btw, I know this is a bit messy and amatuer, please keep in mind that I'm still learning

<?php

error_reporting(E_ALL);
ini_set('display_errors', '1');

 session_start();


CONNECTION STUFF HERE (removed for posting)


// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
    $id=$_SESSION['id'];
$sql = "SELECT * FROM users WHERE id=$id";
$result = $conn->query($sql);


if ($result->num_rows > 0) {
  // output data of each row
  while($row = $result->fetch_assoc()) {


$band21 = $_POST['band2'];
$band2 = mysqli_real_escape_string($conn , $band21);
  
  }
} else {
  echo " ";
}



 if (isset($_POST["submit"]))
 {
     

     $allowed_audio = array('mp3','wav');
     

      $audio_ext = $_FILES["file2"]["name"];

           
           $ext2 = pathinfo($audio_ext, PATHINFO_EXTENSION);
           
     if (!in_array($ext2, $allowed_audio)) {
    


if (!in_array($ext2, $allowed_audio)) {
    echo 'Only Mp3 or WAV Files are Allowed to be Uploaded';
}
 die();
}



     #file name with a random number so that similar dont get replaced
     $ppname = rand(1000,10000)."-".$_FILES["file2"]["name"];
     #temporary file name to store file
    $ttname = $_FILES["file2"]["tmp_name"];
    #upload directory path
    $uploads_dir = 'member-audio';
    #TO move the uploaded file to specific location
    move_uploaded_file($ttname, $uploads_dir.'/'.$ppname);



$sql = "UPDATE users
SET band2 = '".$band2."', audio1 = '".$ppname."'
WHERE id = $id";


    if(mysqli_query($conn,$sql)){
     echo " ";
    }
    else{
        echo "Error";
    }
}
?>

 

[kicken]

37 minutes ago, PNewCode said:

But I don't see where to add such a thing for the file name of the song upload.

You'd just do the same thing, but with the variable for your file name.

$ppname = mysqli_real_escape_string($conn , $ppname);

However, this is not really the way you should be handling this issue.  Instead, you should be using prepared statements with bound parameters.

$sql = "
UPDATE users
SET band2 = ?, audio1 = ?
WHERE id = ?
";

$stmt=mysqli_prepare($conn, $sql);
$stmt->bind_param('ssi', $_POST['band2'], $ppname, $id);
$stmt->execute();

 

[PNewCode]

@kicken Thank you much. I'm getting a new error now when I added that sayin

which is wierd because I didn't get that before I added it, only the error that says I'm using a ' in the string.

I added
$ppname1 = $_POST['ppname'];
$ppname = mysqli_real_escape_string($conn , $ppname1);

And that second part, I'd like to circle back to that and get some more education on that

Edited March 13, 2023 by PNewCode

[kicken]

ppname doesn't come from $_POST.  You defined it here:

#file name with a random number so that similar dont get replaced
$ppname = rand(1000,10000)."-".$_FILES["file2"]["name"];

 

[PNewCode]

@kicken Thank you! Great education again and now it all works smooth!