Jump to content

Escape string for file uploads to Mysql in Php


Go to solution Solved by kicken,

Recommended Posts

Hello again everyone!

Today I'm working with learning file uploads. I faces an issue when uploaded a song that has a special character, for example YA'LL

I managed to take care of this for the text field by using 
$band21 = $_POST['band2'];
$band2 = mysqli_real_escape_string($conn , $band21);


But I don't see where to add such a thing for the file name of the song upload.
Any thoughts?

NOTE: This works perfectly as long as there's no special characters in the file name

Btw, I know this is a bit messy and amatuer, please keep in mind that I'm still learning :)

<?php

error_reporting(E_ALL);
ini_set('display_errors', '1');

 session_start();


CONNECTION STUFF HERE (removed for posting)


// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
    $id=$_SESSION['id'];
$sql = "SELECT * FROM users WHERE id=$id";
$result = $conn->query($sql);


if ($result->num_rows > 0) {
  // output data of each row
  while($row = $result->fetch_assoc()) {


$band21 = $_POST['band2'];
$band2 = mysqli_real_escape_string($conn , $band21);
  
  }
} else {
  echo " ";
}



 if (isset($_POST["submit"]))
 {
     

     $allowed_audio = array('mp3','wav');
     

      $audio_ext = $_FILES["file2"]["name"];

           
           $ext2 = pathinfo($audio_ext, PATHINFO_EXTENSION);
           
     if (!in_array($ext2, $allowed_audio)) {
    


if (!in_array($ext2, $allowed_audio)) {
    echo 'Only Mp3 or WAV Files are Allowed to be Uploaded';
}
 die();
}



     #file name with a random number so that similar dont get replaced
     $ppname = rand(1000,10000)."-".$_FILES["file2"]["name"];
     #temporary file name to store file
    $ttname = $_FILES["file2"]["tmp_name"];
    #upload directory path
    $uploads_dir = 'member-audio';
    #TO move the uploaded file to specific location
    move_uploaded_file($ttname, $uploads_dir.'/'.$ppname);



$sql = "UPDATE users
SET band2 = '".$band2."', audio1 = '".$ppname."'
WHERE id = $id";


    if(mysqli_query($conn,$sql)){
     echo " ";
    }
    else{
        echo "Error";
    }
}
?>

 

  • Solution
37 minutes ago, PNewCode said:

But I don't see where to add such a thing for the file name of the song upload.

You'd just do the same thing, but with the variable for your file name.

$ppname = mysqli_real_escape_string($conn , $ppname);

However, this is not really the way you should be handling this issue.  Instead, you should be using prepared statements with bound parameters.

$sql = "
UPDATE users
SET band2 = ?, audio1 = ?
WHERE id = ?
";

$stmt=mysqli_prepare($conn, $sql);
$stmt->bind_param('ssi', $_POST['band2'], $ppname, $id);
$stmt->execute();

 

  • Like 1

@kicken Thank you much. I'm getting a new error now when I added that sayin
image.png.a1be57a92ccaaeed1954af4ba8473b90.png
which is wierd because I didn't get that before I added it, only the error that says I'm using a ' in the string.

I added
$ppname1 = $_POST['ppname'];
$ppname = mysqli_real_escape_string($conn , $ppname1);


And that second part, I'd like to circle back to that and get some more education on that

Edited by PNewCode
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.