PNewCode Posted March 13, 2023 Share Posted March 13, 2023 Hello again everyone! Today I'm working with learning file uploads. I faces an issue when uploaded a song that has a special character, for example YA'LL I managed to take care of this for the text field by using $band21 = $_POST['band2']; $band2 = mysqli_real_escape_string($conn , $band21); But I don't see where to add such a thing for the file name of the song upload. Any thoughts? NOTE: This works perfectly as long as there's no special characters in the file name Btw, I know this is a bit messy and amatuer, please keep in mind that I'm still learning <?php error_reporting(E_ALL); ini_set('display_errors', '1'); session_start(); CONNECTION STUFF HERE (removed for posting) // Create connection $conn = new mysqli($servername, $username, $password, $dbname); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $id=$_SESSION['id']; $sql = "SELECT * FROM users WHERE id=$id"; $result = $conn->query($sql); if ($result->num_rows > 0) { // output data of each row while($row = $result->fetch_assoc()) { $band21 = $_POST['band2']; $band2 = mysqli_real_escape_string($conn , $band21); } } else { echo " "; } if (isset($_POST["submit"])) { $allowed_audio = array('mp3','wav'); $audio_ext = $_FILES["file2"]["name"]; $ext2 = pathinfo($audio_ext, PATHINFO_EXTENSION); if (!in_array($ext2, $allowed_audio)) { if (!in_array($ext2, $allowed_audio)) { echo 'Only Mp3 or WAV Files are Allowed to be Uploaded'; } die(); } #file name with a random number so that similar dont get replaced $ppname = rand(1000,10000)."-".$_FILES["file2"]["name"]; #temporary file name to store file $ttname = $_FILES["file2"]["tmp_name"]; #upload directory path $uploads_dir = 'member-audio'; #TO move the uploaded file to specific location move_uploaded_file($ttname, $uploads_dir.'/'.$ppname); $sql = "UPDATE users SET band2 = '".$band2."', audio1 = '".$ppname."' WHERE id = $id"; if(mysqli_query($conn,$sql)){ echo " "; } else{ echo "Error"; } } ?> Quote Link to comment Share on other sites More sharing options...
Solution kicken Posted March 13, 2023 Solution Share Posted March 13, 2023 37 minutes ago, PNewCode said: But I don't see where to add such a thing for the file name of the song upload. You'd just do the same thing, but with the variable for your file name. $ppname = mysqli_real_escape_string($conn , $ppname); However, this is not really the way you should be handling this issue. Instead, you should be using prepared statements with bound parameters. $sql = " UPDATE users SET band2 = ?, audio1 = ? WHERE id = ? "; $stmt=mysqli_prepare($conn, $sql); $stmt->bind_param('ssi', $_POST['band2'], $ppname, $id); $stmt->execute(); 1 Quote Link to comment Share on other sites More sharing options...
PNewCode Posted March 13, 2023 Author Share Posted March 13, 2023 (edited) @kicken Thank you much. I'm getting a new error now when I added that sayin which is wierd because I didn't get that before I added it, only the error that says I'm using a ' in the string. I added$ppname1 = $_POST['ppname']; $ppname = mysqli_real_escape_string($conn , $ppname1); And that second part, I'd like to circle back to that and get some more education on that Edited March 13, 2023 by PNewCode Quote Link to comment Share on other sites More sharing options...
kicken Posted March 13, 2023 Share Posted March 13, 2023 ppname doesn't come from $_POST. You defined it here: #file name with a random number so that similar dont get replaced $ppname = rand(1000,10000)."-".$_FILES["file2"]["name"]; 1 Quote Link to comment Share on other sites More sharing options...
PNewCode Posted March 14, 2023 Author Share Posted March 14, 2023 @kicken Thank you! Great education again and now it all works smooth! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.