0

I made code in PHP for uploading images, but I have one problem, when I upload image, there is no record in database, but image is uploaded to path where I want it.

this is my code:

<form action="upload.php" method="post" enctype="multipart/form-data" id="upload_form">
    <input id="file" type="file" name="file[]" />
    <input type="submit" id="upload" name="submit" value="Dodaj" />
</form>

include 'init.php';

    $uploaded = [];
    $allowed = ['jpg', 'png'];

    $succeeded = [];
    $failed = [];

    if(!empty($_FILES['file'])){
        foreach($_FILES['file']['name'] as $key => $name){
            if($_FILES['file']['error'][$key] == 0){
                $temp = $_FILES['file']['tmp_name'][$key];

                $ext = explode('.', $name);
                $ext = strtolower(end($ext));

                $file = md5_file($temp) . time() . '.' . $ext;              

                if(in_array($ext, $allowed) === true && move_uploaded_file($temp, "uploads/{$file}") === true){
                    $succeeded[] = array('name' => $name, 'file' => $file);
                    $path = 'uploads';
                    $sql = "INSERT INTO users (img_path, img_name, img_type) VALUES ('$path', '$file', '$ext') WHERE id = '$session_user_id'";
                    $result = mysql_query($sql);                    
                }else{
                    $failed[] = array('name' => $name); 
                }               
            }       
        }

init file:

session_start();

    mysql_connect('localhost','root','');
    mysql_select_db('croglas'); 
    mysql_query('SET CHARACTER SET utf8');

    include 'functions.php';

    if(logged_in() === true){
        $session_user_id = $_SESSION['id'];
        $user_data = user_data($session_user_id, 'id', 'username', 'password', 'email', 'address', 'zip', 'phone_number', 'city', 'type', 'points', 'img_path', 'img_name', 'img_type');
    }
CroVG
  • 149
  • 2
  • 13
  • 1
    You're simply assuming your query succeeded. You have no error checking at all. `$result = mysql_query(...) or die(mysql_error())` should be the bare MINIMUM handling you have. never EVER assume success with a db operation. always assume it'll fail, and treat success as a pleasant surprise. – Marc B Sep 01 '15 at 17:02
  • Wow.. Great @MarcB. Well Said. – Nana Partykar Sep 01 '15 at 17:03
  • 1
    http://dev.mysql.com/doc/refman/5.6/en/insert-select.html --- http://dev.mysql.com/doc/refman/5.6/en/insert-on-duplicate.html - in regards to `WHERE`. Read that as well as a prepared statement. If the intention is to do an UPDATE, well, that's a different animal altogether. – Funk Forty Niner Sep 01 '15 at 17:03
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 01 '15 at 17:14
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 01 '15 at 17:14
  • @JayBlanchard where is risk? – CroVG Sep 03 '15 at 17:12
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Sep 03 '15 at 17:50
  • You're passing variables directly to the database that appear not to have been cleansed. – Jay Blanchard Sep 03 '15 at 17:50
  • @JayBlanchard I made function sanitize where I prevent injection, but I didn't write this in my question – CroVG Sep 04 '15 at 09:18

2 Answers2

5

This is probably returning an error which the code is ignoring:

INSERT INTO users (img_path, img_name, img_type) VALUES ('$path', '$file', '$ext') WHERE id = '$session_user_id'

INSERT statements don't have WHERE clauses. Just omit the clause entirely:

INSERT INTO users (img_path, img_name, img_type) VALUES ('$path', '$file', '$ext')

Additionally, you should check for SQL errors after executing a SQL statement.

Edit: Or... Does this need to be an UPDATE statement instead? It strikes me as strange that a table called users would hold image records. Are you instead updating an existing user record to include new values? That would have a WHERE clause. Something like this:

UPDATE users SET img_page='$path', img_name='$file', img_type='$ext' WHERE id = '$session_user_id'
David
  • 176,566
  • 33
  • 178
  • 245
  • How will you know which user it will record? – CroVG Sep 01 '15 at 17:04
  • @CroVG: If there's a column in that table to record that data, insert a value into that column as well. – David Sep 01 '15 at 17:05
  • Yes but if i have more colums whit different users? is it same? – CroVG Sep 01 '15 at 17:06
  • 1
    @CroVG: Any column for which you have data when inserting the record can be included in the `INSERT` statement. It's not really clear what you're asking at this point. (It's also not really clear why you're storing image data in a table called `users`. Maybe this should be an `UPDATE` statement instead of an `INSERT`? *That* would have a `WHERE` clause...) – David Sep 01 '15 at 17:08
  • 1
    ^ yep, and...as I outlined [here...](http://stackoverflow.com/questions/32337157/php-upload-image-to-folder-and-insert-record-to-database#comment52548559_32337157) – Funk Forty Niner Sep 01 '15 at 17:09
  • Thanks guys, I get it – CroVG Sep 01 '15 at 17:10
0

Your query is wrong, you cant have where in AN INSERT statement.

It should be like this,

INSERT INTO users (img_path, img_name, img_type) VALUES ('$path', '$file', '$ext')

Also,one tip: use mysqli.

Varun
  • 1,950
  • 2
  • 8
  • 16