Trying to Update MySQL database (uploading file) using a php script

Question

I am trying to create a login system where users can upload file in the existing database. First require the user to login then upload file. Here is my database:

Now I want to update cv (blob). So I have created the following page.

<!-- Form -->

<h1>Pease Login to Upload CV</h1>
<form method="POST" enctype="multipart/form-data">
    Username:
    <input type="text" name="username"><br>
    Password:
    <input type="password" name="password"><br><br>
    <input type="submit" value="Submit" name="submit" /> <br>

</form>

Above is the initial form. Then I used the following script:

<!-- Script -->
<?php 
    if (isset($_POST['submit'])) {


    // make connection
        $conn = mysqli_connect('localhost','root','','users');


        // if fails show error
        if (!$conn) {
            die("Connection failed: " . mysqli_connect_error());
            echo "Error Connecting to DB";
        }


        $usrName = ($_POST['username']);
        $paswrd  = ($_POST['password']);

        if($usrName!='' && $paswrd!=''){

            $sql ="SELECT username, password FROM credentials WHERE username = '$usrName'"; 

            $result = mysqli_query($conn, $sql);

            $row = mysqli_fetch_row($result);
            $dbUsname = $row[0];
            $dbPassword = $row[1];

                if ($usrName == $dbUsname && $paswrd == $dbPassword) {
                    echo "Hello ".$usrName." upload your CV now <br>";

                    echo 

                    "<form method='POST' enctype='multipart/form-data'>
                    <input type = 'file' value= 'upload' name = 'file'>
                    <input type='submit' value='Upload' name='upload' /> <br>
                    </form>";



                    if(isset($_POST['upload'])){

                        $cv = mysqli_real_escape_string($conn, $_POST['file']);

                        mysql_query("UPDATE credentials SET cv=$cv  WHERE username=$usrName");

                        if (!mysqli_query($conn,$UpdateQuery)) {
                            die('Error: ' . mysqli_error($conn));
                        }

                    }



                }
                else{
                    echo "<h1>Incorrect Username and/or password!</h1>";
                }
        }else{
            echo "Please make sure username and password is not empty";
        }
    }
?>

I have tested out the script for the most part. The problem occurs when I try to update the cv file. On the code below.

The Script executes but I can not see any file uploaded in my database. Can someone please point out where am I making the error.

Answer 1

Firstly, we're dealing with "files" and not a "text" input.

• Reference: http://php.net/manual/en/features.file-upload.post-method.php

So this part $_POST['file'] of your code, needs to be changed to $_FILES['file']

However this part of your code

mysql_query("UPDATE credentials SET cv=$cv  WHERE username=$usrName");

that's failing you for 2 reasons.

You're mixing APIs and you need to quote string values and would technically need to read as: (see the line of code just below my sidenote).

Sidenote: mysqli_query should not be included (just below) if you're to use the conditional statement that you're using if (!mysqli_query($conn,$UpdateQuery)).

mysqli_query($conn, "UPDATE credentials SET cv='$cv'  WHERE username='$usrName'");

• Different MySQL APIs/functions do not intermix.

You need to use the same one from connection to query.

Yet seeing this though,

if (!mysqli_query($conn,$UpdateQuery)) {
    die('Error: ' . mysqli_error($conn));
}

You probably forgot to add the $UpdateQuery variable to your query, which should read as

$UpdateQuery = "UPDATE credentials SET cv=`$cv`  WHERE username='$usrName'";

Error reporting would have thrown you an undefined variable UpdateQuery notice.

• Reference: http://php.net/manual/en/function.error-reporting.php

Sidenote: Make sure that the file size is allowed. If it is too large, then you will need to increase its values.

Consult the following post on Stack:

• PHP change the maximum upload file size

---

Rewrite:

$cv = mysqli_real_escape_string($conn, $_FILES['file']);

    $UpdateQuery = "UPDATE credentials SET cv='$cv'  WHERE username='$usrName'";

    // or using '".XXX."' syntax. In rare cares, that makes a difference.
    // $UpdateQuery = "UPDATE credentials SET cv='".$cv."'  WHERE username='".$usrName."'";

    if (!mysqli_query($conn,$UpdateQuery)) {
        die('Error: ' . mysqli_error($conn));
    }

    else{
        echo "Success!";
        }

---

You're also open to an SQL injection. It's best to use a prepared statement.

• https://en.wikipedia.org/wiki/Prepared_statement

Reference on BLOB and TEXT Types:

• https://dev.mysql.com/doc/refman/5.7/en/blob.html

---

Passwords

I also noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

• CRYPT_BLOWFISH
• crypt()
• bcrypt()
• scrypt()
• On OPENWALL
• PBKDF2
• PBKDF2 on PHP.net
• PHP 5.5's password_hash() function.
• Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Other links:

• PBKDF2 For PHP

Answer 2

When you post your upload form the update query will not run because it's hidden inside if(isset($_POST['submit'])). You need to move if(isset($_POST['upload'])) outside of submit for it to work.