I'm doing a student system, and in the registration, I am not able to insert the record of the student, which also has an image to be uploaded. The new folder is being created; however, the record is not inserted and the file is not moved. I'm not quite sure what the problem is.

    <?php

    include_once ('Database.php');

    $course  = $_POST['course'];
    $firstname  = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $email  = $_POST['email'];
    $username  = $_POST['username'];
    $password  = md5($_POST['password']);
    $filename = $_FILES['file']['name'];
    $target_dir = mkdir("Images/".$username."/");
    $target_file = $target_dir . basename($filename);

    // Select file type
    $imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

    // Valid file extensions
    $extensions_arr = array("jpg","jpeg","png","gif");


    $idquery ="SELECT `courseid` FROM `course` WHERE coursename = '$course'";
    $result= mysqli_query($conn, $idquery);

    if (mysqli_num_rows($result)==1){

        while($row = mysqli_fetch_assoc($result)){
            $courseid= ($row['courseid']);
        }
    }


    $sql = "INSERT INTO student VALUES('$firstname','$lastname','$email','$username','$password', '$filename', '$courseid')";
    if (mysqli_query($conn, $sql)){
        header("Location: StudentDashboard.html");
    }else{
        echo "Registration failed";
    }

    // Check extension
    if( in_array($imageFileType,$extensions_arr) ){

       // Upload file
       move_uploaded_file($_FILES['file']['tmp_name'],$target_dir.$filename);


    }

    ?>

  • What does happen? Is this code executed at all? Is there an error in the PHP logs? Did you turn on PHP error reporting? Is the SQL command executed? What is the result? It's worth noting that (1) your code is *wide open* to **SQL injection** which means you're not entirely in control of the code you're executing, and (2) you're not checking for errors from the database after attempting to execute that code, so it could be failing with a specific error message that you're simply not observing. – David Mar 01 '20 at 16:47
  • Yes, the code is not entirely secure yet. I will implement that after I am sure that it is functional. For now, I've seen that the **folder is created** according to the username. However, the **sql query is not executed** and the file is not moved to the new folder. I have not worked with file uploads before and I would like to know if there is any error with the way I'm processing the file. When I run the code, my msg "registration failed" is displayed. – Divya Jhugroo Mar 01 '20 at 17:25
  • If that message is displayed then that means the SQL query is failing. Use `mysqli_error` to get the error from the database. As for the first part of your comment, please understand that you're actively working against yourself with that approach. SQL injection is not just a security problem, it's also a very common source of bugs. Which is exactly the situation you're in right now. It's highly likely that your code is failing *because* of the SQL injection problem. Instead of trying to work around that problem, correct that problem. – David Mar 01 '20 at 17:37
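
The comments above point to two fixes: bound parameters instead of interpolated SQL, and surfacing the database error rather than a generic message. One way to apply both to this registration handler, as an added example that is not part of the original question or comments; the column names in the INSERT, the `photo.` file name and the generated directory name are hypothetical, and `$conn` is assumed to come from `Database.php`:

```php
<?php
// Added example, not the asker's code. Assumes Database.php defines $conn (a mysqli
// connection); the column names in the INSERT below are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // database errors throw
include_once 'Database.php';

function registerStudent(mysqli $conn, array $post, array $file): void
{
    // Bound parameter instead of interpolating $_POST['course'] into the SQL text.
    $stmt = $conn->prepare('SELECT courseid FROM course WHERE coursename = ?');
    $stmt->bind_param('s', $post['course']);
    $stmt->execute();
    $stmt->bind_result($courseid);
    if (!$stmt->fetch()) {
        throw new RuntimeException('Unknown course');
    }
    $stmt->close();

    // Same extension allow-list as the question, checked before anything is written.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('File type not allowed');
    }
    // mkdir() returns true/false, not a path; the directory name is generated server-side.
    $dir = 'Images/' . bin2hex(random_bytes(8)) . '/';
    if (!mkdir($dir, 0755, true)) {
        throw new RuntimeException('Could not create upload directory');
    }
    $path = $dir . 'photo.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not store uploaded file');
    }
    // password_hash() replaces md5(); assumes the password column fits its output.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    $stmt = $conn->prepare(
        'INSERT INTO student (firstname, lastname, email, username, password, photo, courseid)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssssi', $post['firstname'], $post['lastname'], $post['email'],
        $post['username'], $hash, $path, $courseid);
    $stmt->execute();
}

try {
    registerStudent($conn, $_POST, $_FILES['file']);
    header('Location: StudentDashboard.html');
} catch (Throwable $e) {
    error_log($e->getMessage()); // the actual database or upload error goes to the PHP log
    echo 'Registration failed';
}
```

Naming the columns in the INSERT also makes a column-count mismatch show up as an explicit error in the log.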

0 Answers