I got this upload script, but when I want to run it, the page returns blank. There is something wrong, but I cannot figure out where the error is and how to fix it. I would appreciate it if someone helped me make this script work! MANY thanks!

<?php
    $allowedExts = array("jpg", "jpeg", "gif", "png");
    $extension = end(explode(".", $_FILES["file"]["name"]));
    if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/png")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 20000)
    && in_array($extension, $allowedExts))
      {
      if ($_FILES["file"]["error"] > 0)
        {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        }
      else
        {
        echo "Upload: " . $_FILES["file"]["name"] . "<br>";
        echo "Type: " . $_FILES["file"]["type"] . "<br>";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br>";

        if (file_exists("upload/" . $_FILES["file"]["name"]))
          {
          echo $_FILES["file"]["name"] . " already exists. ";
          }
        else
          {
          move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
            include 'db.php';
            mysql_query("INSERT INTO `members`(img) VALUES ('$_FILES["file"]["name"]')");
            include 'succes.php';
            }
        }
      }
    else
      {
      echo "Invalid file";
      }
    ?>
  • Have you verified that your "upload/" folder exists with correct read/write permissions on said folder? If the page returns white, then it is possible you have a fatal error inside your code. Turn on your error handling to E_ALL and post any error codes shown – Daryl Gill Dec 06 '12 at 14:38

2 Answers

There was an error in this line

mysql_query("INSERT INTO `members`(img) VALUES ('$_FILES["file"]["name"]')");

change that line to

mysql_query("INSERT INTO `members`(img) VALUES ('{$_FILES["file"]["name"]}')");

UPDATE:

Error was Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING on line 30

Note: Don't use mysql_* functions; they will be deprecated soon. Instead use PDO or mysqli functions. Before inserting data into the database, always validate the data and beware of SQL injection.

Muthu Kumaran
Please, don't use mysql_* functions in new code. They are no longer maintained and the deprecation process has begun on it. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

However, check that upload/ folder has read and write permissions and use this working code:

mysql_query("INSERT INTO `members`(img) VALUES ('" . $_FILES["file"]["name"] . "');");

Note that this code has an SQL injection vulnerability; I suggest you prepare queries via PDO.

If you have to update an existing record use:

mysql_query("UPDATE `members` SET img = '" . $_FILES["file"]["name"] . "' WHERE member_id = '" . $member_id . "';");

If you have to add a new image to an existing member you could try:

mysql_query("INSERT INTO `members` (img, member_id) VALUES ('" . $_FILES["file"]["name"] . "', '" . $member_id . "');");
Zoe
jacoz
  • Third, avoid SQL injection vulnerabilities. – Martin Bean Dec 06 '12 at 14:45
  • +1 for your comment! Preparing query via `PDO` is very suggested and helps with that too! – jacoz Dec 06 '12 at 14:46
  • @jan267 One more! It worked but it made a new table, it has to insert into an existing one, so I tried with Member ID, the upload succeeds but the database doesn't contain the name! `$member_id = $_SESSION['SESS_MEMBER_ID']; mysql_query("INSERT INTO 'members' (img) where member_id = '$member_id' VALUES ('{$_FILES["file"]["name"]}')");` – Dave Piersma Dec 06 '12 at 14:58
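
The PDO prepared-statement approach that both answers recommend, applied to the update of an existing member row asked about in the last comment. This is an added example, not code from the thread: the DSN, credentials, `UploadError` and `storeMemberImage()` are assumptions, while the table, columns, size limit, `upload/` folder and session key come from the question.

```php
<?php
// Added example, not code from the thread. DSN, credentials, UploadError and
// storeMemberImage() are assumptions; table/column names are the question's.
declare(strict_types=1);

class UploadError extends Exception {}

function storeMemberImage(PDO $pdo, array $file, int $memberId, string $dir = 'upload/'): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new UploadError('Return Code: ' . $error);
    }
    if ($file['size'] >= 20000) {                 // same limit as the question
        throw new UploadError('Invalid file');
    }
    // ['type'] and ['name'] in $_FILES are sent by the client. Detect the type
    // from the file contents and choose the stored name on the server instead.
    $allowed = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new UploadError('Invalid file');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        throw new UploadError('Could not store the file; check permissions on ' . $dir);
    }
    // Placeholders keep the values out of the SQL text, so a quote inside a
    // value cannot change the statement.
    $stmt = $pdo->prepare('UPDATE `members` SET img = :img WHERE member_id = :id');
    $stmt->execute([':img' => $name, ':id' => $memberId]);
    if ($stmt->rowCount() === 0) {
        unlink($dir . $name);                     // no such member: drop the file
        throw new UploadError('Unknown member');
    }
    return $name;
}

session_start();
// Placeholder connection details (assumptions). PDOException is deliberately
// not caught here, so database error text is never echoed to the visitor.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
try {
    $name = storeMemberImage($pdo, $_FILES['file'] ?? [], (int) ($_SESSION['SESS_MEMBER_ID'] ?? 0));
    echo 'Stored as ' . htmlspecialchars($name);
} catch (UploadError $e) {
    echo htmlspecialchars($e->getMessage());
}
```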