
I need help making this script work but all to no avail. It's not updating in SQL, but it uploads to the upload directory giving the name 0.jpg instead of the staff_id appended to the beginning like 7.jpg. Please, I need the script to be corrected or reworked.

```php
<?php
$allowed_filetypes = array('.jpg','.pdf','.xlsx','.xls','.doc','.docx','.ppt','.pptx','.jpeg','.png','.gif','.pdf');
$max_filesize = 52428800; // max file size = 50MB
$target = "images/";
$pic = ($_FILES['photo']['name']);
$pic = mysql_real_escape_string(htmlspecialchars($_FILES['photo']['name']));

// this gets all the other information from the form
$pic = ($_FILES['photo']['name']);

$file = $_FILES['photo']['name']; // Get the name of the file (including file extension).
$ext = substr($file, strpos($file,'.'), strlen($file)-1); // everything from the first dot onwards
if(!in_array($ext,$allowed_filetypes)) // check if file type is allowed
    die('The file extension you attempted to upload is not allowed.'); // not allowed
if(filesize($_FILES['photo']['tmp_name']) > $max_filesize) // check that filesize is less than 50MB
    die ('The file you attempted to upload is too large, compress it below 50MB.');

// Connects to your Database
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("office") or die(mysql_error());

// writes the information to the
$target = "images/" . mysql_insert_id() . $ext;

$staff_id = mysql_insert_id();
$new_file_name = mysql_insert_id() . $ext;

// I removed ,photo='$target' to display only id as picture name
mysql_query("UPDATE development SET photo='$new_file_name' WHERE staff_id=$staff_id");

// writes the file to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
    // tells you if its all ok
    echo "The file ". basename( $_FILES['photo']['name']). " has been uploaded, and your information has been added to the directory";
}
else {
    // gives an error if its not
    echo "Sorry, there was a problem uploading your file.";
}
?>
```
Sina R.
user2821383
  • Although presented as an error to be fixed, this question appears to be asking for others to simply write code to your requirements. According to [the "What topics can I ask about here?" help page](http://stackoverflow.com/help/on-topic) "Questions asking for code must demonstrate a minimal understanding of the problem being solved." – IMSoP Sep 27 '13 at 22:11
  • @DanielMorgan - is right " try using mysqli - http://www.php.net/manual/en/book.mysqli.php or pdo - http://www.php.net/manual/en/book.pdo.php as mysql_* functions are deprecated." – Sina R. Sep 27 '13 at 22:17
    **By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. – Andy Lester Sep 27 '13 at 22:19
  • I think suggesting a better SQL library to someone who hasn't yet got the hang of variable assignment (look at what happens to `$pic`...) might be pitching a bit high... – IMSoP Sep 27 '13 at 22:31

1 Answer

For starters, you're trying to access the ids before you even run a query:

```php
$target = "images/" . mysql_insert_id() . $ext;

$staff_id = mysql_insert_id();
$new_file_name = mysql_insert_id() . $ext;
```

That won't work. You need to run the query first.

Paul Dessert
    I can see half a dozen basic coding errors in the script at a glance, but sure, this is one of them, so have a +1 :) – IMSoP Sep 27 '13 at 22:16
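As an added example (not code from the question, the answer, or any of the commenters), here is a reworked version of the same upload handler that follows the advice given above: PDO with prepared statements instead of string-built `mysql_*` queries. It assumes the form also posts a `staff_id` field, a table `development` with `staff_id` and `photo` columns, and a writable `images/` directory; the database user and password are placeholders. The staff id comes from the form rather than from `mysql_insert_id()`, because that function only reports the AUTO_INCREMENT id of a preceding INSERT and this script only ever runs an UPDATE, which is why the file ended up as `0.jpg`. The stored filename is built solely from the validated integer id plus a whitelisted extension, so nothing the client controls reaches the filesystem path or the SQL text.

```php
<?php
// Added example, not the asker's code. Assumptions: form fields "staff_id" and
// "photo", table development(staff_id, photo), writable images/ directory,
// placeholder DB credentials.
declare(strict_types=1);

$allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'xls', 'xlsx', 'doc', 'docx', 'ppt', 'pptx'];
$maxFileSize = 52428800; // 50 MB
$uploadDir = __DIR__ . '/images/';

// Validate the staff id from the form before it is used anywhere.
$staffId = filter_input(INPUT_POST, 'staff_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($staffId === false || $staffId === null) {
    exit('Invalid staff id.');
}

// Confirm the upload itself succeeded before touching the file.
if (!isset($_FILES['photo']) || $_FILES['photo']['error'] !== UPLOAD_ERR_OK) {
    exit('No file was uploaded or the upload failed.');
}
if ($_FILES['photo']['size'] > $maxFileSize) {
    exit('The file you attempted to upload is too large, compress it below 50MB.');
}

// Use only the final extension; strpos() on the first dot would turn "a.b.jpg" into ".b.jpg".
$ext = strtolower(pathinfo($_FILES['photo']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExtensions, true)) {
    exit('The file extension you attempted to upload is not allowed.');
}

// Stored name is <validated integer>.<whitelisted extension>, never the client-supplied name.
$newFileName = $staffId . '.' . $ext;
$target = $uploadDir . $newFileName;

// PDO connection with exceptions enabled; credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=office;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Move the file first, then record it; the prepared statement keeps values out of the SQL text.
if (!move_uploaded_file($_FILES['photo']['tmp_name'], $target)) {
    exit('Sorry, there was a problem uploading your file.');
}

$stmt = $pdo->prepare('UPDATE development SET photo = :photo WHERE staff_id = :staff_id');
$stmt->execute([':photo' => $newFileName, ':staff_id' => $staffId]);

if ($stmt->rowCount() === 0) {
    // No row matched: remove the orphaned file so the directory stays consistent with the table.
    unlink($target);
    exit('No staff record found for that id.');
}

echo 'The file ' . htmlspecialchars($newFileName, ENT_QUOTES, 'UTF-8') . ' has been uploaded and your record has been updated.';
```

Checking `rowCount()` after the UPDATE is what tells you whether the row was actually updated; the original script never inspects the result of `mysql_query()`, so a query that matched no row (or failed outright) still printed the success message.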