1

INTRO: I'm creating a 'Social network' site. It's more of a learning exercise than a business venture. I have created the simple version of login and registration (without encryption); they use phpMyAdmin and work.

I've created a form to upload a picture (to later be displayed). The picture saves to the server, then I need to store the path to the db... but that's the bit where it's all going wrong!!

Every page includes "session_start();"

Form:

<form action="upload_ppl.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>

upload_ppl.php:

<?php
session_start();

$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] > 2000)
&& in_array($extension, $allowedExts))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
  else
    {
    echo "Upload: " . $_FILES["file"]["name"] . "<br>";
    echo "Type: " . $_FILES["file"]["type"] . "<br>";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br>";

    if (file_exists("upload/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      {
          $image_name= $FILES["file"]["name"];
          $path=move_uploaded_file($_FILES["file"]["tmp_name"],
      "upload/" . rand().$_FILES["file"]["name"]);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];

      if(mysql_query("INSERT INTO *table* (*column*) VALUES ('$path')")){
          echo "Successfull!!";} else {
            echo 'fail';}
      }
    } 
  }
else
  {
  echo "Invalid file";
  }
?>

Please note that on the 'connection.page' upon login the db connection is established! Do I need to carry this forward with a session variable, or just create a new connection altogether? I've tried tons. All suggestions appreciated. Thanks guys!

Isaac Bennetch
justsimpleshh
  • 1
    "It's more of a learning exercise than a business venture." - That's what they all say ;-) – Strawberry Nov 11 '13 at 13:58
  • Please don't use `mysql_*` functions anymore, they are deprecated. See [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) for details. Instead you should learn about [prepared statements](http://bobby-tables.com/php.html) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you. If you pick PDO, [here is a good tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers). – Marcel Korpel Nov 11 '13 at 14:01
  • @Strawberry If i was good enough to take on FB I wouldn't need to post this question lol. – justsimpleshh Nov 11 '13 at 14:01
  • 1
    BTW, you're vulnerable to [SQL injection](https://www.owasp.org/index.php/SQL_Injection). – Marcel Korpel Nov 11 '13 at 14:02
  • move_uploaded_file returns true/false. Try doing that first then setting the $path. –  Nov 11 '13 at 14:05
  • Have you got the values that are saved to the db instead of the path? –  Nov 11 '13 at 14:09

2 Answers

0

Set a few variables like so

$folder = "upload/";
$suffix = rand();

Change this line

   $path=move_uploaded_file($_FILES["file"]["tmp_name"],
     "upload/" . rand().$_FILES["file"]["name"]);

to

 $path=move_uploaded_file($_FILES["file"]["tmp_name"],
      $folder . $suffix . $_FILES["file"]["name"]);

Then your path will be:

$fullPath = $folder . $suffix . $_FILES["file"]["name"];

Under your current code you can't pull the file path out because you have not assigned it to a variable you can grab and store.

Pwner
0

Your $path is all wrong. Correct your else with this:

  else
     {
      // Build the destination once so the move and the INSERT use the same value
      $image_name = rand().$_FILES["file"]["name"];
      $path = "upload/" . $image_name;
      move_uploaded_file($_FILES["file"]["tmp_name"],$path);

      echo "Stored in: " . $path;

      if(mysql_query("INSERT INTO *table* (*column*) VALUES ('$path')")){
          echo "Successfull!!";} else {
            echo 'fail';}
     }
Tim Knox
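The points raised in the comments and answers (move_uploaded_file returning true/false, the deprecated `mysql_*` functions, SQL injection through the stored path) combined into one handler, as an added example that is not code from the question or from either answer. It checks the file type from the file's contents, generates the stored name on the server, and writes the path with a PDO prepared statement. The table `users`, its columns `id` and `picture_path`, `$_SESSION['user_id']`, the 2 MB limit and the connection credentials are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumed names: table `users`, columns
// `id` and `picture_path`, $_SESSION['user_id'], and the placeholder DSN below.
session_start();

function store_upload(array $file, PDO $pdo, int $userId, string $dir = 'upload/'): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > 2 * 1024 * 1024) { // assumed 2 MB limit
        throw new RuntimeException('File too large');
    }
    // Decide the type from the file's bytes: $_FILES[...]['type'] and the
    // original file name are sent by the client and cannot be trusted.
    $allowed = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Invalid file');
    }
    // Server-generated name: no user input reaches the filesystem path.
    $path = $dir . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    // move_uploaded_file() returns true/false, not the destination path.
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    // Prepared statement: the path is bound as data, never spliced into SQL.
    $stmt = $pdo->prepare('UPDATE users SET picture_path = :path WHERE id = :id');
    $stmt->execute([':path' => $path, ':id' => $userId]);
    return $path;
}

try {
    if (!isset($_FILES['file'], $_SESSION['user_id'])) {
        throw new RuntimeException('No file sent or not logged in');
    }
    // A database connection cannot be kept in the session between requests,
    // so each script opens its own (credentials here are placeholders).
    $pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
        'db_user', 'db_pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $path = store_upload($_FILES['file'], $pdo, (int) $_SESSION['user_id']);
    echo 'Stored in: ' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) { // PDOException is a RuntimeException subclass
    http_response_code(400);
    error_log($e->getMessage()); // details go to the server log, not the page
    echo 'Upload failed';
}
```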