0

I have form which insert data in DB but nothing is inserted.

while uploading image part is working fine .

The code was working properly when it was only image input in the form , but after I added variables definition for the other inputs its stopped working .

Any help will be appreciated thanks.

Form:

<form method="post" name="form1" class="insert_form" action="insert-workshop-form.php"  enctype="multipart/form-data">


<table cellspacing="15px" >
    <tr valign="baseline">
     <td nowrap><label for="event_title">Title</label></td>
     <td><input type="text" name="event_title" id="event_title" value="" placeholder="enter title" size="50"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap  valign="top"><label for="event_text">Event Details</label></td>
     <td><textarea name="event_text" cols="50" rows="5" id="event_text"></textarea></td>
    </tr>
    <tr valign="baseline">
     <td nowrap><label for="event_date">Date</label></td>
     <td><input type="date" name="event_date" id="event_date" value="" size="32"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap ><label for="event_location">Location</label></td>
     <td><input type="text" name="event_location"  id="event_location" value="" size="60"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap  valign="top"><label  for="events_notes">Notes</label></td>
     <td><textarea name="events_notes" id="events_notes" cols="50" rows="5"></textarea></td>
    </tr>
    <tr valign="baseline">
     <td nowrap  valign="top"><label for="event_additional_details">Additional<br>
 Details</label></td>
     <td><textarea name="event_additional_details" id="event_additional_details" cols="50" rows="5"></textarea></td>
    </tr>
    <tr valign="baseline">
     <td nowrap ><label for="event_img">Upload Image</label></td>
     <td><input type="file" name="event_img" id="event_img" value="" size="32"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap >&nbsp;</td>
     <td align="right"><input type="submit" value="Post" id="insert_btn"></td>
    </tr>
   </table>
  </form>

Execution code:

<?php


$allowedExts = array("gif","jpeg","pjpeg", "jpg", "png","JIF","JPG","JPEG","PNG","PJPEG","X-PNG","x-png");
$temp = explode(".", $_FILES["event_img"]["name"]);
$extension = end($temp);
if (

(($_FILES["event_img"]["type"] == "image/gif")
|| ($_FILES["event_img"]["type"] == "image/jpeg")
|| ($_FILES["event_img"]["type"] == "image/jpg")
|| ($_FILES["event_img"]["type"] == "image/pjpeg")
|| ($_FILES["event_img"]["type"] == "image/png")
|| ($_FILES["event_img"]["type"] == "image/x-png")

|| ($_FILES["event_img"]["type"] == "image/PNG")
|| ($_FILES["event_img"]["type"] == "image/X-PNG")
|| ($_FILES["event_img"]["type"] == "image/GIF") 
|| ($_FILES["event_img"]["type"] == "image/JPEG")
|| ($_FILES["event_img"]["type"] == "image/JPG")
|| ($_FILES["event_img"]["type"] == "image/PJPEG"))

&& ($_FILES["event_img"]["size"] < 9999999)

&& in_array($extension, $allowedExts))



 {
  if ($_FILES["event_img"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["event_img"]["error"] . "<br>";
    }
  else
    {


if (file_exists("../images/" . $_FILES["event_img"]["name"]))
  {
  echo $_FILES["event_img"]["name"] . " already exists. ";
  }
else
  {
  move_uploaded_file($_FILES["event_img"]["tmp_name"],
  "../images/" . $_FILES["event_img"]["name"]);



 require_once('../Connections/bmer_conn.php'); 
  $event_title=$_POST['event_title'];
   $event_text=$_POST['event_text'];
 $event_date=$_POST['event_date'];
 $event_location=$_POST['event_location'];
 $event_notes=$_POST['event_notes'];
$event_additional_details=$_POST['event_additional_details'];


$event_img=($_FILES['event_img']['name']);




   $insert=mysql_query("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES ('$event_title','$event_text','$event_date','$event_location','$event_notes','$event_additional_details','$event_img')");


   header("location:../workshop.php");

                          if($insert){
                              echo 'data inserted';}
                              else
                              {
                                  echo 'data not inserted';}

     }
    }
  }
else
  {
  echo "Invalid image ";
  }



?>
Jenz
  • 8,280
  • 7
  • 44
  • 77
user3152014
  • 29
  • 4
  • 2
    Error debuggin? add mysql_error after your query `'$event_img')") or die(mysql_error());` – Fabio Feb 24 '14 at 10:32
  • Check yor apache error log. that may be help you – Paresh Thummar Feb 24 '14 at 10:35
  • You should also change that big `IF` to something like `if ((in_array(strtolower($_FILES["event_img"]["type"]), array('image/jpeg', 'image/jpg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/GIF')) && ($_FILES["event_img"]["size"] < 9999999) && in_array($extension, $allowedExts)))` – cornelb Feb 24 '14 at 10:38
  • As you are not using [`mysql_real_escape_string`](http://de1.php.net/mysql_real_escape_string) or prepared statements with e.g. [PDO](http://de1.php.net/manual/en/pdo.prepare.php) I would suspect, that one of your `$_POST`-fields contains an `'` and your statement fails because of this. – TheConstructor Feb 24 '14 at 10:38
  • i thin you are trying to insert file name so try `$event_img=basename($_FILES['event_img']['name'])` – krishna Feb 24 '14 at 10:39
  • @Fabio - thank you. your comment help me alot .The problem is in the field name event_notes.. – user3152014 Feb 24 '14 at 10:48
  • can you paste the error? – Fabio Feb 24 '14 at 10:49
  • here it is : it was events_notes. – user3152014 Feb 24 '14 at 10:50
  • i meant to post the entire mysql error – Fabio Feb 24 '14 at 10:53
  • Unknown column 'events_notes' in field list – user3152014 Feb 24 '14 at 11:00
  • @user3152014 so your query wasn't failing because somebody wrote "Tom's party". But you should probably escape your values, too. ;-) – TheConstructor Feb 24 '14 at 11:02

3 Answers3

0

First of all: Don't use mysql_* functions anymore, they are deprecated and will be removed in a near future version (or have they already been removed?)

Second, you could make your if clause more readable by using PHPs in_array function.

Third, you should check for MySQL error codes with the (again deprecated) function mysql_errno (and mysql_error) to see if there was an MySQL error.

I can't exactly tell where your error is, but try modifying your query to this:

$insert = mysql_query("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES ('{$event_title}','{$event_text}','{$event_date}','{$event_location}','{$event_notes}','{$event_additional_details}','{$event_img}')");

That way PHP treats everything between the curly brackets as a variable name. Alternatively you could use string concatenation, but that's a matter of design choices.

Thiefbrain
  • 26
  • 1
  • @OfirH you should use `mysqli_* ` functions or `PDO` from `php > 5.2` – krishna Feb 24 '14 at 11:05
  • @krishna What is the diffrence between them? I'm asking because I see a lot of comment similar to Theifbarain comment and I want to learn one of the ways. – OfirH Feb 24 '14 at 11:10
  • function like `mysql_connect()` which start with `mysql_` is mentioned as `mysqli_*` functions. It is advised because `mysql_*` function has been deprecated from `php 5.5` . for more info check here http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?lq=1 – krishna Feb 24 '14 at 11:14
0

Any way one of your variables is containing ' or "?

When it happened to me mysql didn't return any error, but the Insert wasn't working.

If that's the reason, add mysql_real_escape_string() to your variables.

OfirH
  • 651
  • 1
  • 8
  • 19
0

Try if

$event_title=mysql_real_escape_string($_POST['event_title']);
$event_text=mysql_real_escape_string($_POST['event_text']);
$event_date=mysql_real_escape_string($_POST['event_date']);
$event_location=mysql_real_escape_string($_POST['event_location']);
$event_notes=mysql_real_escape_string($_POST['event_notes']);
$event_additional_details=mysql_real_escape_string($_POST['event_additional_details']);

$event_img=mysql_real_escape_string($_FILES['event_img']['name']);

$insert=mysql_query("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES ('$event_title','$event_text','$event_date','$event_location','$event_notes','$event_additional_details','$event_img')");

works in which case you where suspect to a SQL-injection vulnerability. magic_quotes_gpc is now normally off which means you have to handle escaping yourself.

Personally I would recommend somethin like this, but mysqli also supports this (altough it seems you can not name the parameters to be replaced but have to use their positional index)

$dbh = new PDO('mysql:host=example.com;dbname=database', 'user', 'password');

$event_title=$_POST['event_title'];
$event_text=$_POST['event_text'];
$event_date=$_POST['event_date'];
$event_location=$_POST['event_location'];
$event_notes=$_POST['event_notes'];
$event_additional_details=$_POST['event_additional_details'];

$event_img=$_FILES['event_img']['name'];

$query = $dbh->prepare("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES (:event_title,:event_text,:event_date,:event_location,:event_notes,:event_additional_details,:event_img)");
$success = $query->execute(Array(':event_title' => $event_title,':event_text' => $event_text,':event_date' => $event_date,':event_location' => $event_location,':event_notes' => $event_notes,':event_additional_details' => $event_additional_details,':event_img' => $event_img));

if($success) { ... }

Huge benefit of this solution is that the DB will never again execute user input as statements as it knows that the placeholders are data only.

TheConstructor
  • 4,285
  • 1
  • 31
  • 52