1

I am currently building a website that has a gallery which is accessed through php and mysql. When you view on the website the gallery takes the code from mysql and the image from my folder (on the machine).

I am having a problem that when I upload an image (using the php) the image_pathname comes up, so does the image_description (with the image_gallery database), but the author does not - and instead a number appears.

I think it's something maybe I can fix easily but I've been working on the site for a while and my brain is fried - and assuming it's something impossible.

This is my table syntax:

```sql
CREATE TABLE images(
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
image_pathname VARCHAR( 50 ) ,
image_author VARCHAR( 50 ) ,
image_description VARCHAR( 50 ) ,
genreID VARCHAR( 100 )
)
```

This is my HTML:

```html
<form method="post" action="upload_file.php" enctype="multipart/form-data">

            <p>
              Image Author:
            </p>
            <input type="text" name="image_author"/>

            <p>
              Please enter a description:
            </p>
            <input type="text" name="image_description"/>
            <p>
             Please upload an image.
            </p>
            <p>
              Photo:
            </p>
            <input type="hidden" name="size" value="350000">
            <input type="file" name="photo">

            <input TYPE="submit" name="upload" title="Add image/data to the Database" value="Add Image"/>
          </form>
```

and this is my php:

```php
<?php

//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);

//This gets all the other information from the form
$name= (isset($_POST['image_author']));
$description= ($_POST['image_description']);
$pic=($_FILES['photo']['name']);


// Connects to your Database
mysql_connect("localhost", "root", "root") or die(mysql_error()) ;
mysql_select_db("image_gallery") or die(mysql_error()) ;

//Writes the information to the database
mysql_query("INSERT INTO images (image_author, image_description, image_pathname)
VALUES ('$name', '$description', '$pic')") ;

//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{

//Tells you if it's all ok
echo "The file has been uploaded, and your information has been added to the directory <p> <a href='upload.php'> Go back</a>";
}
else {

//Gives an error if it's not
echo "Sorry, there was a problem uploading your file.";
}
?>
```
John Conde
Coli-Eza
  • **Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).** They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). **Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement)** instead, and **use [PDO](http://us1.php.net/pdo).** **[DANGER! You need to prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** – Jay Blanchard Jan 20 '15 at 14:19
  • You can also use `mysqli` functions, which will be easier to integrate into your code. – Spencer Wieczorek Jan 20 '15 at 14:22
  • @SpencerWieczorek, would this be okay to use, or could this also be deprecated? – Coli-Eza Jan 20 '15 at 14:26
  • @Coli-Eza Yes it's ok to use. Prepared statements and `mysqli` are equivalent in security. – Spencer Wieczorek Jan 20 '15 at 14:29
  • Whether you use PDO or mysqli, prepared statements should be implemented. – Strawberry Jan 20 '15 at 14:34

2 Answers

3

You are erroneously calling isset() when assigning your value to your variable. The result is you get a boolean value (which is what isset() returns) instead of the actual value of $_POST['image_author'].

```php
$name= (isset($_POST['image_author']));
```

should be

```php
$name= $_POST['image_author'];
```

FYI, you are wide open to SQL injections and using an obsolete API.

Zoe
John Conde
0

You can assign your form variables this way, and see the comment of Jay Blanchard about the MySQL API; use MySQLi or PDO instead, which will help you to write SQL-injection-free code.

```php
//This gets all the other information from the form
$name= (isset($_POST['image_author']))? $_POST['image_author']:'';
$description= (isset($_POST['image_description']))? $_POST['image_description']:'';
```
A l w a y s S u n n y
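The two points raised in the answers and comments above (read the field's value rather than the result of `isset()`, and bind values through a prepared statement instead of building the query string), combined in one added example that is not code from the question or from any answer. The helper names `field()` and `insert_image()` are hypothetical, and an in-memory SQLite database stands in for the MySQL `image_gallery` database so the script runs offline.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: in-memory SQLite replaces the page's MySQL database; for MySQL
// only the DSN changes, e.g. 'mysql:host=localhost;dbname=image_gallery'.

// Hypothetical helper: return a form field as a string, '' when it is absent.
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
}

// Hypothetical helper: insert one gallery row using bound parameters only.
function insert_image(PDO $pdo, array $post, array $files): int
{
    $author      = field($post, 'image_author');   // the value, not isset()'s boolean
    $description = field($post, 'image_description');
    $pic         = basename($files['photo']['name'] ?? '');  // drop client-supplied directories

    $stmt = $pdo->prepare(
        'INSERT INTO images (image_author, image_description, image_pathname)
         VALUES (:author, :description, :pathname)'
    );
    $stmt->execute([
        ':author'      => $author,
        ':description' => $description,
        ':pathname'    => $pic,
    ]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE images (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    image_pathname VARCHAR(50), image_author VARCHAR(50),
    image_description VARCHAR(50), genreID VARCHAR(100))');

// Constructed sample input: the author contains a quote character, which the
// question's string-built INSERT would treat as SQL syntax.
$post  = ['image_author' => "D'Arcy Example", 'image_description' => 'Sunset'];
$files = ['photo' => ['name' => '../uploads/sunset.jpg']];

$id  = insert_image($pdo, $post, $files);
$get = $pdo->prepare('SELECT image_author, image_pathname FROM images WHERE id = ?');
$get->execute([$id]);
print_r($get->fetch(PDO::FETCH_ASSOC));
```

In the real upload handler the same `insert_image()` call would receive `$_POST` and `$_FILES`, with `move_uploaded_file()` still responsible for storing the file itself.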