2

I am making an image uploading feature which stores the file name in the database and the photo in a folder called uploaded. These photos are being moved to the uploaded folder but for some reason I cannot save the file name in the database.

  • I have also ensured I have connected to the db and have all my columns referenced correctly. I am receiving no errors, the data is just not being stored in the database. 

    if(isset($_POST['pp_submit'])){
    session_start();
        $file = $_FILES['pp_file']['name'];
        $ppf_type = $_FILES['pp_file']['type'];
        $ppf_size = $_FILES['pp_file']['size'];
        $ppf_tmpname = $_FILES['pp_file']['tmp_name'];
        $ppf_err = $_FILES['pp_file']['error'];
    $var = $_SESSION['id'];

   if($ppf_err > 0){ header('Location: ../profile.php');}

    move_uploaded_file($ppf_tmpname,"../uploaded/".$file);
    mysql_query("INSERT INTO users (profile) VALUES ('$file') WHERE id = '$var'");


if(mysql_affected_rows()>0){
echo "Item added successfully.<br/>";}
else
{ echo "Item addition failed.<br/>"; }
header("Location: ../profile.php?id=$var");
}

My question is: Why isn't the file name passed through the database?

  • I am also curious as to why move_uploaded_file() is working but not the query directly below it.
Robert Tossly
  • 613
  • 1
  • 6
  • 14
  • 3
    `INSERT` with a `WHERE` clause? You are creating a new record. Surely you mean `UPDATE`? – Darragh Enright Aug 21 '15 at 08:50
  • 1
    Check `mysql_error()` after issuing the query. Besides, the `mysql_` functions are deprecated. Look into PDO or MySQLi and especially prepared statements. – Sirko Aug 21 '15 at 08:51
  • 3
    possible duplicate of [MySQL Insert Where query](http://stackoverflow.com/questions/485039/mysql-insert-where-query) – Darragh Enright Aug 21 '15 at 08:51
  • and also make sure that the 'uploaded' folder doesnt get served to the public, since that would probably allow for execution of files – BobbyTables Aug 21 '15 at 08:56

1 Answers1

6

That should be an update query instead of an insert query:

mysql_query("UPDATE users SET profile = '$file' WHERE id = '$var'");

Also note that:

  • You're using a deprecated API. Consider switching to the mysqli_* functions or using PDO.
  • You're wide open to SQL injection attacks. Consider using prepared statements.
Robby Cornelissen
  • 91,784
  • 22
  • 134
  • 156
  • Don't worry, I am definitely not finished yet. As for mysql_*, well blame the web hosting. I'd also like to know why `INSERT` does not work in this case? The field was empty previously. – Robert Tossly Aug 21 '15 at 08:53
  • `INSERT` inserts a new record, `UPDATE` updates an existing record. Whether or not the field is empty doesn't matter. – Robby Cornelissen Aug 21 '15 at 08:54
  • 1
    Ahhh ok, so a new instance would be `INSERT`, then any altercations (data change) to the instance after would be executed with `UPDATE`. – Robert Tossly Aug 21 '15 at 08:56
  • 1
    Why blame the web hosting? I'd be suprised a web hosting only allows the mysql_ library. If that really is the case, I'd change to a different hosting immediately. – Bv202 Aug 21 '15 at 09:02