0

I'm trying to upload a file using a PHP form.

The file gets uploaded correctly, but what I cannot do for some reason is to save the file's name into the database.

This is what I'm doing:

```php
if (move_uploaded_file($tmp_name, "$root/docsCursos/$archivoFinal")) {
    $conectar = new PDO('mysql:host='.HOST.'; dbname='.DATABASE.'; charset=utf8', USER, PASS);
    $guardarArchivo = $conectar->prepare('UPDATE contenidos
                                        SET archivoContenido="$archivoFinal"
                                        WHERE contenidoID=$contenidoID
                                        ');
    $guardarArchivo->execute();
    echo 'Se cargo el archivo '.$archivoFinal.'<br>';
}
```

What I've checked:

The echo line "Se cargo el archivo ..." gets printed out.

The file is saved to the folder.

The names of the table and column are correct.

When I try to manually type the query into phpMyAdmin it works, so I guess the query is OK.

I've tried preparing the statement instead of doing it directly with the variables, but as it didn't work, I figured that it would be easier to find the error if I try the query directly.

The database connection does work, as it is used in the same file and it's not closed.

I've printed out the query itself on the screen to see if the variables are printed and they are not null, and they do get printed.

The error log doesn't show me anything.

What am I missing here?

Rosamunda
  • 2
    Unless my PHP knowledge is out of date, you can't reference variables inside single quotes, which your SQL query is using. I.e. `$foo = 'bar'; echo '$foo'` outputs "$foo". – Mitya Sep 23 '16 at 17:58
  • As hinted at above, switch your single- and double-quotes in your `prepare()` call. – Patrick Q Sep 23 '16 at 18:00
  • Can't believe it. Two hours figuring out what went wrong and yes... it was a silly mistake that was looking at me all the time. THANK YOU!! Please post the reply so I can accept it. – Rosamunda Sep 23 '16 at 18:01
  • **WARNING**: When using PDO you should be using [prepared statements](http://php.net/manual/en/pdo.prepared-statements.php) with placeholder values and supply any user data as separate arguments. In this code you have potentially severe [SQL injection bugs](http://bobby-tables.com/). Never use string interpolation or concatenation and instead use [prepared statements](http://php.net/manual/en/pdo.prepared-statements.php) and never put `$_POST` or `$_GET` data directly in your query. Refer to [PHP The Right Way](http://www.phptherightway.com/) for guidance with this and other problems. – tadman Sep 23 '16 at 19:07

1 Answer

3

The problem is you're trying to reference variables inside single quotes, which PHP will just interpret literally.

```php
$guardarArchivo = $conectar->prepare($sql = "UPDATE contenidos
                                    SET archivoContenido='$archivoFinal'
                                    WHERE contenidoID=$contenidoID
                                    ");
```

When you say the queries worked when you tried them manually, you weren't making this mistake. A good debug tip is to assign your compiled query to a var, like above, then just output that - then you'd have spotted the problem straight away:

```php
echo $sql; //<-- oh-uh, obvious problem
```
Mitya
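
The placeholder form that tadman's comment recommends, written out for the same `UPDATE` as an added example that is not part of the original thread. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database so it runs without a server; the function name `guardarArchivo()` and the sample values are constructed for illustration, and the same `prepare()`/`bindValue()`/`execute()` calls apply with the `mysql:` DSN from the question.

```php
<?php
// Added example: table and column names come from the question; the SQLite
// in-memory DSN and the sample values are constructed so this runs offline.
$conectar = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently (the default before PHP 8).
$conectar->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$conectar->exec('CREATE TABLE contenidos (
    contenidoID INTEGER PRIMARY KEY,
    archivoContenido TEXT
)');
$conectar->exec('INSERT INTO contenidos (contenidoID) VALUES (7)');

/**
 * Hypothetical helper: store the uploaded file name for one row.
 * Returns the number of rows the UPDATE changed.
 */
function guardarArchivo(PDO $db, int $contenidoID, string $archivoFinal): int
{
    // Single quotes are fine here: nothing is interpolated, and the values
    // travel to the driver separately from the SQL text.
    $stmt = $db->prepare('UPDATE contenidos
                          SET archivoContenido = :archivo
                          WHERE contenidoID = :id');
    $stmt->bindValue(':archivo', $archivoFinal, PDO::PARAM_STR);
    $stmt->bindValue(':id', $contenidoID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed file name with quote characters that would break or alter
// a query built by string interpolation.
$nombre = "informe'; -- \"final\".pdf";
$filas = guardarArchivo($conectar, 7, $nombre);

$guardado = $conectar
    ->query('SELECT archivoContenido FROM contenidos WHERE contenidoID = 7')
    ->fetchColumn();
echo "Rows updated: $filas\n";
echo ($guardado === $nombre) ? "Name stored unchanged\n" : "Name was altered\n";

// A zero row count means the WHERE clause matched nothing; check it
// separately from SQL errors, which now raise PDOException.
if (guardarArchivo($conectar, 999, 'otro.pdf') === 0) {
    echo "No row with contenidoID=999\n";
}
```

With `PDO::ERRMODE_EXCEPTION` set, a statement that fails at `execute()` raises a `PDOException` instead of returning `false` with nothing in the error log.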