-2

I want to upload a file and save it to localhost. Here is my PHP:

<?php
$error = "error";

$con = mysql_connect('localhost','bayash_user','u)nHf,Ac)') or die($error);
mysql_select_db('bayansh_bc',$con) or die($error);

if (isset($_POST['submit'])) {

    $doc_name = $_POST['doc_name'];

    $name = $_FILES['myfile']['name'];
    $tmp_name = $_FILES['myfile']['tmp_name'];

    if ($name && $doc_name) {

        $location = "documents/$name";
        move_uploaded_file($tmp_name, $location);
        $query = mysql_query("INSERT INTO documents (name.path) VALUES ('$doc_name','$location')");
        header('Location:index.php');
    }else

    die("Field to print");
}
?>

and here is my html code:

<html>
<head>
    <title> Upload Documents</title>
</head>
<body>

    <form action="upload.php" method="post" enctype="multipart/form-data">

        <label>Document Name</label>
        <input type="text" name="doc_name">
        <input type="file" name="myfile">
        <input type="submit" name="submit" value="Upload">

    </form>
</body>
</html>

The file uploads successfully, but it doesn't add the name and path to the documents table.

Farhad paikan
  • 3
    **WARNING**: If you're just learning PHP, please, do not use the [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface. It’s so awful and dangerous that it was removed in PHP 7. A replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. Your user parameters are **not** [properly escaped](http://bobby-tables.com/php) and there are [SQL injection bugs](http://bobby-tables.com/) that can be exploited. – tadman Nov 22 '16 at 06:05
  • **WARNING**: Don't take in user provided filenames as these can be hostile and can over-write sections of your code or worse. It's best to use some kind of randomly generated identifier, like a UUID, to avoid exposing yourself this way. – tadman Nov 22 '16 at 06:06
  • @tadman can you edit it for me then???? : ) – Farhad paikan Nov 22 '16 at 06:07
  • 1
    I've supplied a bunch of links there on how to fix these problems. This code is extremely hazardous and I wouldn't put it live until you've addressed them. – tadman Nov 22 '16 at 06:08
  • @tadman I am new, so it is hard for me to fix it unless you guide me. I tried a lot : ( – Farhad paikan Nov 22 '16 at 06:14
  • To troubleshoot things, the easy way is to enable error reporting and then add debug code. To enable error reporting, use `error_reporting(E_ALL); ini_set("display_errors", 1);` To follow the flow of execution of the code, you can echo some random string inside control structures. – Ima Nov 22 '16 at 06:18
  • If you need mentoring that's understandable, and nothing to be ashamed of, but it's also a problem that Stack Overflow can't help with. The good news is there are many other sites that cater to exactly that thing. – tadman Nov 22 '16 at 06:18

1 Answer

-1

Try this:

<?php
$error = "error";

$con = mysql_connect('localhost','bayash_user','u)nHf,Ac)') or die($error);
mysql_select_db('bayansh_bc',$con) or die($error);

if (isset($_POST['submit'])) {

    $doc_name = $_POST['doc_name'];

    $name = $_FILES['myfile']['name'];
    $tmp_name = $_FILES['myfile']['tmp_name'];

    if ($name && $doc_name) {

        $location = "documents/".$name;
        move_uploaded_file($tmp_name, $location);
        $query = mysql_query("INSERT INTO documents (name,path) VALUES ('$doc_name','$location')");
        header('Location:index.php');
    }else

    die("Field to print");
}
?>
Dhaval Naphade
  • Care to mention (in your answer, as an edit) what you did/changed exactly? – Funk Forty Niner Nov 22 '16 at 12:49
  • I literally had to copy/paste both bodies of code to see the very minor difference. I'm not going to say what that is; you should have been the one to explain what you did and why it was needed. This makes for a very low-quality answer. Plus, you are leaving them open to a serious SQL injection. – Funk Forty Niner Nov 22 '16 at 12:54
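
The comments above flag two problems that the answer leaves in place: the SQL is built by string concatenation, and the client-supplied filename is used as the storage path. The following `upload.php` is an added example, not code from the question or the answer, showing both addressed with PDO prepared statements and a server-generated filename. The `DB_USER`/`DB_PASS` environment variables and the MIME allow-list are assumptions, and it requires the `fileinfo` and `pdo_mysql` extensions.

```php
<?php
// Added example: hardened upload.php. Credentials are read from the environment
// (DB_USER / DB_PASS are assumed names, not taken from the original post).
const UPLOAD_DIR = __DIR__ . '/documents';   // same folder the post writes to
const ALLOWED = [                            // assumed allow-list: MIME type => extension
    'application/pdf' => 'pdf',
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
];

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['myfile'])) {
    http_response_code(400);
    exit('No upload received');
}
$docName = trim((string)($_POST['doc_name'] ?? ''));
$file    = $_FILES['myfile'];

// Reject failed uploads and empty document names before touching disk or DB.
if ($file['error'] !== UPLOAD_ERR_OK || $docName === '') {
    http_response_code(400);
    exit('Upload failed or document name missing');
}

// Decide the type from the file content, never from the client-sent name or type.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!isset(ALLOWED[$mime])) {
    http_response_code(415);
    exit('File type not allowed');
}

// Server-generated name: the client-supplied filename never reaches the filesystem.
$stored   = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
$location = 'documents/' . $stored;
if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
    http_response_code(500);
    exit('Could not store file');
}

// Exceptions on: a malformed statement fails loudly instead of silently returning false.
$pdo = new PDO('mysql:host=localhost;dbname=bayansh_bc;charset=utf8mb4',
    (string) getenv('DB_USER'), (string) getenv('DB_PASS'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Placeholders keep $docName as data; it is never concatenated into the SQL text.
$stmt = $pdo->prepare('INSERT INTO documents (name, path) VALUES (:name, :path)');
$stmt->execute([':name' => $docName, ':path' => $location]);

header('Location: index.php');
exit;
```

The original display name is still available in the `name` column, so nothing is lost by discarding the uploaded filename; the `documents` directory should also be configured so the web server does not execute scripts from it.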