0

I'm creating a site that displays news uploaded on its admin panel.
Each post has an image and a title (and a description, but I haven't implemented it yet).
My problem is that when I try to post (and upload an image with it) the post is created, but the image doesn't exist.

uploader (php):

if (isset($_FILES['image'])) {

//this script
//connects to mysql database
//declares an array that contains table names (array name is db)
require_once("db.php");

//move file to the img folder
move_uploaded_file($_FILES['image']['tmp_name'], "img/" . $_FILES['image']['tmp_name']);

//upload the post to the database
$sql = "INSERT INTO `{$db["posts"]}` (`img`, `text`) VALUES ('img/{$_FILES['image']['tmp_name']}', '{$_POST["text"]}')";
if (!mysql_query($sql)) {
    //display error message
}

}

form (html):

<form action="post.php" method="POST" enctype="multipart/form-data">
    <label>Image: </label><input type="file" name="image" />
    <br />
    <label>Text: </label><input type="text" name="text" />
    <input type="submit" />
</form>

When I check the files via FTP after posting, the image doesn't exist.

GDavid
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[this happens](https://media.giphy.com/media/kg9t6wEQKV7u8/giphy.gif)**. It is deprecated and has been for years, and is gone for ever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Apr 24 '17 at 17:02
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Apr 24 '17 at 17:03
  • Paste this on top of php file `ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);` & check the errors. – Agam Banga Apr 24 '17 at 17:03

1 Answer

0

$_FILES['image']['tmp_name'] is an absolute pathname like /var/tmp/something. When you concatenate it to img/, you get a pathname that points into a subdirectory, img//var/tmp/something. Since the subdirectory doesn't exist, move_uploaded_file() fails.

You should use basename() to get just the filename portion.

$filename = 'img/' . basename($_FILES['image']['tmp_name']);
move_uploaded_file($_FILES['image']['tmp_name'], $filename);
$text = mysql_real_escape_string($_POST['text']);
$sql = "INSERT INTO `{$db["posts"]}` (`img`, `text`) VALUES ('$filename', '$text')";

I'm not really sure how safe using the name of the temp file this way is, though. I don't think there's any guarantee that it will never repeat the same name for different uploads.

Barmar
  • Thanks, it works! I don't know if temp names can repeat or not; I will check it and change it if I need to. – GDavid Apr 24 '17 at 17:43
  • You'll probably not be able to see repeats in testing, it's something that might only happen over a long period. – Barmar Apr 24 '17 at 17:46
  • A good solution to avoid duplicate names would be setting the file name to the upload's date and, if it already exists, adding something to the end of the file name (for example a -). – GDavid Jun 02 '17 at 16:19
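As an added example (not code from the question or the answer), here is how the upload handler looks once the points raised above are combined: the `basename()`-style avoidance of client path components, a server-chosen name that cannot collide between uploads, an image check on the file's actual content, and a prepared statement instead of string-built SQL. It assumes `db.php` provides an open PDO connection in `$pdo` and the table name in `$db['posts']`; both are assumptions, since the question only shows the array name.

```php
<?php
// Added example: hardened version of the upload handler from the question.
// Assumptions (not from the original post): db.php sets $pdo (an open PDO
// connection) and $db['posts'] (the posts table name).
require_once 'db.php';

function store_upload(array $file, string $dir): ?string
{
    // Accept only a real, error-free upload made through this HTTP request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Pick the extension from the file's content, not from anything the
    // client sent, and allow only the image types the site intends to serve.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Random, server-generated name: no path components from the client and
    // no reliance on the temp name, so two uploads cannot end up on one file.
    do {
        $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
        $dest = rtrim($dir, '/') . '/' . $name;
    } while (file_exists($dest));

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

if (isset($_FILES['image'], $_POST['text'])) {
    $path = store_upload($_FILES['image'], 'img');
    if ($path === null) {
        http_response_code(400);
        exit('Upload rejected');
    }
    // Prepared statement: the post text is bound as data and never spliced
    // into the SQL string. The table name cannot be a bound parameter, so it
    // comes from the trusted configuration only, never from the request.
    $stmt = $pdo->prepare("INSERT INTO `{$db['posts']}` (`img`, `text`) VALUES (?, ?)");
    $stmt->execute([$path, $_POST['text']]);
}
```

The `img/` directory must exist and be writable by the web server user, and should be served without PHP execution so an uploaded file is only ever treated as an image.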