
ok so i setup my store and add items, but for some reason i got `C:\wamp64\tmp\phpB32E.tmp` in database for picture name instead of image name ...can't find mistake in code: [screenshot]

```php
$conn = mysqli_connect('localhost', 'root', '', 'webshop');

$cat = $_POST['cat'];
$subcat = $_POST['subcat'];
$name = $_POST['name'];
$brand = $_POST['brand'];
$img = $_FILES['file']['tmp_name'];
$img = $_FILES['fileone']['tmp_name'];
$price = $_POST['price'];
$desc = $_POST['description'];
$sale = 1;

if(isset($_POST["submit"])) {
    if(mysqli_query($conn, "insert into items ( category, subcategory, name,brand, img, price, description,sale ) values ('$cat', '$subcat', '$name', '$brand','$img','$price','$desc','$sale' )") === TRUE) {
        move_uploaded_file($_FILES['file']['tmp_name'], "../img_items/" . $_FILES['file']['name']);
        move_uploaded_file($_FILES['fileone']['tmp_name'], "../img_items/" . $_FILES['fileone']['name']);
        /* success */
    } else {
        /* failure */
        printf("Insert failed: %s\n", mysqli_error($conn));
    }
}
```
  • you need to backtrack to where it was working and when things started going South. – Funk Forty Niner Jul 26 '17 at 19:13
  • you're also overwriting your `$_FILES` temp array and the HTML for this would be a given. – Funk Forty Niner Jul 26 '17 at 19:14
  • it never worked...the other items i got i added through phpmyadmin manually...i got images in my img folder (2 images) with their names so no problem there...but in database are tmp names...idk why that is... – Sfjklm Jul 26 '17 at 19:15
  • I would suggest taking a look at my answer here: https://stackoverflow.com/questions/38509334/full-secure-image-upload-script/38712921#38712921 It will teach you a lot about security and image uploads. And there's also a library at the bottom that will handle all of it for you. – icecub Jul 26 '17 at 19:15
  • Funny, that's not what your screenshot suggests. – Funk Forty Niner Jul 26 '17 at 19:15
  • you're also trying to insert the file's temp file instead of its actual name and are missing a slash for it. – Funk Forty Niner Jul 26 '17 at 19:16
  • **CAUTION**: [Little Bobby Tables](http://bobby-tables.com/) says that you are currently **at risk** of [SQL Injection](https://www.w3schools.com/sql/sql_injection.asp) – GrumpyCrouton Jul 26 '17 at 19:20
  • You should really check the contents of the files before putting them in a web accessible directory. – chris85 Jul 26 '17 at 19:33
  • i'll do validation later (size, names etc...) for now i just need to insert quick items into database so i have something to work with on front page... – Sfjklm Jul 26 '17 at 20:09
  • Why don't you just download the Class at the bottom of the question I linked? It will give you everything you need. All you have to do is implement it in your own script. And if you open up the `index.php` file inside that class, it will tell you _exactly_ how to do that. – icecub Jul 26 '17 at 20:14
  • i'll check that... – Sfjklm Jul 26 '17 at 20:34

2 Answers

Firstly, you're overwriting your $img variable here, so only the last one is used, you should use 2 different ones for each (temp/named) file.

```php
$img=$_FILES['file']['tmp_name'];
$img=$_FILES['fileone']['tmp_name'];
```

and if you want to use those temp files:

```php
$img_temp_1 = $_FILES['file']['tmp_name'];
$img_temp_2 = $_FILES['fileone']['tmp_name'];
```

and use those in your move_uploaded_file() respectively.

Then, you're trying to insert the file's temp name into your database, rather than the name itself.

```php
$img_name_in_db_1 = $_FILES['file']['name'];
$img_name_in_db_2 = $_FILES['fileone']['name'];
```

Use one of the variables above to be inserted in your database.

You're also open to an SQL injection, use a prepared statement:

Consult the manual on handling files on php.net:


Edit:

Taken from the OP's answer: (now deleted)

"near 'S"

That's because of an SQL injection being the apostrophe causing this, to which a prepared statement needs to be used, or a minimal escaping for it such as mysqli_real_escape_string().

However, a prepared statement is much better/safer:

You could also use stripslashes() to keep the apostrophe:

Yet, you still need to safeguard against an SQL injection and protect yourself against potential harmful user input.

Funk Forty Niner

Try this code:

```php
$info = pathinfo($_FILES['file']['name']);
$ext = $info['extension'];
$newname = "fileone." . $ext;
// Build the destination inside the image folder before moving, so the file
// lands where the stored path says it is (not in the script's own directory).
$path = "../img_items/" . $newname;
if (move_uploaded_file($_FILES["file"]["tmp_name"], $path)) {
    /* success: $newname is the value to store in the img column */
} else {
    /* a failed move is a file-system error, not a MySQL one */
    printf("Upload failed for %s\n", $newname);
}
```
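Putting the two answers together, here is an added example (not code from the question or from either answer) of the insert handler with the fixes both answers describe: the stored value is a server-generated file name rather than `tmp_name`, the extension comes from the detected image type instead of the client's file name, and the row is written through a prepared statement so the apostrophe behind the `near 'S` error is bound as data. It assumes the question's `items` table and columns, the form fields `file` and `fileone`, and an `../img_items/` folder that the web server serves as static files only. The table shown in the question has a single `img` column, so only the first file's name is inserted; the second file is validated and moved but would need a column the question does not show.

```php
<?php
// Added example, not code from the question or either answer. It assumes the
// question's 'items' table and columns, the form fields 'file' and 'fileone',
// and an upload folder ../img_items/ that the web server does not execute.
declare(strict_types=1);

// Only these byte-level image types are accepted; the extension is derived
// from the detected type, never from the client-supplied name.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const UPLOAD_DIR = __DIR__ . '/../img_items/';
const MAX_BYTES  = 2 * 1024 * 1024;

/**
 * Validate one uploaded file and move it into UPLOAD_DIR under a
 * server-generated name. Returns the stored file name (this, not tmp_name,
 * is what belongs in the img column), or null if the upload is rejected.
 */
function store_image(string $field): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        return null;
    }
    // Inspect the file's bytes; the browser-supplied 'type' field is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // A random name cannot collide, cannot carry "../", and cannot end in .php
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($tmp, UPLOAD_DIR . $name)) {
        return null;
    }
    return $name;
}

$conn = mysqli_connect('localhost', 'root', '', 'webshop');
if ($conn === false) {
    exit('Connection failed: ' . mysqli_connect_error());
}

if (isset($_POST['submit'])) {
    // Validate and store the files first, so a rejected upload never leaves a row.
    $img    = store_image('file');
    $imgone = store_image('fileone');
    if ($img === null || $imgone === null) {
        exit('Upload rejected');
    }

    // Copy the form fields into plain variables: bind_param takes its
    // arguments by reference.
    $cat    = (string) ($_POST['cat'] ?? '');
    $subcat = (string) ($_POST['subcat'] ?? '');
    $name   = (string) ($_POST['name'] ?? '');
    $brand  = (string) ($_POST['brand'] ?? '');
    $price  = (float) ($_POST['price'] ?? 0);
    $desc   = (string) ($_POST['description'] ?? '');
    $sale   = 1;

    // Prepared statement: every value, apostrophes included, travels as bound
    // data rather than as part of the SQL text.
    $stmt = mysqli_prepare(
        $conn,
        'INSERT INTO items (category, subcategory, name, brand, img, price, description, sale)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        exit('Prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 'sssssdsi', $cat, $subcat, $name, $brand, $img, $price, $desc, $sale);
    if (mysqli_stmt_execute($stmt)) {
        echo "Item stored; image file {$img} (second file saved as {$imgone})\n";
    } else {
        printf("Insert failed: %s\n", mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
}
```

The name written to the database is the same one the file was moved under, so the front page can build `../img_items/` plus the `img` column and always find the file. Because the extension is chosen from the detected MIME type and the name is random, a client cannot make the stored file end in `.php` or point outside the upload folder, which is the risk chris85's comment is pointing at.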