I've worked out this code to upload properly along with some help and now I can't see the username in the database when I do upload the image. Is there something I need to include like session_start() into the upload file? I think I already have my session set whenever I log in.

    <?php

    $msg = "";
    if (isset($_POST['upload'])) {
        $target = "profile/images/".basename($_FILES['image']['name']);

        if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
            $db = mysqli_connect("localhost", "root", "", "database");
            $result = mysqli_query($con, "SELECT * FROM users WHERE username = '" . $username. "'");
            if ($row = mysqli_fetch_array($result)) {
                $_SESSION['username'] = $row['username'];
            }
            $username = $row['username'];
            $images = $_FILES['image']['name'];
            $sql = "INSERT INTO user (images,username) VALUES ('$images', '$username')";
            mysqli_query($db, $sql);
            $msg = "Image Uploaded Successfully";
            header("Location: images.php?uploadsuccess");
        } else {
            $msg = "There Was A problem uploading image";
        }
    }
    ?>

There might be something wrong with my query I believe.

    <?php
    session_start();

    if(isset($_SESSION['user_id'])) {
        header("Location: index.php");
    }

    include_once 'dbconnect.php';

    //set validation error flag as false
    $error = false;

    //check if form is submitted
    if (isset($_POST['signup'])) {
        $first_name = mysqli_real_escape_string($con, $_POST['first_name']);
        $last_name = mysqli_real_escape_string($con, $_POST['last_name']);
        $username = mysqli_real_escape_string($con, $_POST['username']);
        $email = mysqli_real_escape_string($con, $_POST['email']);
        $password = mysqli_real_escape_string($con, $_POST['password']);
        $cpassword = mysqli_real_escape_string($con, $_POST['cpassword']);
        $quote = mysqli_real_escape_string($con, $_POST['quote']);
        $who = mysqli_real_escape_string($con, $_POST['who']);

        //name can contain only alpha characters and space
            $sql = "SELECT * FROM users WHERE username = '".$username."'";
            $result = mysqli_query($con,$sql);
            if(mysqli_num_rows($result)>=1){
                $error = true;
                $username_error ='<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - That Username is already taken. Please use a different Username.
                                </div>';


            }else{
             }
            $sql = "SELECT * FROM users WHERE email = '".$email."'";
            $result = mysqli_query($con,$sql);
            if(mysqli_num_rows($result)>=1){
                $error = true;
                $email_exist ='<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - That E-mail already in use. Please use a different E-mail.
                                </div>';


            }else{
             }

        if (!preg_match("/^[a-zA-Z ]+$/",$first_name)) {
            $error = true;
            $firstname_error = '<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - First Name must contain only alphabets and space.
                                </div>';

        }

        if (!preg_match("/^[a-zA-Z ]+$/",$last_name)) {
            $error = true;
            $lastname_error = '<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - Last Name must contain only alphabets and space.
                                </div>';

        }

        if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
            $error = true;
            $email_error = '<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - Please Enter Valid E-mail.
                                </div>';
        }
        if(strlen($password) < 6) {
            $error = true;
            $password_error = '<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - Password must be minimum of 6 characters.
                                </div>';
        }
        if($password != $cpassword) {
            $error = true;
            $cpassword_error = '<div class="error-notice">
                                <div class="oaerror danger">
                                <strong>Uh oh!</strong> - Make sure your passwords match.
                                </div>';

        }
        if (!$error) {
            if(mysqli_query($con, "INSERT INTO users(first_name,last_name,username,email,password,quote,who) VALUES('" . $first_name . "', '" . $last_name . "', '" . $username . "', '" . $email . "', '" . md5($password) . "', '" . $quote . "', '" . $who . "')")) {
                $successmsg = '<div class="error-notice">
                                <div class="oaerror success">
                                <strong>Wooh!</strong> - Successfully Registered! <a href="login.php">Click here to Login</a>
                                </div>';

            } else {
                $errormsg = '<div class="error-notice">
                                <div class="oaerror info">
                                <strong>Hmm.</strong> - Error in registering...Please try again later.
                                </div>';


            }
        }
    }
    ?>

Karen Page
  • Where are you setting `$username`? Have you looked in the error logs for errors? – Jay Blanchard Aug 07 '17 at 19:42
  • I have not, how do I look for those errors? – Karen Page Aug 07 '17 at 19:44
  • You open the error logs for your web server in a text editor and look for the error generated when you tried to perform the query. – Jay Blanchard Aug 07 '17 at 19:46
  • I don't see any errors of the query. It uploads successfully, it's just that the username doesn't appear in the table on the database. – Karen Page Aug 07 '17 at 19:51
  • You are defining `$username` *after* you try to use it. You have to define it before you can use it. – Jay Blanchard Aug 07 '17 at 19:56
  • I updated my question. I think there is where I defined username – Karen Page Aug 07 '17 at 20:00
  • Which code is the real code? – Jay Blanchard Aug 07 '17 at 20:01
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Aug 07 '17 at 20:01
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 07 '17 at 20:02
  • The new code I just inserted is where I register the user. I figure that is where you define the username @JayBlanchard – Karen Page Aug 07 '17 at 20:03
  • Is the first code snippet separate from the second? If so, the first code snippet has no idea about `$username` until it is set in line 11. You try to use it in line 7, but since it isn't set yet, your query fails. It would appear that your logic is non-linear or assumes that once you set a variable it is remembered across scripts which is just not the case. – Jay Blanchard Aug 07 '17 at 20:05
  • Everything works out great, I am able to display the values on the page. Can you give me an example of setting it? – Karen Page Aug 07 '17 at 20:08
  • Because I am unable to follow your logic, I cannot give you an example. – Jay Blanchard Aug 07 '17 at 20:11
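
What the comments above recommend for the signup script, as an added example that is not code from the thread: the password is hashed with `password_hash()` instead of `md5()`, and values are bound through prepared statements instead of being escaped and concatenated. `register_user()` and `check_login()` are hypothetical helper names; `$con` is assumed to be the mysqli connection created by the question's `dbconnect.php`, and the login side is assumed, since the thread does not show it.

```php
<?php
// Added example, not from the thread. Table and column names are the ones in
// the question's INSERT. The password column must be wide enough for the hash
// (the PHP manual suggests 255 characters).

function register_user(mysqli $con, array $post): bool
{
    // Hash the raw password: no escaping, no trimming, no md5().
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);

    // Bound parameters replace mysqli_real_escape_string() and concatenation.
    $stmt = mysqli_prepare($con,
        "INSERT INTO users (first_name, last_name, username, email, password, quote, who)
         VALUES (?, ?, ?, ?, ?, ?, ?)");
    mysqli_stmt_bind_param($stmt, "sssssss",
        $post['first_name'], $post['last_name'], $post['username'],
        $post['email'], $hash, $post['quote'], $post['who']);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Assumed login check; the caller has already run session_start().
function check_login(mysqli $con, string $username, string $password): bool
{
    $stmt = mysqli_prepare($con, "SELECT password FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true, false on error, null when no row
    mysqli_stmt_close($stmt);

    if ($found !== true || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id after authentication
    $_SESSION['username'] = $username;   // later scripts read the username from here
    return true;
}
```

Rows already stored with `md5()` will not verify against `password_verify()`; those accounts need a password reset.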

1 Answer

You've not set $username in your code. Your SELECT query will not work properly. First of all, you have to set $username. Otherwise, you can get the username from the database by any other detail like useremail, userID, etc.

Muhammad Akif
  • In my code up there that I updated right under the first one, is that what you mean by defining the username? – Karen Page Aug 07 '17 at 20:01
  • No, he meant (as I did) defining `$username` in the first code block, which appears to be a separate script. – Jay Blanchard Aug 07 '17 at 20:18
  • Yes, in the second code you are defining $username. But the second code is totally different from the first one. Now where is the select query and table to show data in the second code? – Muhammad Akif Aug 08 '17 at 10:10
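
The point made in the answer and comments, as an added example that is not code from the thread: the upload script starts the session itself and takes the username from `$_SESSION` before using it. It assumes the login script stored `$_SESSION['username']`; the connection settings, the `user` table and its columns are the ones in the question, and the content-type allow-list and server-generated file name are added hardening, not something the thread asked for.

```php
<?php
// Added example, not from the thread.
session_start();                       // required in every script that reads $_SESSION

if (!isset($_SESSION['username'])) {   // not logged in: no user to attach the image to
    header("Location: login.php");
    exit;
}
$username = $_SESSION['username'];     // defined before anything uses it
$msg = "";

if (isset($_POST['upload'], $_FILES['image'])) {
    // Decide the type from the file's content, not from the client-supplied name.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = null;
    if ($_FILES['image']['error'] === UPLOAD_ERR_OK) {
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $finfo->file($_FILES['image']['tmp_name']);
    }

    if (!isset($allowed[$mime])) {
        $msg = "Only JPEG, PNG or GIF images are accepted";
    } else {
        // Server-generated name: no path components, no overwrites, no .php files
        // landing in a web-accessible directory.
        $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
        $target = "profile/images/" . $name;

        if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
            mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
            $db = mysqli_connect("localhost", "root", "", "database");
            // Prepared statement: values are bound, never concatenated into the SQL.
            $stmt = mysqli_prepare($db, "INSERT INTO user (images, username) VALUES (?, ?)");
            mysqli_stmt_bind_param($stmt, "ss", $name, $username);
            mysqli_stmt_execute($stmt);
            header("Location: images.php?uploadsuccess");
            exit;
        }
        $msg = "There Was A problem uploading image";
    }
}
?>
```

With `mysqli_report()` set this way a failed connection or query raises an exception instead of failing silently, which is the kind of error the comments suggest looking for in the web server's log.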