
Please help, anyone. I have been debugging for days. I am just having a problem I would be glad if you could help me with.

My image is failing to upload to my database. It doesn't even give me an error. It just uploads the other components of my query, leaving the image behind. Here is my code:

<?php
global $connection;
if(isset($_POST['submit'])){

    $post_category_id = $_POST['post_category_id'];
    $post_title = $_POST['post_title'];
    $post_author = $_POST ['post_author'];
    $post_status = $_POST['post_status'];

    $post_image = isset($_FILES['post_image']['image_name']);
    $post_image_temp = isset($_FILES['post_image']['temp_name']);

    $post_tags = $_POST['post_tags'];
    $post_comment_count = 4;
    $post_date = date('d-m-y');
    $post_content = $_POST['post_content'];
    $post_status = $_POST['post_status'];
    move_uploaded_file($post_image_temp, '../images/$post_image');

    $query = "INSERT INTO posts (post_category_id, post_title, post_author, post_status, post_image, post_tags, post_comment_count, post_date, post_content) VALUES ('{$post_category_id}', '{$post_title}', '{$post_author}', '{$post_status}', '{$post_image}', '{$post_tags}', {$post_comment_count}, now(), '{$post_content}') ";

    $result = mysqli_query($connection, $query);
    if ($result){
        echo "Post Published";
     } else {
         echo "(Error Code:" . $_FILES['post_image']['error'] . ")";
     }
 }
?>


<form action="" method="post" enctype="multipart/form-data">

    <div class="form-group">
       <label for="post_title">Title</label>
        <input type="text" name ='post_title' class="form-control" >
    </div>
    <div class="form-group">
       <label for="Post_author">Post Author</label>
        <input type="text" name ='post_author' class="form-control">
    </div>

    <div class="form-group">
       <label for="post_category_id">Post Category</label>
        <input type="text" name ='post_category_id'class="form-control" >
    </div>
    <div class="form-group">
       <label for="post_status">Post Status</label>
        <input type="text" name ='post_status' class="form-control">
    </div>
     <div class="form-group">
       <label for="post_image">Upload Image</label>
        <input type="file" name ="post_image" id="post-image" class="form-control" >
    </div>
      <div class="post tags">
       <label for="post_tags">Post Tags</label>
        <input type="text" name ='post_tags'class="form-control" >
    </div>
    <div class="post comment count">
       <label for="post_comment_count">Post Comment Count</label>
        <input type="text" name ='post_comment_count'class="form-control" >
    </div>

    <div class="form-group">
       <label for="post_date">post date</label>
        <input type="date" name ='post_date'class="form-control" >
    </div>
    <div class="form-group">
       <label for="post_content">Post content</label>
        <textarea name="post_content" id="" cols="30" rows="10"></textarea>
    </div>
    <input class= "btn btn-primary"type="submit" name = "submit" value="Publish Post">

</form>

Please note I have given full control permission to the location I am uploading from. I am sure you will notice the isset function on my image_name and image_temp_name; this is because without it I just get an undefined variable error after clicking on my submit button.

RiggsFolly
  • Learn about prepared statements to prevent SQL injection – Jens Aug 17 '17 at 15:07
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 17 '17 at 15:08
  • isset will not assign a value to a variable. – Ravinder Reddy Aug 17 '17 at 15:08
  • _Also_ `$post_image` will not be expanded in a single-quoted string literal – RiggsFolly Aug 17 '17 at 15:10
  • isset returns a boolean true or false – user3718908x100 Aug 17 '17 at 15:10
  • _ALSO_ If you are getting an error message please show ___all of the error message___ in your question. – RiggsFolly Aug 17 '17 at 15:11
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser. – RiggsFolly Aug 17 '17 at 15:13

1 Answer


You need to change the code for the file upload:

// check whether a file was uploaded without error
$post_image = '';
if (!empty($_FILES['post_image']) && $_FILES['post_image']['error'] == UPLOAD_ERR_OK) {
    // get the file name
    $post_image = $_FILES['post_image']['name'];
    // get the temporary path (the key is 'tmp_name', not 'temp_name')
    $post_image_temp = $_FILES['post_image']['tmp_name'];
    // move the uploaded file to the desired location on the server
    if (move_uploaded_file($post_image_temp, "../images/$post_image")) {
        echo "File successfully uploaded.\n";
    } else {
        echo "File not uploaded\n";
    }
}
Ravinder Reddy
  • Reminder that moving files to wherever the user says to move them is a super bad idea, this could be used to overwrite parts of your application. Instead give them names you fully control, like a UUID. – tadman Aug 17 '17 at 15:34
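
The comments on this page ask for two things the posted code lacks: a parameterized INSERT (Jens, RiggsFolly) and a file name the server controls (tadman). The following is an added example, not code from the question or the answer, that does both; it assumes `$connection` is an open mysqli handle, and the function name `store_post_image`, the allowed-type list and the 2 MiB limit are illustrative choices. A random 128-bit hex string stands in for the UUID tadman suggests.

```php
<?php
// Added example. Assumes $connection is an open mysqli handle; the type list,
// size limit and function name are illustrative, not from the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function store_post_image(array $file, string $dir): string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File larger than 2 MiB');
    }
    // Decide the type from the file's bytes, not the client-sent name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = $allowed[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Not an allowed image type');
    }
    // Server-generated name: the client's file name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('Could not move the uploaded file');
    }
    return $name;
}

if (isset($_POST['submit'], $_FILES['post_image'])) {
    try {
        $post_image = store_post_image($_FILES['post_image'], '../images');
        $post_comment_count = 4;
        // Placeholders keep every user-supplied value out of the SQL text.
        $stmt = mysqli_prepare($connection,
            'INSERT INTO posts (post_category_id, post_title, post_author,
                 post_status, post_image, post_tags, post_comment_count,
                 post_date, post_content)
             VALUES (?, ?, ?, ?, ?, ?, ?, NOW(), ?)');
        mysqli_stmt_bind_param($stmt, 'ssssssis',
            $_POST['post_category_id'], $_POST['post_title'], $_POST['post_author'],
            $_POST['post_status'], $post_image, $_POST['post_tags'],
            $post_comment_count, $_POST['post_content']);
        mysqli_stmt_execute($stmt);
        echo 'Post Published';
    } catch (RuntimeException $e) {   // also covers mysqli_sql_exception
        error_log($e->getMessage());  // details go to the log, not the browser
        echo 'Post not published';
    }
}
```

The stored `post_image` value is the generated name, so pages that render the post read the file under that name rather than the one the browser sent.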