-1

So I have a simple image uploading website I'm creating for a little project. It's all working just great, except for the file path column in the database.

For some reason it will sometimes include the variables i'm telling it to, and sometimes not.

$user = $_SESSION['user'];

//file properties
$fileName = $_FILES["uploadedImage"]["name"];
$fileType = $_FILES["uploadedImage"]["type"];
$fileSize = $_FILES["uploadedImage"]["size"];
$fileTempName = $_FILES["uploadedImage"]["tmp_name"];
$error = $_FILES["uploadedImage"]["error"];
$random = substr(md5(microtime()),rand(0,26),16); //create random characters to avoid name duplication.
$path = "uploads/" . $_SESSION['userName'] . $random . $fileName;

The path always contains "uploads/" but only sometimes would contain the session user name, random, and only rarely the filename, even on the same files. I'm echoing out these variables before I submit the form, and they are all correct before submitting the form and uploading to the database. All other columns are correctly filled when I submit the form. 

if ( isset( $_POST['formSubmit'] )) {

//prevent SQL injections and invalid inputs
$title = trim($_POST['title']);
$title = strip_tags($title);
$title = htmlspecialchars($title);
$title = mysqli_real_escape_string($db, $title);


$description = trim($_POST['description']);
$description = strip_tags($description);
$description = htmlspecialchars($description);
$description = mysqli_real_escape_string($db, $description);

if (empty($title) || strlen($title) < 1) {
    $titleError = "Title required.";
    $formError = true;
}


if ($formError) {
    $errorMessage = "Please fill out the upload form properly.";
} else {
    $query = mysqli_query($db, "INSERT INTO IMAGE(imageID,userID,title,description,path)
            VALUES('','$user','$title','$description','$path')");

Here's the form itself:

<form method="POST" action="<?php $_SERVER['PHP_SELF'] ?>">
        <div class="row">
            <div class="col-sm-12">
                <span class="errorText"><?php echo $errorMessage; ?></span>
                <br><br>
            </div>
        </div>
        <div class="row">
            <div class='col-sm-1'><!--spacer--></div>
            <div class="col-sm-2">
                <label for="title">Title:</label>
            </div>
            <div class="col-sm-6">
                <input  type="text" id="title" name="title" placeholder="Enter your image title here..." >
            </div>
            <div class="col-sm-2"><span class="errorText"><?php echo $titleError; ?></span></div>
            <div class='col-sm-1'><!--spacer--></div>
        </div>
        <br>
        <div class="row">
            <div class='col-sm-1'><!--spacer--></div>
            <div class="col-sm-2">
                <label for="description">Description:</label>
            </div>
            <div class="col-sm-6">
                <input type="text" id="description" name="description" placeholder="Describe your image here...">
            </div>
            <div class="col-sm-2"><span class="errorText"><?php echo $descriptionError; ?></span></div>
            <div class='col-sm-1'><!--spacer--></div>
        </div>
        <br>
        <br>
        <input type="submit" value="Submit" name = "formSubmit" id="formSubmit" class="btn">
        <br>
        <br>
    </form>
Martin
  • 22,212
  • 11
  • 70
  • 132
Bob Heinbokel
  • 19
  • 5

1 Answers1

1

The form is missing enctype="multipart/form-data" attribute.

<form method="POST" enctype="multipart/form-data">

Also, even if this is unrelated to the question, I strongly recommend you to use MySQLi prepared statement. It help you avoid SQL injection without the need to manually escaping parameters.

Jarzon
  • 615
  • 1
  • 6
  • 16