
I have an HTML form where a user fills out a few details to register for a competition. I want them to be able to upload a photo. The PHP script successfully enters everything into the database except Photo Name and Photo. Any ideas why?

HTML:

```html
<form method="post" action="addboat.php">
  <p>Add your boat to the 2018 species hunt</p>

  <p>Boat Name :- <input type="text" name="boatname" size="42"></p>
  <p>Boat Make/Model :- <input type="text" name="boatmake" size="42"></p>
  <p>Skipper :- <input type="text" name="skipper"></p>
  <p>Photo:- <input type="file" name="file"></p>

  <input type="hidden" name="huntyear" value="2018">
  <p align="center"><input type="submit" value="Submit" name="B1"></p>
  <p align="center">&nbsp;</p>
</form>
```

PHP:

```php
$huntyear = $_POST['huntyear'];
$boatname = $_POST['boatname'];
$boatmake = $_POST['boatmake'];
$skipper = $_POST['skipper'];

// Image add
$imagename = $_FILES["file"]["name"];

// Get the content of the image and then add slashes to it
$imagetmp = addslashes(file_get_contents($_FILES['file']['tmp_name']));

$query_rsCatch = "INSERT INTO SpeciesHuntBoats (Year, BoatName, BoatMake, Skipper, PhotoName, Photo) VALUES
('$huntyear','$boatname','$boatmake','$skipper','$imagename','$imagetmp')";
$rsCatch = mysql_query($query_rsCatch, $webdb) or die(mysql_error());
```


RiggsFolly
OliVQ

  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code, **[this happens](https://media.giphy.com/media/kg9t6wEQKV7u8/giphy.gif)**. It is deprecated and has been for years, and is gone forever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Dec 20 '17 at 11:03
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Dec 20 '17 at 11:03
  • If you run `addslashes` on an image you are going to change the file. Probably into a format that NO LONGER is a valid image file – RiggsFolly Dec 20 '17 at 11:05
  • If you must store the actual file in a table, run base64encode on it first. But it is a whole lot simpler to store the file on the filesystem and just keep the location in the database – RiggsFolly Dec 20 '17 at 11:06
  • Thank you, I will research the above – OliVQ Dec 20 '17 at 11:17

2 Answers


You should use multipart form-data in your form:

```html
<form action="action_page" method="post" enctype="multipart/form-data">
```

halojoy

When you make a POST request, you need to encode the data that forms the body of the request. HTML forms provide multipart/form-data, which is significantly more complicated, but it allows entire files to be included in the data. `enctype='multipart/form-data'` is used when you want to upload a file (images, text files, etc.) to the server.

A.D.
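
The points raised in the comments and answers above (multipart encoding, prepared statements, keeping the file on disk and only its location in the table) combined into one handler, as an added example that is not part of any post on this page. It assumes the `Photo` column stores a path; `storePhoto`, `UploadError`, the size limit, the upload directory and the database credentials are hypothetical placeholders.

```php
<?php
// Added example (not the asker's code). Assumptions: the form sends
// enctype="multipart/form-data", the Photo column holds a file path, and the
// DSN, credentials and upload directory below are placeholders.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

class UploadError extends RuntimeException {}

function storePhoto(array $file, string $uploadDir): string
{
    // Without the enctype $_FILES is empty; other failures are reported in 'error'.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new UploadError('Upload failed or no file was sent');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new UploadError('File too large');
    }
    // Decide the type from the file's bytes, not the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED[(string) $mime] ?? null;
    if ($ext === null) {
        throw new UploadError('Not an accepted image type');
    }
    // Server-generated name: the original name never becomes part of a path.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything that is not a genuine PHP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new UploadError('Could not store the file');
    }
    return $target;
}

try {
    $path = storePhoto($_FILES['file'] ?? [], '/path/to/uploads'); // placeholder directory
    $db = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Bound parameters keep every value, the file name included, out of the SQL text.
    $stmt = $db->prepare('INSERT INTO SpeciesHuntBoats
        (Year, BoatName, BoatMake, Skipper, PhotoName, Photo) VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([$_POST['huntyear'] ?? '', $_POST['boatname'] ?? '',
        $_POST['boatmake'] ?? '', $_POST['skipper'] ?? '',
        basename($_FILES['file']['name']), $path]);
    echo 'Boat added';
} catch (UploadError $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```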