
We have a simple file uploading page that works; the thing that doesn't work is the added inputs. We need the inputs because we need some admin info for when we upload the files, such as a name and some other info such as the place the file was found and more. The input that labels the image works just fine. The only problem is that we do not get any entry into the table of the database, where we need the image name stored for later use with our web application. Our PHP code is as follows:

    <?php
    ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);
    $servername = 'localhost';
    $db_username = 'masterchangedforpublicpost';
    $db_pass = 'ChangedforPublicPost';
    $dbname = 'ourdatabase';
    // Other POST elements
    $img_name = $_POST["img_name"];
    $style_category = $_POST["style_category"];
    $style_found = $_POST["style_found"];
    $img_added = $_POST["img_added"];

    $conn = new mysqli($servername, $db_username, $db_pass, $dbname);

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "INSERT INTO Styles (img_name, style_category, style_found, img_added)  VALUES ('$img_name', '$style_category', '$style_found', '$img_added');";

    if (isset($_POST['submit'])) {
        $file = $_FILES['file'];

        $fileName = $_FILES['file']['name'];
        $fileTmpName = $_FILES['file']['tmp_name'];
        $fileSize = $_FILES['file']['size'];
        $fileError = $_FILES['file']['error'];
        $fileType = $_FILES['file']['type'];

        $fileExt = explode('.', $fileName);
        $fileActualExt = strtolower(end($fileExt));

        $allowed = array('jpg', 'jpeg', 'png', 'gif');

        if (in_array($fileActualExt, $allowed)) {
            if ($fileError === 0) {
                if ($fileSize < 200000000) {
                    $fileNameNew = uniqid('', true).".".$fileActualExt;
                    $fileDestination = $_SERVER['DOCUMENT_ROOT'].'/styleuploads/';
                    $moved = move_uploaded_file($fileTmpName, $fileDestination.$img_name.".".$fileNameNew);
                    header("Location: index.php?uploadyay");
                    exit;
                } else echo "Opps, your file is too big! It needs to be smaller than 200 Megabytes";
            } else {
                echo "There was an error uploading your file";
            }
        } else {
            echo "You can not upload files of that type";
        }
    }
    ?>

As you can tell, we put the connection and the PHP that we want to handle the data entry first, before the upload PHP; mainly we did this because we need the img_name to be added to the scope first.

Bama
  • **Your code is vulnerable to SQL injection and will be hacked** even if [you are escaping inputs!](https://stackoverflow.com/a/5741264/2595450) Use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – Spoody Apr 11 '18 at 00:49
  • It doesn't work because `$sql` isn't executed – Kevin Apr 11 '18 at 00:52
  • But I second the comment above, don't directly inject variables in the statement, prepare them instead – Kevin Apr 11 '18 at 00:52
  • It's gonna be on a password-protected, admin-only page, but thank you so very much for the feedback and reminder. Could you explain how I can get the `$sql` to be executed? – Bama Apr 11 '18 at 00:54
  • @Bama You should not use it anywhere, since it is more error-prone and potentially dangerous even in your "admin only" environment. I mentioned a nice solution for inserting parameters in your queries in the future, see my answer. – jirig Apr 11 '18 at 01:00

1 Answer


You have created your SQL query, but it hasn't been executed. You are missing something similar to this in your code:

    mysqli_query($conn, $sql);

You should have a look at the docs for more information - mysqli overview and an example

EDIT: It has been mentioned in the comments - please secure your SQL and never use this kind of code in production environments. For example see PDOStatement::bindParam, this is the preferred way.

jirig
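The fix that the comments and the answer both point to, as an added example that is not part of the original post or its answer: a parameterized insert into `Styles` using PDO, which the answer names as the preferred way. The `insertStyle` helper, the table schema, the sample values and the in-memory SQLite database (used so the example runs without a server) are assumptions; only the table name and its four column names come from the question.

```php
<?php
// Added example, not code from the post. The Styles schema is assumed;
// only the table name and four column names come from the question.
function insertStyle(PDO $pdo, string $imgName, string $category, string $found, string $added): int
{
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO Styles (img_name, style_category, style_found, img_added)
         VALUES (:img_name, :style_category, :style_found, :img_added)'
    );
    // execute() is the step the script in the question never performs.
    $stmt->execute([
        ':img_name'       => $imgName,
        ':style_category' => $category,
        ':style_found'    => $found,
        ':img_added'      => $added,
    ]);
    return (int) $pdo->lastInsertId();
}

// In-memory SQLite so this runs without a server. For the MySQL database
// in the question the DSN would start with 'mysql:host=localhost;dbname='.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly
$pdo->exec('CREATE TABLE Styles (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    img_name TEXT, style_category TEXT, style_found TEXT, img_added TEXT)');

// Constructed form values. Both names contain quote characters that would
// break or alter the string-built query from the question.
$rows = [
    ["O'Brien's chair", 'vintage', 'flea market', '2018-04-11'],
    ["chair'); --",     'modern',  'showroom',    '2018-04-11'],
];
foreach ($rows as [$name, $cat, $found, $added]) {
    $id = insertStyle($pdo, $name, $cat, $found, $added);
    echo "inserted row $id\n";
}

// Each value comes back exactly as submitted: it was stored as data, not parsed as SQL.
foreach ($pdo->query('SELECT id, img_name FROM Styles') as $row) {
    echo $row['id'], ': ', $row['img_name'], "\n";
}
```

In the upload script, the call belongs after `move_uploaded_file()` has returned true and before the redirect, so a row is written only for a file that was actually stored.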