
I am trying to create a form that inserts user data into a database table and uploads a file; however, I can't figure out how to add the file to a database. The form data enters with no problem, just not the file. Any help would be appreciated.

PHP Form:

    <form method="post" action="index.php" id="frm_add" enctype="multipart/form-data">
        <input type="hidden" value="add" name="action" id="action">
        <div class="form-group">
            <label for="medID" class="control-label">ID</label>
            <input type="hidden" class="form-control" id="medID" name="medID"/>
        </div>
        <div class="form-group">
            <label for="emp_id" class="control-label">Employee No:</label>
            <input type="text" class="form-control" id="emp_id" name="emp_id"/>
        </div>
        <div class="form-group">
            <label for="name" class="control-label">Full Name:</label>
            <input type="text" class="form-control" id="name" name="name"/>
        </div>
        <div class="form-group">
            <label for="title" class="control-label">Job Title:</label>
            <input type="text" class="form-control" id="title" name="title"/>
        </div>
        <div class="form-group">
            <label for="documents" class="control-label">Supporting Documents:</label>
            <input type="file" name="documents" class="form-control">
        </div>
        <div class="modal-footer">
            <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
            <button type="button" id="btn_add" class="btn btn-primary">Save</button>
        </div>
    </form>

insert.php

    <?php
    //include connection file 
    include_once("connection2.php");

    $db = new dbObj();
    $connString =  $db->getConnstring();

    $params = $_REQUEST;

    $action = isset($params['action']) != '' ? $params['action'] : '';
    $empCls = new Student($connString);

    switch($action) {
     case 'add':
        $empCls->insertStudent($params);
     break;
     case 'edit':
        $empCls->updateStudent($params);
     break;
     case 'delete':
        $empCls->deleteStudent($params);
     break;
     default:
     $empCls->getStudents($params);
     return;
    }

    class Student {
    protected $conn;
    protected $data = array();
    function __construct($connString) {
        $this->conn = $connString;
    }

    public function getStudents($params) {

        $this->data = $this->getRecords($params);

        echo json_encode($this->data);
    }
    function insertStudent($params) {
        $data = array();
        $sql = "INSERT INTO `employee` (emp_id, name, title, documents) VALUES('" . $params["emp_id"] . "', '" . $params["name"] . "','" . $params["title"] . "', '" . $params["documents"] . "');  "; 
        echo $result = mysqli_query($this->conn, $sql) or die("error to insert student data");
    }

What am I doing wrong, what do I need to add to documents? Any help will be appreciated.

Thanks

Funk Forty Niner
Talha S
  • 1
    Please read about [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). Instead of building queries with string concatenation, use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Jan 08 '19 at 16:55
  • 1
    `$_REQUEST` covers the GET and POST arrays, not FILES. Having error reporting enabled would have thrown you an undefined index. You need to do a bit of a rewrite here. – Funk Forty Niner Jan 08 '19 at 16:58
  • Hi Talha. On the web you can find a lot of examples of how to manage uploaded files with PHP. Here you can view one: https://www.w3schools.com/php/php_file_upload.asp Storing files in a DB is not very common. If you really want to do it, you can use blob fields. But you can store them in the filesystem or in an external storage system. – Curlas Jan 08 '19 at 17:07
  • 1
    @Curlas Please avoid linking to w3schools. It's very low-quality content and is often full of serious security holes and terrible advice. Whenever possible link to the [official manual](http://php.net/manual/en/index.php), or a higher-quality tutorial or explainer otherwise. – tadman Jan 08 '19 at 17:43
  • : "It looks like you're writing your own ORM. Have you considered using one that's already written, tested, and widely supported like [RedBeanPHP](https://redbeanphp.com/), [Doctrine](http://www.doctrine-project.org/), [Propel](http://propelorm.org/) or [Eloquent](https://laravel.com/docs/master/eloquent)?" – tadman Jan 08 '19 at 17:43

1 Answer


It's pointless to save a file inside the database. Get the file name only, nothing else.

    $info = pathinfo($_FILES['userFile']['name']);
    $ext = $info['extension']; // get the extension of the file
    $newname = "newname.".$ext;

    $target = 'images/'.$newname;
    move_uploaded_file( $_FILES['userFile']['tmp_name'], $target);

The code above is from here: How to upload & Save Files with Desired name

So what you need to do is save the name in your database and then just access that name with the path to that file that holds said "Name".

Frosty
  • You are right, but you can also save the file to the db by converting it to `blob` format; you also need to set the datatype of the `table column to blob` – Vinay Sheoran Jan 08 '19 at 17:06
  • Thank you for that information, so the $target is the folder path where it stores the file and only adds the name to the database? I have tried that but it's not actually adding anything to the database and I am guessing the problem is with my INSERT section: what do I change the document value to? Currently, it is '" . $params["documents"] . "' – Talha S Jan 08 '19 at 17:32
  • @TalhaS Debug your form with die(); before the insert method and print out your $_POST to see if something is missing there. If nothing is missing, then the issue is in the INSERT method – Frosty Jan 08 '19 at 17:34
  • The form is entering all the data into the database but it is still not entering the file name or uploading the file to the folder. – Talha S Jan 09 '19 at 08:37
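
The points raised in this thread (the file arrives in `$_FILES['documents']` rather than `$_REQUEST`, only the stored name goes into the table, and the INSERT should use bound parameters) combined into one handler, as an added example that is not code from the asker or any commenter. It assumes an open `mysqli` connection in `$conn`; `UPLOAD_DIR`, the type allowlist, the size limit and the function names are hypothetical.

```php
<?php
// Added example. Assumptions: UPLOAD_DIR is a hypothetical directory outside
// the web root; ALLOWED and MAX_BYTES are illustrative values.
const UPLOAD_DIR = '/var/app/uploads';
const ALLOWED = ['application/pdf' => 'pdf', 'image/png' => 'png', 'image/jpeg' => 'jpg'];
const MAX_BYTES = 5 * 1024 * 1024;

function storeUpload(array $file): string
{
    // Uploaded files are described in $_FILES, never in $_REQUEST or $_POST.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the content, not the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: no path traversal, no client-chosen extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

function insertEmployee(mysqli $conn, array $post, string $stored): void
{
    // Bound parameters keep user input out of the SQL text.
    $stmt = $conn->prepare(
        'INSERT INTO `employee` (emp_id, name, title, documents) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    $stmt->bind_param('ssss', $post['emp_id'], $post['name'], $post['title'], $stored);
    if (!$stmt->execute()) {
        throw new RuntimeException('insert failed');
    }
}

// Usage inside the 'add' branch of the request handler:
// $stored = storeUpload($_FILES['documents'] ?? []);
// insertEmployee($conn, $_POST, $stored);
```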