0

I am trying to post a file into a Blob. I have created an HTML form that automatically posts when a file is selected:

<form id="target" method="post" name="frmImage" class="frmImageUpload" action="./post.php">  
  <div id="pic1">
    <input type="file" name="userfile" id="userfile" class="userfile"/>
  </div>
</form>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script type="text/javascript">
  $('#pic1').click(function(){ 
    $('#userfile').trigger('click'); 
  });
</script>

<script type="text/javascript">
  $('#userfile').change(function() {
    $('#target').submit();
  });
</script>

When I select a file the script is navigating me to post.php. But it is not posting anything to the database.

Here is my post.php:

<?php
    include_once '../../../../includes/connect.php';
    include_once '../../../../includes/functions.php';

    sec_session_start();

    $correct = true;

    if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {
      $fileName = $_FILES['userfile']['name'];
      $tmpName  = $_FILES['userfile']['tmp_name'];
      $fileSize = $_FILES['userfile']['size'];
      $fileType = $_FILES['userfile']['type'];
      $_SESSION['user_id'];

      $fp = fopen($tmpName, 'rb');
      $content = fread($fp, filesize($tmpName));
      $content = addslashes($content);
      fclose($fp);

        if(!get_magic_quotes_gpc())
        {
          $fileName = addslashes($fileName);
        }

        $query = "INSERT INTO temp (user_id, content) VALUES (". $_SESSION['user_id'] .", '$content')";
        mysql_query($query) or die(mysql_error()); 
        $msg = "<br>File <b>$fileName</b> uploaded<br>";

    }
    else
    {
        $msg = "<br>File <b>$fileName</b> not uploaded<br>";
    }
?>

Does someone know what is wrong with my script?

Edit: the error messages received are the following:

Notice: Undefined index: userfile in (...) on line 12

and

Notice: Undefined variable: fileName in in (...) on line 37

Lelio Faieta
John

2 Answers

2

According to your comment, you are getting the undefined index notice due to multipart/form-data.

You need to use enctype="multipart/form-data" in your <form> as:

<form id="target" method="post" name="frmImage" class="frmImageUpload" action="./post.php" enctype="multipart/form-data">  

Second, you need to define $fileName as $fileName = ''; at the top level declaration, otherwise you will get another undefined variable notice.

You need to declare it before this line:

if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {

as:

$fileName = '';
if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {

Third, mysql_* is a deprecated extension and closed in PHP7; I suggest you use mysqli_* or PDO.

Fourth, your code is wide open to SQL injection; to prevent SQL injection, you can use PDO.

Fifth, I don't know what this is: $_SESSION['user_id'];

Some useful links:

How can I prevent SQL injection in PHP?

Are PDO prepared statements sufficient to prevent SQL injection?

devpro
  • It solved the notice on line 12. But it is still not posting into my database. I still get `Notice: Undefined variable: fileName in in (...) on line 37` – John Apr 08 '19 at 15:26
  • @John: because you need to define this variable at top level `$fileName` – devpro Apr 08 '19 at 15:28
2

Your form must include the enctype='multipart/form-data' attribute. This attribute is required to upload files.

It'll look like:

<form id="target" method="post" enctype='multipart/form-data' name="frmImage" class="frmImageUpload" action="./post.php">  
  <div id="pic1">
    <input type="file" name="userfile" id="userfile" class="userfile"/>
  </div>
</form>

I recommend using move_uploaded_file. See more.

lcssanches
  • It solved the notice on line 12. But it is still not posting into my database. I still get `Notice: Undefined variable: fileName in in (...) on line 37` – John Apr 08 '19 at 15:26
  • @John, you do not need to check `isset($_POST['userfile'])` – lcssanches Apr 08 '19 at 15:27
  • @devpro, then, in this case `is_uploaded_file` – lcssanches Apr 08 '19 at 15:42
  • it's enough `if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {`? isn't it? – devpro Apr 08 '19 at 15:48
  • @devpro it is not about checking if we have or not a file, it is about security. Please, read: https://www.php.net/manual/function.is-uploaded-file.php – lcssanches Apr 08 '19 at 15:57
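
A version of the upload handler that combines the points raised in both answers: test `$_FILES` rather than `$_POST`, confirm the temp file with `is_uploaded_file`, and insert through a PDO prepared statement instead of `addslashes()` and concatenation. This is an added example, not code from the question or from either answer; the `temp` table, its columns and the `userfile` field come from the question, while the DSN, credentials, the `MAX_BYTES` cap, the `store_upload` name and the use of plain `session_start()` are assumptions.

```php
<?php
// Added example, not the poster's code. Assumptions: DSN and credentials are
// placeholders; MAX_BYTES is an arbitrary cap; store_upload() is a made-up name.
const MAX_BYTES = 2 * 1024 * 1024;

function store_upload(PDO $pdo, array $files, int $userId): string
{
    // File inputs arrive in $_FILES, never in $_POST, so only $_FILES is tested.
    $f = $files['userfile'] ?? null;
    if ($f === null || !is_int($f['error'])) {
        return 'Missing or malformed upload (is enctype="multipart/form-data" set?)';
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed with error code ' . $f['error'];
    }
    // Confirm tmp_name really is a file PHP received through HTTP POST.
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'Rejected: not an uploaded file';
    }
    if ($f['size'] === 0 || $f['size'] > MAX_BYTES) {
        return 'Rejected: empty or larger than ' . MAX_BYTES . ' bytes';
    }

    // Bound parameters keep the blob and the user id out of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO temp (user_id, content) VALUES (:uid, :content)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':content', file_get_contents($f['tmp_name']), PDO::PARAM_LOB);
    $stmt->execute();

    // The client-supplied file name is untrusted, so escape it before output.
    return 'File ' . htmlspecialchars($f['name'], ENT_QUOTES, 'UTF-8') . ' uploaded';
}

if (PHP_SAPI !== 'cli') {              // run the handler only for web requests
    session_start();
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    $pdo = new PDO(
        'mysql:host=localhost;dbname=example;charset=utf8mb4', 'db_user', 'db_pass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    echo store_upload($pdo, $_FILES, (int) $_SESSION['user_id']);
}
```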