-1

I'm developing a back end for my blog. The code to upload images is working as expected, but nothing is written to the database. When I submit, it uploads the image and moves it to the designated folder, but no record is inserted in the database. Here is the PHP for uploading. Is there any way to solve this issue?


```html
<form method="POST" action="functionabout.php" enctype="multipart/form-data">
    <div class="col-md-9">
        <!-- general form elements -->
        <div class="box box-primary">
            <div class="box-header with-border">
                <h3 class="box-title">Add About Content</h3>
            </div>
            <!-- /.box-body -->

            <div class="box-body">
                <div class="form-group">
                    <label for="heading">Heading</label>
                    <input placeholder="Write Heading" class="form-control" name="heading" type="text" id="heading" required>
                </div>
                <div class="form-group">
                    <label for="subheading">Sub Heading</label>
                    <textarea class="form-control" placeholder="Write Sub Heading" name="subheading" cols="50" rows="10" id="subheading" required></textarea>
                </div>
                <div class="form-group">
                    <label for="message">Message</label>
                    <textarea placeholder="Write Details" class="form-control" name="message" cols="50" rows="10" id="message" required></textarea>
                </div>
                <div class="form-group">
                    <label for="Filename">Signature</label>
                    <input name="Filename" type="file">
                </div>
            </div>
            <div class="box-footer fboxm">
                <button type="submit" class="btn btn-primary"><i class="fa fa-check icheck"></i>Submit</button>
                <button type="reset" class="btn btn-warning"><i class="fa fa-undo icheck"></i>Reset</button>
            </div>
        </div>
    </div>


    </div>
    <!-- /.box -->

    </div>
    <!-- right column -->
</form>
```
```php
<?php
// This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['Filename']['name']);

// This gets all the other information from the form
$Filename=basename( $_FILES['Filename']['name']);
$heading=$_POST['heading'];
$subheading=$_POST['subheading'];
$message=$_POST['message'];


// Writes the file to the server
if(move_uploaded_file($_FILES['Filename']['tmp_name'], $target)) {
    // Tells you if it's all OK
    echo "The file ". basename( $_FILES['Filename']['name']). " has been uploaded, and your information has been added to the directory";
    // Connects to your database
    $conn = mysqli_connect('localhost', 'root', '', 'db');
    // Writes the information to the database
    mysqli_query($conn,"INSERT INTO about (subheading,heading,message,signature)
    VALUES ('$subheading',$heading','$message','$Filename')") ;

} else {
    // Gives an error if it's not
    echo "Sorry, there was a problem uploading your file.";
}

?>
```

| Column | Type | Key |
|---|---|---|
| id | int(11) | PK |
| subheading | varchar(255) | |
| heading | varchar(255) | |
| message | varchar(255) | |
| signature | varchar(255) | |

I expect to upload both the file and update the database too.

Dharman
  • Did you get any error message? If not, you can use `error_reporting(E_ALL); ini_set('display_errors', TRUE); ini_set('display_startup_errors', TRUE);`. Furthermore, escape your query arguments. Your current code is highly vulnerable to SQL Injection Attacks. – Simon May 25 '19 at 09:01
  • And if `error_reporting` isn't enough for some reason you can try the `mysqli_error($conn)` function as described in the [examples here](https://www.php.net/manual/de/mysqli.query.php#refsect1-mysqli.query-examples). – dweipert May 25 '19 at 09:03
  • I have added those lines but it is still the same. No errors shown, no database input, but it uploads the file to the server. – Sambad Bidari May 25 '19 at 09:05
  • You are vulnerable to SQL injection. Please use prepared statements! – Dharman May 25 '19 at 09:07
  • Tried `mysqli_error($conn)`, no changes. – Sambad Bidari May 25 '19 at 09:07
  • It's about no query being executed in the database, not about SQL injection. I will fix the SQL injection later. – Sambad Bidari May 25 '19 at 09:09
  • SQL injection means that your query will fail for certain inputs whether you care about security or not. – Dharman May 25 '19 at 09:15
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman May 25 '19 at 09:20

1 Answer

0

Try this :

```php
$conn = mysqli_connect('localhost', 'root', '', 'db');
// Writes the information to the database
mysqli_query($conn,'INSERT INTO about (subheading,heading,message,signature)
    VALUES ("'.$subheading.'","'.$heading.'","'.$message.'","'.$Filename.'")') ;
```
ximewatch
  • No explanation and still vulnerable to SQL injection. – Dharman May 25 '19 at 09:08
  • The user is not asking about security. If he asks, then I will update the code to a more secure one. Prepared statements. – ximewatch May 25 '19 at 09:11
  • This is not only about security. This is incorrect way of making SQL statements. – Dharman May 25 '19 at 09:14
  • NP, don't use it in production, use prepared SQL statements instead. :) – ximewatch May 25 '19 at 09:14
  • @Dharman I'm on mobile, and I don't have any kind of IDE or tool installed on mobile, and you want me to write fully functional production code on mobile. You can't understand how hard it is to type code on mobile. – ximewatch May 25 '19 at 09:23
  • You can do it later once you are at the computer desk. Or just delete the answer since it was just a typo caused by the fact that OP didn't use prepared statements. I VTC as duplicate. – Dharman May 25 '19 at 09:26
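
The prepared-statement approach the comments recommend, as an added example that is not code from the question or the answer. It assumes the question's `about` table and connection settings; `insertAbout()` is a hypothetical helper name. With `mysqli_report()` set to strict mode a failed query throws instead of returning `false` silently, and bound parameters keep a value such as `Bob's blog` from breaking the statement.

```php
<?php
// Added example, not the asker's or answerer's code.
// Make mysqli throw mysqli_sql_exception on failure instead of returning false
// (this is the default from PHP 8.1; older versions need it set explicitly).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one row into the question's `about` table.
// Values are bound as parameters, so quotes inside them never reach the SQL text.
function insertAbout(mysqli $conn, string $subheading, string $heading,
                     string $message, string $filename): int
{
    $stmt = $conn->prepare(
        'INSERT INTO about (subheading, heading, message, signature)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $subheading, $heading, $message, $filename);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $file = $_FILES['Filename'] ?? null;
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('Sorry, there was a problem uploading your file.');
    }
    $filename = basename($file['name']);
    try {
        // Connection settings copied from the question.
        $conn = new mysqli('localhost', 'root', '', 'db');
        $conn->set_charset('utf8mb4');
        if (!move_uploaded_file($file['tmp_name'], 'images/' . $filename)) {
            throw new RuntimeException('move_uploaded_file failed');
        }
        $id = insertAbout($conn, $_POST['subheading'] ?? '',
                          $_POST['heading'] ?? '', $_POST['message'] ?? '', $filename);
        echo 'Saved row ' . $id;
    } catch (RuntimeException $e) {   // mysqli_sql_exception extends RuntimeException
        error_log($e->getMessage()); // full detail goes to the server log only
        http_response_code(500);
        echo 'Sorry, your information could not be saved.';
    }
}
```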