-2

I am creating a forum that allows users to upload an image through an HTML form, which is then saved to a specific folder using PHP. Then I plan to use an SQL query to add a row to a table and include the filepath of an image selected, so that I can display it on another page.

I am fairly new to PHP and mySQL, and as such I have been using Google for a lot of my answers. However, I haven't been able to find anyone else who has encountered this issue and I haven't found any other SQL queries in my forum that encounter similar issues. Also, I haven't received any errors from my code.

<?php
include("../../../dbconn.php");
$cid = 1;
$scid = 1;
$topic_title = $_POST['topic-title'];
$content = $_POST['topic-content'];

$target_dir = "Saved Images/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.</br>";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
    mysqli_query($con, "INSERT INTO Artists_Looking_For_Writers (`category_id`, `subcategory_id`, `title`, `content`, `date_posted`, `imgName1`) VALUES ('".$cid."', '".$scid."', '".$topic_title."', '".$content."', NOW(), '".$_FILES['fileToUpload']['name']."');");
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

This should create a row in my table that contains a category id, subcategory id, title, content, date posted, and the name of my image. Instead, nothing is added to the table. This only happens when I include the imgName1 column in my SQL query. If I remove that and the command to get the name of the uploaded file then it runs perfectly.

Isaac Petersen
  • 1
  • 1
  • 2
    Also, you should really consider using prepared statements, this code is wide open to SQL injections attacks. – Jonnix Jul 26 '19 at 21:47
  • 1
    Using a prepared statement would also mean you wouldn't have to worry about quoting issues like this. – Don't Panic Jul 26 '19 at 21:59
  • One thing that will really help you is to set things up so that you can see MySQL errors. https://stackoverflow.com/questions/22662488/how-to-get-mysqli-error-information-in-different-environments-mysqli-fetch-as – Don't Panic Jul 26 '19 at 22:01
  • @Jonnix I'm not seeing where I messed up on my backticks, double quotes, and single quotes. Could you please point out where? – Isaac Petersen Jul 26 '19 at 23:11
  • @Don'tPanic I added that line to it and it gave me this error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''my Image'')' at line 1 in /Applications/XAMPP/xamppfiles/htdocs/dev/cc-Forum/topics/1/2/submit_topic.php:47 Stack trace: #0 /Applications/XAMPP/xamppfiles/htdocs/dev/cc-Forum/topics/1/2/submit_topic.php(47): mysqli_query(Object(mysqli), 'INSERT INTO Art...') #1 {main} thrown in /Applications/XAMPP/xamppfiles/htdocs/dev/cc-Forum/topics/1/2/submit_topic.php on line 47 – Isaac Petersen Jul 26 '19 at 23:17
  • @IsaacPetersen `$_FILES['fileToUpload']['name']` is a string. It's not quoted in your SQL. – Jonnix Jul 27 '19 at 09:48
  • @Jonnix I removed the quotation marks from it but that still didn't fix the problem. the issue seems to be with how the Query is being run, but I'm not sure what is in error. The query works just fine when I remove the imgName1 column selector. – Isaac Petersen Jul 27 '19 at 17:57
  • What? That made no sense. You removed quotes from what? I'm saying you're _missing_ quotes. – Jonnix Jul 27 '19 at 17:59
  • After removing the quotes from around that string, it gave me this error: `Uncaught mysqli_sql_exception: Unknown column 'laptop' in 'field list'`, but no where in my code is there the word 'laptop' – Isaac Petersen Jul 27 '19 at 18:01
  • I removed the single quotes that I was including around `@_FILES['fileToUpload']['name']` and it gave me that error instead. EDIT sorry I just realized that the code I posted here didn't have the single quotes in it. sorry – Isaac Petersen Jul 27 '19 at 18:04
  • Look at is this way. Echo your SQL statement like `echo "INSERT INTO Artists_Looking_For_Writers (\`category_id\`, \`subcategory_id\`, \`title\`, \`content\`, \`date_posted\`, \`imgName1\`) VALUES ('".$cid."', '".$scid."', '".$topic_title."', '".$content."', NOW(), ".$_FILES['fileToUpload']['name'].");";` You should see no quotes around the filename. If you're telling me your code in the question isn't correct, please update is asap. – Jonnix Jul 27 '19 at 18:13
  • Ok so when I `echo`ed the statement, it returned all of the correct results. The output I got from that was the same as what it should be adding to the database. And yeah the code in my question is updated now sorry. – Isaac Petersen Jul 27 '19 at 18:18
  • Ok so I fixed the problem. I just moved the Query out of the `if` statement, and it works now. – Isaac Petersen Jul 27 '19 at 18:24

1 Answers1

0

I fixed the problem. The problem was with my use of single and double quotes, and then I moved the query into a separate if statement, which resolved the issue.

Isaac Petersen
  • 1
  • 1