
I would like to upload multiple images at once in PHP, but the images aren't moved to the folder and my media_image column in phpMyAdmin remains empty.

```html
<form action="" method="post" enctype="multipart/form-data">
    <div class="form-group">
        <label for="media_post_id">ALBUM</label>
        <select name="media_post_id" id="media_post_id">
            <?php show_albums_add_media_page(); ?>
        </select>
    </div>
    <div class="form-group">
        <label for="post_image">Post Image</label>
        <!-- name="file[]" makes every key of $_FILES['file'] an array with one entry per file -->
        <input name="file[]" id="post_image" type="file" multiple="multiple" />
    </div>
    <div class="form-group">
        <input class="btn btn-primary" type="submit" name="create_media" value="Publish Media">
    </div>
</form>
```
```php
function add_media(){
    if(isset($_POST['create_media'])) {

        $media_post_id = escape_string($_POST['media_post_id']);

        // With name="file[]", $_FILES['file']['name'], ['tmp_name'], etc. are arrays
        // indexed per file, so each value must be read with the loop index.
        // The original code passed the whole array to escape_string(), which fails.
        foreach ($_FILES['file']['tmp_name'] as $index => $tmpName) {
            if( !empty( $tmpName ) && is_uploaded_file( $tmpName ) )
            {
                // basename() strips any directory part from the client-supplied name
                $post_image = escape_string(basename($_FILES['file']['name'][$index]));
                move_uploaded_file($tmpName, "../images/$post_image" );
                // Note: nothing here verifies that the uploaded file is actually an image.
                $query = query("INSERT INTO mediatar(media_image,media_post_id) VALUES('{$post_image}','{$media_post_id}') ");
                confirm($query);
            }
        }

        set_message("<h4 class='bg-success'>New medias have been added!</h4>");
        redirect("index.php?media");
    }
}
```
  • I advise you to read [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1), as I assume `escape_string()` uses `mysqli_real_escape_string()`? `mysqli_real_escape_string()` can still be prone to injections when used wrong, and also `mysqli_real_escape_string()` is completely unsafe to use without setting a charset first with `mysqli_set_charset()`, like the PHP manual mentions. – Raymond Nijland Aug 06 '19 at 17:06
  • Also your code seems not to really check if the uploaded file is in fact an image, meaning PHP files can also be uploaded and executed on the server. I assume that is not what you want. – Raymond Nijland Aug 06 '19 at 17:09
  • This code snippet is integrated into the admin page of a website, so the SQL injection shouldn't be a big concern in this case. What should I change in order to upload those files? – Otto Fischer Aug 06 '19 at 17:11
  • *"What should I change in order to upload those files?"* I would suggest using a battle-tested upload module of a PHP framework, as making it yourself can be (very) time consuming and you can still get it wrong. – Raymond Nijland Aug 06 '19 at 17:13
  • Thank you for your suggestion :) However, since this is a portfolio for photos and the client isn't a noob, I don't think that we need verifications and so on. Just to upload them. I think that I have some problems in the foreach loop but I can't identify it :/ – Otto Fischer Aug 06 '19 at 17:18
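A hardened version of the upload loop, added here as an example and not code from the question or any answer: it reads each `$_FILES['file']` entry by index (the bug in the question), sniffs the MIME type on the server instead of trusting the client name, stores under a server-generated file name, and inserts with a prepared statement so the comments' SQL-injection and PHP-upload concerns are both covered. `$db` (an open `mysqli` connection), `$upload_dir` and the function name are assumptions.

```php
<?php
// Added example. Assumed: $db is an open mysqli connection, $upload_dir exists and is writable.
// Server-detected MIME type -> extension we store the file under (allowlist).
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Stores every accepted image from $_FILES['file'] into $upload_dir and mediatar; returns stored names. */
function store_uploaded_images(array $files, int $media_post_id, mysqli $db, string $upload_dir): array
{
    $stored = [];
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    // Prepared statement: file name and album id are bound, never concatenated into SQL.
    $stmt = $db->prepare('INSERT INTO mediatar (media_image, media_post_id) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // With name="file[]", every key of $_FILES['file'] is an array with one entry per file.
    foreach ($files['tmp_name'] as $index => $tmpName) {
        if ($files['error'][$index] !== UPLOAD_ERR_OK || !is_uploaded_file($tmpName)) {
            continue; // PHP-level upload failure, or a path that this request did not upload
        }
        // Sniff the content; the client-supplied name and type are not trusted.
        $mime = $finfo->file($tmpName);
        if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
            continue; // not an accepted image type (e.g. a script renamed to .jpg)
        }
        // Server-generated name: no path separators, no client-chosen extension.
        $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
        $target = rtrim($upload_dir, '/') . '/' . $name;
        if (!move_uploaded_file($tmpName, $target)) {
            continue;
        }
        $stmt->bind_param('si', $name, $media_post_id);
        $stmt->execute();
        $stored[] = $name;
    }
    $stmt->close();
    return $stored;
}

// Usage inside the form handler (assumed connection $db; charset set as the comment above advises).
if (isset($_POST['create_media'], $_FILES['file'])) {
    $db->set_charset('utf8mb4');
    $saved = store_uploaded_images($_FILES['file'], (int) $_POST['media_post_id'], $db, __DIR__ . '/../images');
}
```

Serve the images directory with script execution disabled (or keep it outside the web root) so a misclassified upload can never be executed by the web server.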
