-1

I want to insert text into a data table with $SQLStatement. I don't know a lot about this topic, but I have searched for a lot of information. I used $SQLStatement to insert the route of a photo in a folder into the database, and afterwards show the photo, but now I can't do the same with text. With the text I only want to insert the text in the database, not a route. So the problem that I have is that I can't insert text with the same method that I use to insert the route of the photos. The problem here is that I have a photo and the name of the photo. The route of the photo inserts correctly, but with the text I don't know how to do it all together, not separately.

Here is the form to enter the data:

<!DOCTYPE html>
<html lang="en">
<head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
 <link rel="stylesheet" href="lib/css/bootstrap.min.css">
 <title>Subir Imagen</title>
</head>
<?php
 /* Including the connection and passing the $_FILES array to the function */
 include 'MOST.coneccion.php';
 if(isset($_POST['save']))
 {
  $DBImagen->uploadImage($_FILES);
 }
?>
<body style="padding-top:80px;">
 <div class="container col-lg-6 col-lg-offset-3">
  <div class="panel panel-default">
   <div class="panel-heading" style="background-color:#81BEF7;">
    <div class="panel-title">
     <center><h3>Guardar Imagen con PHP</h3></center>
    </div>
   </div>
   <div class="panel-body">
    <form method="post" enctype="multipart/form-data">
    <div>
    <input name="price" placeholder="Price">
    </div>
    <div>
    <input name="name" placeholder="Name of the ph">
    </div>
     <div class="form-group">
      <input type="file" name="imagen"> 
     </div>
     <input type="submit" name="save" class="btn btn-primary">
    </form>
    <br>
    <table class="table">
     <tr>
      <th>#</th>
      <th>Imagen</th>
     </tr>
     
    </table>
   </div>
  </div>
 </div>
</body>
</html>

Here is the function with the $SQLStatement:

<?php

class DBImagen
{

 private $DBConexion;

 function __construct($Conexion)
 {
  $this->DBConexion = $Conexion;
 }

 
 /**********************************
 to save the picture, I don't know if I need to do the same for the text
 **********************************/
 public function uploadImage($Imagen)
 {
  $ruta = 'imagenes2/'.$Imagen['imagen']['name'];
  move_uploaded_file($Imagen['imagen']['tmp_name'],$ruta);
  $SQLStatement = $this->DBConexion->prepare("INSERT INTO productosima (imagen) VALUES (:url)");
  $SQLStatement->bindParam(":url",$ruta);
  $SQLStatement->execute();
     
 }
}

I'm open to new ideas. Thank you for the help, you make this community better.

Jack More

2 Answers

-1

You can catch the values of your form using the $_POST super global:

$price = $_POST['price'];
$name = $_POST['name'];

Then use them to prepare the SQL STATEMENT:

public function uploadImage($Imagen)
{
    $ruta = 'imagenes2/'.$Imagen['imagen']['name'];
    move_uploaded_file($Imagen['imagen']['tmp_name'],$ruta);
    $SQLStatement = $this->DBConexion->prepare("INSERT INTO productosima (imagen,precio,nombre) VALUES (?,?,?)");
    $SQLStatement->bind_param('sds', $ruta,$price,$name);
    $SQLStatement->execute();

}

Just a reminder: the argument may be one of four types: i - integer, d - double, s - string, b - BLOB.

Check out this answer for further explanation: Binding multiple values in pdo

Roldan
  • Now I'm using the $img, is it bad or is it the same? Because the $POST sees the data? – Jack More Oct 05 '19 at 02:41
  • It seems that the code you posted is not complete. I'm assuming you have access to the $_POST superglobal. There is no way to know how the class populates the $IMAGEN array using the feedback you entered in the question. – Roldan Oct 05 '19 at 02:47
  • I received this: Uncaught PDOException: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in the $SQLStatement->execute(); – Jack More Oct 05 '19 at 02:54
  • I'm sorry Roldan, the problem that I have now is with the $SQLStatement->execute(); thanks – Jack More Oct 05 '19 at 03:07
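
An added example (not code from the question or the answer) of the insert done with PDO, which is what the PDOException in the comments shows the connection to be: one named placeholder per column and one value per placeholder. The in-memory SQLite table, the `imagePath()` and `insertProduct()` helpers and the sample values are assumptions made so that it runs offline; the column names `precio` and `nombre` come from the answer above.

```php
<?php
// Build the stored path from the client-supplied file name.
function imagePath(string $clientName, string $dir = 'imagenes2/'): string
{
    // Keep only the last path component so the name cannot leave $dir.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    return $dir . $base;
}

function insertProduct(PDO $db, string $ruta, string $price, string $name): int
{
    if (!is_numeric($price)) {
        throw new InvalidArgumentException('price must be a number');
    }
    // Three placeholders, three values. A mismatch between the two is what
    // the HY093 "Invalid parameter number" error quoted in the comments reports.
    $stmt = $db->prepare(
        'INSERT INTO productosima (imagen, precio, nombre) VALUES (:url, :precio, :nombre)'
    );
    $stmt->execute([':url' => $ruta, ':precio' => $price, ':nombre' => $name]);
    return (int) $db->lastInsertId();
}

// Constructed setup: in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE productosima (id INTEGER PRIMARY KEY, imagen TEXT, precio REAL, nombre TEXT)');

// Constructed stand-ins for $_FILES['imagen']['name'] and $_POST.
$files = ['imagen' => ['name' => '../../sunset.JPG']];
$post  = ['price' => '12.50', 'name' => "O'Brien's sunset"];

$ruta = imagePath($files['imagen']['name']);
// In the real handler, move_uploaded_file($_FILES['imagen']['tmp_name'], $ruta)
// goes here, and the insert runs only if it returns true.
$id = insertProduct($db, $ruta, $post['price'], $post['name']);

print_r($db->query('SELECT * FROM productosima')->fetchAll(PDO::FETCH_ASSOC));
```

In the page's class, the two text fields would be passed in alongside `$_FILES`, for example as extra arguments to `uploadImage()`.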
-2

Some general advice. Use some database abstraction layer kind of SQL library. I use ADOdb, for example. I do not want to rewrite all my code just because the DB has been changed by the provider etc. Of course the paths have to be adjusted according to your environment.

        <?php
        $LW = substr($_SERVER['SCRIPT_FILENAME'], 0, 1); // i run this thing on 
                                                         // windows so i need a 
                                                         // drive letter for 
                                                         // sqlite
        include_once $LW . ':/WAMP64/www/adodb5/adodb.inc.php';
        include_once $LW . ':/WAMP64/www/adodb5/adodb-pager.inc.php';
        include_once $LW . ':/WAMP64/www/adodb5/toexport.inc.php';
        include_once $LW . ':/WAMP64/www/adodb5/tohtml.inc.php';
        include_once $LW . ':/WAMP64/www/adodb5/rsfilter.inc.php';

Now the thing is installed. We now have to define the connector. I use SQLite; in your case a password etc. might be required. This should be included from a file that is not reachable from the web. In my case it's simple, it's just an intranet tool for me, so this is enough. You have to read the ADOdb manual for your type of database. SQLite has no user and no password (in my case), so these fields are set to false. ADODB CONNECT manual

  $db = null;
  $db = newAdoConnection("sqlite3");
  $db->connect($init->dbfile, null, null, null);

Now the connector knows where the SQLite file is and how to handle this type of database. This is the only thing which depends on the database engine. See the ADOdb docs for your database. And now we are ready to generate an SQL string. There are plenty of ways to transmit the text string into your PHP script: the classic POST and GET globals, some session things. We keep it simple here.

 $txt=$_POST["txt"];

A totally bad idea would be to transfer the complete SQL string. A maximum horror scenario would be to also use $_GET for this. DO NOT!!! (Then everybody can fire up SQL commands just from the browser location field...) We generate the SQL statement HARDCODED! So it will be impossible to change from outside. It might also be an idea to check for "funny" characters in the text, or whether the text is way too long etc.

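$sql = "INSERT INTO artists (name) VALUES (?)"; // the SQL text is fixed; ? marks where the value goes

And now we just fire the thing up

$db->execute($sql, array($txt)); // ADOdb passes $txt as a bound value, not as SQL text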

That's it.

It works like that for all databases and connectors. Slightly different syntax, but the basics are the same.

As I said, even though I use SQLite, you can use whatever database you want. The only thing which changes with ADOdb is the setup for the connector, which can be nicely included. So if you want to change your database later, you just have to change the include file with the connector settings. ADOdb also has some more tricks under the hood. It's worth reading a bit there.

Have fun!

ADODB Database abstraction layer

Thomas Ludewig
  • Thanks, I solved the problem – Jack More Oct 05 '19 at 21:05
  • When I tried this the first time I was saying bad words the whole day :D – Thomas Ludewig Oct 06 '19 at 00:58
  • Hey, one question, what do you think about this: I created a search bar in my website, and I worked a lot with the usual thing of the if, mysqli, %% LIKE and all of this stuff, like the default that all people use. So I think, if I do this $SQLStatement = $this->DBConexion->prepare("SELECT * FROM productosima WHERE name LIKE'%$search%'"); is it a bad thing or is it correct? It works perfectly but it's in a public function. What is your opinion? – Jack More Oct 06 '19 at 02:29
  • Sooner or later you have to do something with the user data ;). But I won't let the user prepare the statement by himself. I would fetch the string values, check them, use some SQL escape library to ensure that the database cannot even interpret parts of them as a command. Google SQL injection. It will be safe if the user string is escaped and can ONLY be understood as text by the SQL interpreter. Then YOU can add the $sql= "SELECT * from table where xyz='.escape($Userdata).';" I don't write the escape thing myself, I would use a paranoid open-source community lib! – Thomas Ludewig Oct 06 '19 at 11:58
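
The search query from the comments above, as an added example that is not part of the original thread: the search term is passed as a bound parameter, a different technique from the escaping library suggested in the reply, and only the LIKE wildcards are escaped by hand. The in-memory SQLite table, its rows and the `likePattern()` and `searchProducts()` helpers are constructed for illustration; the `ESCAPE '\'` clause is written for SQLite and its quoting differs on other engines.

```php
<?php
// Escape the LIKE wildcards (% and _) and the escape character itself,
// so the user's text is matched literally between the two outer % signs.
function likePattern(string $search): string
{
    return '%' . addcslashes($search, '\\%_') . '%';
}

function searchProducts(PDO $db, string $search): array
{
    // The SQL text is constant. The search term travels as a bound value,
    // so quotes inside it are data and never SQL syntax.
    $stmt = $db->prepare(
        "SELECT name FROM productosima WHERE name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => likePattern($search)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed setup: in-memory database with three sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE productosima (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec(
    "INSERT INTO productosima (name) VALUES
     ('100% cotton shirt'), ('100 cotton towels'), ('O''Brien mug')"
);

// A term containing a wildcard character.
var_dump(searchProducts($db, '100%'));
// A term containing a single quote.
var_dump(searchProducts($db, "O'Brien"));
// A plain term.
var_dump(searchProducts($db, 'cotton'));
```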