-2

Any idea why this wouldn't pass PO, AP, and Facility to the SQL insert statement? I tested with literal values and it works otherwise when I run a query to look for the values.

I'm at a loss, help?

```php
<?php
if (! empty($_FILES)) {
    $imagePath = isset($_FILES["file"]["name"]) ? $_FILES["file"]["name"] : "Undefined";
    $targetPath = "uploads/";
    $imagePath = $targetPath . $imagePath;
    $tempFile = $_FILES['file']['tmp_name'];

    $targetFile = $targetPath . $_FILES['file']['name'];

    if (move_uploaded_file($tempFile, $targetFile)) {
        echo "true";
    } else {
        echo "false";
    }
}
$po = $_GET["po"];
$ap = $_GET["ap"];
$facility = $_GET["facility"];

if (! empty($_GET["action"]) && $_GET["action"] == "save") {

    require_once ("db.php");

    print $sql = "INSERT INTO images_info (image_path, po, ap, facility) VALUES ('" . $imagePath . "', '" . $_GET["po"] . "', '" . $ap . "', '" . $facility . "')";

    mysqli_query($conn, $sql);
    $current_id = mysqli_insert_id($conn);
}
?>
<html>
<head>
<title>Add New Image</title>
<link rel="stylesheet" type="text/css" href="css/styles.css" />

<link rel="stylesheet" type="text/css" href="dropzone/dropzone.css" />
<?php echo "PO#: ".$po."<br />" ?>
<?php echo "AP#: ".$ap."<br />"  ?>
<?php echo "Facility#: ".$facility."<br />"  ?>
<script type="text/javascript" src="dropzone/dropzone.js"></script>
</head>
<body>
    <form name="frmImage" action="image-add.php?action=save"
        class="dropzone"></form>
    <div class="btn-menu">
        <a href="index.php" class="link">Back to List</a>
    </div>
</body>
</html>
```

Felix Reyes
  • Where are you passing the values from? – Nick Oct 29 '19 at 23:24
  • `$imagePath` is outside the `(! empty($_FILES))` `IF` statement, is there a chance your instantiation of this variable (& others like it) aren't able to be accessed outside the `(! empty($_FILES))` `IF` statement? Move everything below & including `$po = $_GET["po"];` inside the upper `IF` statement & try! – EGC Oct 29 '19 at 23:26
  • 2
    Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Oct 29 '19 at 23:34
  • 1
    You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysqli_error()`](http://php.net/manual/en/mysqli.error.php) to get a detailed error message from the database. – John Conde Oct 29 '19 at 23:35
  • Does this answer your question? [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement) – Dharman Oct 29 '19 at 23:35
  • [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) – Dharman Oct 29 '19 at 23:36
  • I don't see any of the inputs that are supposed to correspond with what you're using. – Funk Forty Niner Oct 30 '19 at 00:53

1 Answer

-1

I do not see any input fields in your form. Have a look at this comment on a Dropzone.js with PHP example. The gist itself should help you solve your problem.

So the form should be like this:

```php
<form name="frmImage" action="image-add.php?action=save" class="dropzone">
    <input type="hidden" name="po" value="<?php echo htmlspecialchars($po, ENT_QUOTES, 'UTF-8'); ?>">
    <input type="hidden" name="ap" value="<?php echo htmlspecialchars($ap, ENT_QUOTES, 'UTF-8'); ?>">
    <input type="hidden" name="facility" value="<?php echo htmlspecialchars($facility, ENT_QUOTES, 'UTF-8'); ?>">
</form>
```

Since it appears that you are not using a submit button in your form, here is an example snippet to pass form data along with your files in your post request:

```javascript
// Copy the hidden inputs into the multipart body Dropzone sends with each file.
myDropzone.on("sending", function(file, xhr, formData) {
    const poValue = document.querySelector("input[name=po]").value;
    formData.append("po", poValue);
    const apValue = document.querySelector("input[name=ap]").value;
    formData.append("ap", apValue);
    const facilityValue = document.querySelector("input[name=facility]").value;
    formData.append("facility", facilityValue);
});
```

You will have to adjust to your needs.

Yolo
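
The advice in the comments (prepared statements, checking for database errors) applied to the save step, as an added example that is not code from the question or the answer. It assumes `db.php` defines `$conn` as in the question and reads the three values from `$_POST`, where the answer's `sending` handler puts them; `read_fields`, `save_image`, the 64-character limit and the extension allowlist are hypothetical choices.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes db.php defines $conn (a mysqli connection), as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions
require_once "db.php";

// Return po/ap/facility from the POST body, or null if one is missing.
function read_fields(array $post): ?array
{
    $out = [];
    foreach (["po", "ap", "facility"] as $key) {
        $value = isset($post[$key]) ? trim((string) $post[$key]) : "";
        if ($value === "" || strlen($value) > 64) { // 64 is an assumed limit
            return null;
        }
        $out[$key] = $value;
    }
    return $out;
}

function save_image(mysqli $conn, array $file, array $fields): int
{
    // basename() drops any directory part sent in the client's file name.
    $name = basename($file["name"]);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ["jpg", "jpeg", "png", "gif"], true)) { // assumed allowlist
        throw new RuntimeException("file type not allowed");
    }
    $path = "uploads/" . $name;
    if (!move_uploaded_file($file["tmp_name"], $path)) {
        throw new RuntimeException("upload failed");
    }
    ["po" => $po, "ap" => $ap, "facility" => $facility] = $fields;
    $sql = "INSERT INTO images_info (image_path, po, ap, facility) VALUES (?, ?, ?, ?)";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("ssss", $path, $po, $ap, $facility); // values never enter the SQL text
    $stmt->execute();
    return (int) $conn->insert_id;
}

$fields = read_fields($_POST);
if ($fields === null || empty($_FILES["file"])) {
    http_response_code(400);
    exit("missing po, ap, facility or file");
}
try {
    echo save_image($conn, $_FILES["file"], $fields);
} catch (Throwable $e) {
    error_log($e->getMessage()); // details go to the server log, not to the client
    http_response_code(500);
    exit("save failed");
}
```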