I need to upload some information like Name, Image to database using PHP.

I tried doing this:

Add_tour.php:

<?php
$app=new app();  
$targetDir = "/upload/";
if(isset($_POST['tour_name'])) {
    $tour_name=isset($_POST['tour_name'])?trim($_POST['tour_name']):'';
    $_SESSION['tour_name']=$tour_name;
}

if(isset($_POST['tour_img'])) {
    $tour_img=isset($_POST['tour_img'])?trim($_POST['tour_img']):'';
    $_SESSION['tour_img']=$tour_img;
    move_uploaded_file($_FILES["tour_img"]["tmp_name"],$targetDir);
}

$ID=$app->add_tour();
?>

<form action="/admin/add_tour.php" method="post">     
    <input type="text" class="form-control" id="tour_name" name="tour_name">
    <input type="file" data-toggle="custom-file-input" id="tour_img" name="tour_img">                
</form>

And then my app.class.php file:

public function add_tour(){
    $tour_name=isset($_SESSION['tour_name'])?$_SESSION['tour_name']:'';
    $tour_img=isset($_SESSION['tour_img'])?$_SESSION['tour_img']:'';

    $data="
        tour_name       ='".$this->db->escape($tour_name)."' ,
        tour_img        ='".$this->db->escape($tour_img)."'
    ";

    $id=0;

    if($tour_name!='' && $tour_img!='')
    {
        //find row
        $res=$this->db->RawQuery("SELECT id FROM table WHERE
            tour_name       ='".$this->db->escape($tour_name)."' AND
            tour_img        ='".$this->db->escape($tour_img)."'
            LIMIT 1;");
        foreach($res as $row)
            $id=$row['id'];
        if($id==0)
        {
            $id=$this->db->RawQuery("INSERT INTO table SET $data ;");

            $html.=ob_get_contents();
            ob_end_clean();
        }
    }

    return $id;
}

The problem is that only the name of the file will be added to the database. The file itself is not getting uploaded to the "upload" directory.

  • I don't know what is in `$this->db->escape()`, but this is certainly not preventing SQL injections. Use prepared statements instead – Cid Nov 29 '19 at 09:28
  • @Cid `$this->db->escape()` is a CodeIgniter function to escape query inputs. – jagad89 Nov 29 '19 at 09:33
  • @Cid, [go and read](https://codeigniter.com/userguide2/database/queries.html) and [this](https://stackoverflow.com/questions/5857386/how-to-avoid-sql-injection-in-codeigniter) – Aksen P Nov 29 '19 at 09:35

2 Answers

You have an error in your code:

move_uploaded_file($_FILES["tour_img"]["tmp_name"], $targetDir);

You forgot to pass the file name as well. Code should be:

move_uploaded_file($_FILES["tour_img"]["tmp_name"], $targetDir . $_FILES["tour_img"]["name"]);

Also make sure you have `enctype="multipart/form-data"` in your `<form>` tag.

  • _“Code should be:”_ - no, it should rather not. `$_FILES["tour_img"]["name"]` was specified by the client, so it should not be trusted, at least not without any further validation. – 04FS Nov 29 '19 at 09:46
  • I'm now getting `Undefined index: tour_img in /admin/add_tour.php on line 26`. Line 26 is: `move_uploaded_file($_FILES["tour_img"]["tmp_name"],$targetDir . $_FILES["tour_img"]["name"]);` – Amine Khaoui Nov 29 '19 at 09:58
  • That means you are not getting the file here. Can you try to print `$_FILES` and see if it prints a file array? – slab-dev Nov 29 '19 at 10:03
  • I did all that. And I fixed the undefined index error by adding `if(isset($_POST['submit']))`. I also added the tag you mentioned to `<form>`, and now nothing is added to the DB (even the image name). I believe the problem is in the file app.class.php – Amine Khaoui Nov 29 '19 at 10:10
  • I'm still stuck in this problem. Any ideas on what to try? – Amine Khaoui Nov 30 '19 at 10:45
Use the following attribute in your form

enctype="multipart/form-data"
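The following is an added example, not the asker's code or either answer's. It puts the points from this page together in one self-contained script: the `enctype="multipart/form-data"` attribute both answers mention, the destination file path that `move_uploaded_file()` needs (the first answer's fix), the comment by 04FS that the client-supplied `$_FILES[...]["name"]` must not be trusted, and the comment thread about replacing `$this->db->escape()` with a prepared statement. The table `tours(id, tour_name, tour_img)`, the SQLite file and the `upload/` directory under the script are assumptions for the example; PDO is used in place of the asker's `$this->db` wrapper.

```php
<?php
// Added example, not the asker's code or either answer's. It combines the
// points made on this page: the form needs enctype="multipart/form-data",
// move_uploaded_file() needs a destination file path rather than a directory,
// the client-chosen $_FILES[...]['name'] is never used for the stored file,
// and the INSERT uses a prepared statement instead of escaping.
// Assumed (hypothetical) schema: tours(id, tour_name, tour_img) in SQLite.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/upload';
const MAX_BYTES  = 2 * 1024 * 1024;                   // 2 MiB size cap
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function db(): PDO
{
    $pdo = new PDO('sqlite:' . __DIR__ . '/tours.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS tours (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        tour_name TEXT NOT NULL,
        tour_img  TEXT NOT NULL)');
    return $pdo;
}

// Validate one $_FILES entry and return the server-chosen file name.
function store_upload(array $file): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload parameters');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Accept only a file PHP itself received in this request's POST body.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Sniff the real content type; $file['type'] is client-controlled too.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Unsupported file type');
    }
    // Random server-side name with an extension taken from the sniffed type,
    // so the client's name cannot smuggle in "../" or a .php suffix.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/' . $name;                 // a file path, not a directory
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $name;
}

function add_tour(PDO $pdo, string $tourName, string $imgName): int
{
    $stmt = $pdo->prepare('INSERT INTO tours (tour_name, tour_img) VALUES (:n, :i)');
    $stmt->execute([':n' => $tourName, ':i' => $imgName]);
    return (int) $pdo->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $tourName = trim((string) ($_POST['tour_name'] ?? ''));
        if ($tourName === '' || !isset($_FILES['tour_img'])) {
            throw new RuntimeException('tour_name and tour_img are required');
        }
        $imgName = store_upload($_FILES['tour_img']);
        $id = add_tour(db(), $tourName, $imgName);
        echo 'Inserted tour id ' . $id;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
    exit;
}
?>
<!-- Without enctype="multipart/form-data" the browser sends only the file
     name as a text field and $_FILES['tour_img'] is never populated. -->
<form action="" method="post" enctype="multipart/form-data">
    <input type="text" name="tour_name">
    <input type="file" name="tour_img" accept="image/jpeg,image/png">
    <button type="submit">Add tour</button>
</form>
```

Two design choices worth noting: the stored name is generated on the server and the extension comes from the sniffed MIME type, so the database column holds a name the client never chose; and `upload/` is created next to the script only for the sake of a self-contained example, so in a real deployment keep that directory outside the document root or configure the web server not to execute anything placed in it.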