
I am an intermediate-level PHP and SQL developer working in a local XAMPP environment, building my first database-driven website. I am at the stage of moving from testing to implementation in a live context. I have been reusing my code during the testing period and have had all elements working, being able to upload files of all types, insert them into the DB and call them back.

I am getting a warning in the new implementation project which I am having great difficulty understanding as I have been following the same procedures throughout my testing period without much difficulty.

I simply want to upload a profile picture into a project DB. I have completed this process many times in testing.

Warning: Undefined array key "uploadFile" in C:\xampp\htdocs\phpTutorial\includes\pf.dbh.inc.php on line 18* Failure

upload.php (submit the file)

```html
<form action="includes/pf.upload_proj.inc.php" method="post" enctype="multipart/form-data">
    <input type="submit" name="submit" value="Upload Image"/><br />

    <input type="file" accept="image/*" name="uploadFile" onchange="preview_image(event);"><br>
</form>
```

pf.upload_proj.inc.php

```php
require_once 'config.php';
require_once 'pf.functions_proj.inc.php';
require_once 'pf.dbh.inc.php';

if(isset($_POST['submit'])) {

    $projName = $projAbrv = $projDesc = $uploadFile = "";

    $newFileName = $_POST['projAbrv'];
    if (empty($newFileName)){
        $newFileName = "uploadFile";
    } else {
        $newFileName = strtolower(str_replace(" ", "-", $newFileName));
    }

    $projName = $_POST['projName'];
    $projAbrv = $_POST['projAbrv'];
    $projDesc = $_POST['projDesc'];

    $file = $_FILES['uploadFile'];

    $fileName = $file['name'];
    $fileType = $file['type'];
    $fileTempName = $file['tmp_name'];
    $fileError = $file['error'];
    $fileSize = $file['size'];.....
```

pf.dbh.inc.php (connect to the DB)

```php
$projName = mysqli_real_escape_string($conn, $_POST["projName"]);
$projAbrv = mysqli_real_escape_string($conn, $_POST["projAbrv"]);
$projDesc = mysqli_real_escape_string($conn, $_POST["projDesc"]);
$uploadFile = mysqli_real_escape_string($conn, $_POST["uploadFile"]); *
//$projOrder = mysqli_real_escape_string($conn, $_POST["projOrder"]);

$sql = "INSERT INTO `project` ('projName', 'projAbrv', 'projDesc', 'uploadFile') VALUES ($projName, $projAbrv, $projDesc, $uploadFile);INSERT INTO `profile` (projName) VALUES ($projName);";.....
```

pf.functions_proj.inc.php (bind parameters)

```php
    mysqli_stmt_bind_param($stmt, "ssss", $projName, $projAbrv, $projDesc, $uploadFile);
    mysqli_stmt_execute($stmt);

    $resultData = mysqli_stmt_get_result($stmt);

    if ($row = mysqli_fetch_assoc($resultData)) {
        return $row;
    }
    else {
        $result = false;
        return $result;
    }

    mysqli_stmt_close($stmt);
}

function createUser($conn, $projName, $projAbrv, $projDesc, $uploadFile, $projOrder) {
    $sql = "INSERT INTO `project` (projName, projAbrv, projDesc, uploadFile, projOrder) VALUES (?, ?, ?, ?, ?);INSERT INTO `profile` (projName) VALUES ($projName);";
    $stmt = mysqli_stmt_init($conn);....
```
  • Please don't make code syntax invalid. Use code comments. – Markus Zeller Mar 29 '21 at 10:38
  • `$_POST["uploadFile"]` in that file should be `$_FILES["uploadFile"]`. Are you sure this all worked correctly during testing period? – brombeer Mar 29 '21 at 10:40
  • And `$_FILES["uploadFile"]` must be processed. Because you cannot add an array into a MySQL field. – Markus Zeller Mar 29 '21 at 10:41
  • You seem to be mixing both prepared statements and direct parameter injection. Stick to prepared statements whenever your query has a parameter, as that will protect you from SQL injection and automatically take care of quoting and escaping. Then you won't need to manually escape anymore, which is also a good thing, as that's [not enough to protect you from injection](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). – El_Vanja Mar 29 '21 at 10:52
  • Hi @brombeer, which file are you referring to? I have changed in 'pf.dbh.inc.php' and in 'pf.upload_proj.inc.php' with the same warning. I have copied and pasted from working examples, I have also tried various combinations of " " & ' ' syntax – SecretLife Mar 29 '21 at 10:54
  • The `pf.dbh.inc.php` mentioned in the error. You somehow have `$_POST["uploadFile"]` in there. In `pf.upload_proj.inc.php` you used `$_FILES['uploadFile']`, which is correct – brombeer Mar 29 '21 at 10:55

1 Answer

Thanks for all your comments on this issue. I have found a solution.

  1. First removed reference to "pf.functions_proj.inc.php".

  2. Removed reference to 2nd "INSERT INTO profile..." from the $sql statement in "pf.upload_proj.inc.php" & "pf.dbh.inc.php". (I believe that this is where the problem lay)

  3. Renamed all instances of "uploadFile" to "upload_file".
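
The comments on the question recommend reading the file from `$_FILES` rather than `$_POST`, storing a processed value instead of the array, and using prepared statements throughout. The following is an added example of that approach, not code from the original thread. The function name `saveProjectUpload`, the `$uploadDir` parameter, the 2 MiB cap and the list of allowed image types are assumptions; the table and column names are the ones shown in the question.

```php
<?php
// Added example, not the poster's code. Assumed: an open mysqli connection, the
// `project`/`profile` columns from the question, a writable $uploadDir, and an
// example policy of JPEG/PNG/GIF images up to 2 MiB.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
function saveProjectUpload(mysqli $conn, array $post, array $files, string $uploadDir): string
{
    // File inputs arrive in $_FILES, never in $_POST; check the key before use.
    $file = $files['uploadFile'] ?? null;
    if (!is_array($file) || ($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file received, or the upload failed.');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('Not an HTTP upload, or larger than 2 MiB.');
    }
    // Decide the type from the file's bytes; 'type' and 'name' are client-supplied.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }
    $projName = trim($post['projName'] ?? '');
    $projAbrv = trim($post['projAbrv'] ?? '');
    $projDesc = trim($post['projDesc'] ?? '');
    // Server-chosen file name: slug of projAbrv (as in the question) + random suffix.
    $slug = preg_replace('/[^a-z0-9-]/', '', strtolower(str_replace(' ', '-', $projAbrv)));
    $storedName = ($slug ?: 'upload') . '-' . bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
    $path = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not store the uploaded file.');
    }
    // One statement per prepare(); the column gets the file name, not the $_FILES array.
    $conn->begin_transaction();
    try {
        $stmt = $conn->prepare('INSERT INTO `project` (projName, projAbrv, projDesc, uploadFile) VALUES (?, ?, ?, ?)');
        $stmt->bind_param('ssss', $projName, $projAbrv, $projDesc, $storedName);
        $stmt->execute();
        $stmt = $conn->prepare('INSERT INTO `profile` (projName) VALUES (?)');
        $stmt->bind_param('s', $projName);
        $stmt->execute();
        $conn->commit();
    } catch (mysqli_sql_exception $e) {
        $conn->rollback();
        unlink($path); // do not leave an orphaned file behind
        throw $e;
    }
    return $storedName;
}
```

Call it from the `isset($_POST['submit'])` branch as `saveProjectUpload($conn, $_POST, $_FILES, $uploadDir)`, and keep `$uploadDir` somewhere the web server will not execute files from.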