
The 5 pictures I want to upload are used to display the product in a gallery where you click on each image to see it individually. I'm new to this, so any feedback on how to improve my code is appreciated :)

config.php:

<?php
session_start();

// connect to database
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "ecommerce_site";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>

manage.php:

<form method="POST" action="manage.php" enctype="multipart/form-data">
<input type="file" name="image[]" multiple>
<button type="submit" name="upload_product">Post</button>
</form>

admin-functions.php:

<?php
// $conn is created in config.php
require_once 'config.php';

if (isset($_POST['upload_product'])) {
    $filecount = count($_FILES['image']['name']);
    for ($i = 0; $i < $filecount; $i++) {
        // client-supplied filename, inserted into the query without escaping
        $filename = $_FILES['image']['name'][$i];
        // the original had a trailing comma after the last value, which is a syntax error
        $sql = "INSERT INTO products (picture, picture_2, picture_3, picture_4, picture_5) VALUES ('$filename', '$filename', '$filename', '$filename', '$filename')";

        if ($conn->query($sql) === TRUE) {
            echo "success";
        } else {
            echo "error";
        }
        move_uploaded_file($_FILES['image']['tmp_name'][$i], '../static/images/' . $filename);
    }
}
$result = mysqli_query($conn, "SELECT * FROM products");
?>

database

  • Do you want a single row containing all five pictures, each in their own column, or do you want five rows each containing their own picture? – Martheen May 23 '21 at 01:34
  • I want each row to contain one image please. – Ziad Choukri May 23 '21 at 01:42
  • Your $sql variable contains an extra COMMA at the end of the VALUES parenthesis that will result in "You have an error in your SQL statement...". Also, this is a super inefficient approach, issuing queries multiple times. You could combine the row values in parentheses and execute one single query to insert them all in the database. – Broken Arrow May 23 '21 at 02:28
  • Then why do you create five columns? – Martheen May 23 '21 at 02:32
  • It worked! Thank you Broken Arrow, rookie mistake... I know my code is inefficient, and I will try my best to improve it. – Ziad Choukri May 23 '21 at 07:06
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman May 23 '21 at 09:51
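The two points raised in the comments, one row per image and a prepared statement instead of string-built SQL, together with the upload checks the posted code lacks, can be put together as follows. This is an added example, not the asker's code or an answer from the thread. It assumes a separate table `product_images(product_id, picture)` (the question's `products` table with five picture columns cannot hold one row per image), a hidden `product_id` form field, that `config.php` from the question sits next to this file and defines `$conn`, and that the upload directory is `../static/images/` as in the question. The client-supplied filename is never used: it is neither written to disk nor placed in SQL, which removes both the injection and the path/extension problems of `move_uploaded_file(..., $filename)`.

```php
<?php
// Added example (not the original post's code). Assumptions: table
// product_images(product_id INT, picture VARCHAR), hidden field product_id,
// config.php as posted in the question defining $conn.
declare(strict_types=1);

require_once __DIR__ . '/config.php';

// make mysqli throw on any SQL error so failures cannot be silently ignored
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const UPLOAD_DIR = __DIR__ . '/../static/images/';
const MAX_IMAGES = 5;
const MAX_BYTES  = 2 * 1024 * 1024;
// MIME type detected from content -> extension we assign on disk
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate one uploaded file by PHP's error code, size, the uploaded-file
 * flag, the content-sniffed MIME type and a decode attempt.
 * Returns the extension to use for the stored file.
 */
function validate_image(string $tmpPath, int $errCode, int $size): string
{
    if ($errCode !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with error code $errCode");
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("unsupported type $mime");
    }
    if (getimagesize($tmpPath) === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    return ALLOWED_TYPES[$mime];
}

if (isset($_POST['upload_product'], $_FILES['image'])) {
    $productId = (int) ($_POST['product_id'] ?? 0);   // assumed hidden field
    $files     = $_FILES['image'];                    // arrays because of image[]
    $count     = count($files['name']);

    $conn->begin_transaction();
    try {
        if ($productId <= 0 || $count > MAX_IMAGES) {
            throw new RuntimeException('bad product id or too many images');
        }
        // one parameterized statement, executed once per image
        $stmt = $conn->prepare(
            'INSERT INTO product_images (product_id, picture) VALUES (?, ?)'
        );
        for ($i = 0; $i < $count; $i++) {
            $ext = validate_image($files['tmp_name'][$i], $files['error'][$i], $files['size'][$i]);
            // server-generated name: the client's filename never reaches disk or SQL
            $name = bin2hex(random_bytes(16)) . '.' . $ext;
            $stmt->bind_param('is', $productId, $name);
            $stmt->execute();
            if (!move_uploaded_file($files['tmp_name'][$i], UPLOAD_DIR . $name)) {
                throw new RuntimeException('could not store uploaded file');
            }
        }
        $conn->commit();
        echo 'success';
    } catch (Throwable $e) {
        // undo the rows of a partly-failed upload; files already moved are orphaned
        $conn->rollback();
        http_response_code(400);
        echo 'error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The random filename plus a fixed extension chosen from the detected MIME type is what prevents a `.php` or `../` name from the client ending up under `static/images/`; the directory should additionally be served as static files only, with no script execution, since the content checks above do not stop a valid image that also carries a PHP payload. With one row per image the five `picture_N` columns become unnecessary, which is the point Martheen raises in the comments.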

0 Answers