
I am trying to create a way to upload an image with data to my server. I am successfully moving the image into the server folder but the data will not insert into the database.

Here is the webpage which has a form to fill out and select files, also establishes a connection to DB:

```php
<?php
session_start();
    include("shopconnection.php");
    include("shopfunctions.php");

    $user_data = check_admin($con);
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <link rel="stylesheet" href="../Presidio-Plants/style.css">
    <link rel="stylesheet" href="../public/shopitem.css">
    
    <title>Presidio Plants | Shop</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
    <div class="header">
    </div>
    <div class="navbar">
        <nav>
            <ul>
              <li><a href="index.html">Home</a></li>
              <li><a href="gardening.html" class="active">Gardening Forum</a></li>
              <li><a href="plant_exchange.html">Plant Exchange</a></li>
              <li><a href="about.html">About</a></li>
              <li><a href="login.html">Log in</a></li>
              <li><a href="signup.html">Sign up</a></li>
            </ul>
        </nav>
    </div>
    <!-- Shop upload area -->
    <div id="upload-container">
        <!--div to contain form for css purposes-->
        <div id="data">
            <!--form input-->
            <form action="upload.php" method="POST" enctype="multipart/form-data">
                <label for="plantimage">Plant Image:</label><br>
                <input type="file" id="plantimage" name="plantimage"/><br>
                <label for="plantName">Plant name:</label><br>
                <input type="text" id="plantName" name="plantName"/><br>
                <label for="price">Price:</label><br>
                <input type="text" id="price" name="price"/><br>
                <label for="description">Description:</label><br>
                <input type="text" id="description" name="description"/><br>
                <button type="submit" name="upload">Add to Shop</button>
            </form>

        </div>
        
    </div>

</body>
</html>
```

This is shopconnection.php:

```php
<?php
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "";
$dbname = "admin_list";

if(!$con = mysqli_connect($dbhost,$dbuser,$dbpass,$dbname))
{
    die("failed to connect");
}
```

And finally upload.php file:

```php
<?php
/* if submit is clicked*/
if ($_SERVER['REQUEST_METHOD'] == "POST"){
    $plantimage = $_FILES['plantimage'];
    $plantname = $_POST['plantName'];
    $plantprice = $_POST['price'];
    $plantdesc = $_POST['description'];

    $fileExt = explode('.',$_FILES['plantimage']['name']);
    $fileActualExt = strtolower(end($fileExt));

    /* create filename for image */
    $imagename = $plantname.".".$fileActualExt;
    $destination = 'items/'.$imagename;

    /* SAVE IMAGE TO DB */
    move_uploaded_file($_FILES['plantimage']['tmp_name'], $destination);

    /* PUSH OBJECT VALUES TO DB TABLE */
    $query = "INSERT INTO plants (imgloc,plantname,price,desc) VALUES ('$destination','$plantname','$plantprice','$plantdesc');";
    mysqli_query($con, $query);
    header("Location: shopupload.php?fileuploaded");
    die();
}
```
ouflak
Kirkulese
  • Make sure PHP and MySQL error reporting are turned on. When doing this kind of work, your code should stop at the problem line. For instance, if data isn't going into the database, don't perform a redirect or a die, just let your code continue, and possibly dump variables out to see. It is possible an error is showing and you are losing it with the redirect – Chris Haas Sep 27 '21 at 20:26
  • In addition to @ChrisHaas's comment, please use PDO or at least escape user-posted data before inserting it into the database. Right now your code is vulnerable to SQL injection. – TheBritishAreComing Sep 27 '21 at 20:28
  • Check your insert query! You’re having semicolons inside the double quotes – Shakti Goyal Sep 27 '21 at 20:48
  • Thanks for the tips, I figured out the issue was twofold: a) the connection was not established for the upload from the input page and b) I had a column titled desc in the database which was screwing up the query – Kirkulese Sep 27 '21 at 20:54
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 27 '21 at 22:24

1 Answer


I figured out the issue was twofold:

  1. The connection was not established for the upload from the input page.
  2. I had a column titled desc in the database which was screwing up the query since it is a keyword.
ouflak
Kirkulese
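
The two fixes from the answer, combined with the prepared statement and error reporting the comments recommend, as an added example that is not the asker's code. It assumes `check_admin()` from `shopfunctions.php` halts non-admin requests and that the `plants` table has the columns shown in the question; the extension allowlist and the server-generated filename are also additions, so that neither `plantName` nor the client's filename ends up in the stored path.

```php
<?php
// Added example (not the asker's code): upload.php with both fixes applied.
session_start();

// Make mysqli throw on errors so a failed INSERT is not hidden by the redirect.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require "shopconnection.php";   // fix (a): upload.php needs its own $con
require "shopfunctions.php";    // provides check_admin(), as on the form page
check_admin($con);              // assumption: halts the request for non-admins

if ($_SERVER['REQUEST_METHOD'] === "POST") {
    $file = $_FILES['plantimage'] ?? null;
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        die("upload failed");
    }

    // Assumption: only these image types are wanted in the shop.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        http_response_code(400);
        die("unsupported image type");
    }

    // Server-generated name: no user-supplied text is used in the path.
    $destination = 'items/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        http_response_code(500);
        die("could not store image");
    }

    // fix (b): desc is a reserved word, so the column name is backtick-quoted.
    // Values are bound as parameters and never concatenated into the SQL text.
    $stmt = $con->prepare(
        "INSERT INTO plants (imgloc, plantname, price, `desc`) VALUES (?, ?, ?, ?)"
    );
    $name  = $_POST['plantName'] ?? '';
    $price = $_POST['price'] ?? '';
    $desc  = $_POST['description'] ?? '';
    $stmt->bind_param("ssss", $destination, $name, $price, $desc);
    $stmt->execute();

    // Redirect only after the insert has succeeded.
    header("Location: shopupload.php?fileuploaded");
    exit;
}
```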