I am creating a library management system, and I am also adding e-books. Adding an e-book with a PDF file and an image is working. They are stored in their designated folders and inserted into the database. But the problem now is when I create the "edit e-book" part. I added a feature so that if they want to overwrite the existing PDF file or image, they can update it. I used checkboxes so that they could pick what to update and include: a PDF file, an image, or both of them. The problem is that when I include either of the two and click the update button, it just unlinks the PDF file and the image. So in the database, the PDF name and the image name of the old ones are still there, and the new file I chose is not inserted.

Picture of the checkboxes I wanted to work: https://i.stack.imgur.com/0MEXh.jpg

My code:

    <!-- PDF -->
    <div class="form-group">
        <input id="checkbox-id" type="checkbox" name="upload[]" value="PDF File" class="righty">
        <label class="rightx" for="checkbox-id"> Include E-Book</label>
        <label class="control-label col-md-4" for="file"></label>
        <div class="col-md-4">
            <input id="subject" type="file" name="pdf" value="" class="form-control col-md-7 col-xs-12">

            <?php
            include '../include/dbcon.php';

            if (isset($_POST['update11'])) {
                $checkbox=$_POST['upload'];

                foreach($checkbox as $item){

                    $sql="SELECT pdf FROM ebooks WHERE ebook_id = " . $_GET['ebook_id'];
                    $query=mysqli_query($con,$sql);
                    while ($info=mysqli_fetch_array($query)) {
                        unlink("../../ebooks/" . $info['pdf']);
                    }

                    $pdf=$_FILES['pdf']['name'];
                    $pdf_type=$_FILES['pdf']['type'];
                    $pdf_size=$_FILES['pdf']['size'];
                    $pdf_tem_loc=$_FILES['pdf']['tmp_name'];
                    $pdf_store="../../ebooks/".$pdf; // This line is for editing the PATH for storing PDF Files.

                    try {
                        move_uploaded_file($pdf_tem_loc,$pdf_store);
                    } catch(\Exception $e) {
                        die($e);
                    }

                    mysqli_query($con," UPDATE ebooks SET pdf='$pdf',pdf_type='$pdf_type',pdf_size='$pdf_size',pdf_tem_loc='$pdf_tem_loc',pdf_store='$pdf_store' WHERE ebook_id = '$id' ")or die(mysql_error());
                    echo "<script>alert('Successfully updated!'); history.go(-2);</script>";
                }
            }
            ?>
        </div>
    </div>

    <!-- Image -->
    <div class="form-group">
        <input id="checkbox-id2" type="checkbox" name="upload[]" value="Image File" class="rights">
        <label class="rightx" for="checkbox-id2"> Include Image</label>
        <label class="control-label col-md-4" for="file"></label>
        <div class="col-md-4">
            <input id="subject" type="file" name="image" value="" class="form-control col-md-7 col-xs-12">

            <?php
            include '../include/dbcon.php';

            if (isset($_POST['update11'])) {
                $checkbox=$_POST['upload'];

                foreach($checkbox as $item){

                    $sql="SELECT ebook_img FROM ebooks WHERE ebook_id = " . $_GET['ebook_id'];
                    $query=mysqli_query($con,$sql);
                    while ($deli=mysqli_fetch_array($query)) {
                        unlink("../../images/" . $deli['ebook_img']);
                    }

                    $ebook_img=$_FILES['image']['name'];
                    $img_size=$_FILES['image']['size'];
                    $img_tem_loc=$_FILES['image']['tmp_name'];
                    $img_store="../../images/".$ebook_img; // This line is for editing the PATH for storing Images.

                    try {
                        move_uploaded_file($img_tem_loc,$img_store);
                    } catch(\Exception $e) {
                        die($e);
                    }

                    mysqli_query($con," UPDATE ebooks SET ebook_img='$ebook_img',img_size='$img_size',img_tem_loc='$img_tem_loc',img_store='$img_store' WHERE ebook_id = '$id' ")or die(mysql_error());
                    echo "<script>alert('Successfully updated!'); history.go(-2);</script>";
                }
            }
            ?>
        </div>
    </div>


    <div class="ln_solid"></div>
    <div class="form-group">
        <div class="col-md-9 col-sm-9 col-xs-12 col-md-offset-5">
            <a href="ebook.php"><button type="button" class="btn btn-primary"><i class="fa fa-times-circle-o"></i> Cancel</button></a>
            <button type="submit" name="update11" class="btn btn-success"><i class="glyphicon glyphicon-save"></i> Update</button>
        </div>
Noobie
    In your updates, you have `WHERE ebook_id = '$id'`, but you never defined `$id`. It actually should throw an error since the query would result in: `WHERE ebook_id =` which is invalid. – M. Eriksson Jun 04 '22 at 14:37
  • **Warning!** You're open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Jun 04 '22 at 14:38
  • Does this answer your question? [How to deal with mysqli problems? mysqli\_fetch\_array(): Argument #1 must be of type mysqli\_result](https://stackoverflow.com/questions/22662488/how-to-deal-with-mysqli-problems-mysqli-fetch-array-argument-1-must-be-of-t) – M. Eriksson Jun 04 '22 at 14:41
  • And since you're mixing `mysql_*` and `mysqli_*` functions, you should also read [Can I mix MySQL APIs in PHP?](https://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php) – M. Eriksson Jun 04 '22 at 14:42
  • Btw, wouldn't it be better to check if they submitted a new file before removing the old one? As it is now, if someone accidentally submitted the form with one of the checkboxes checked but didn't add a new file, you would remove the old file and then your code would error out (since the corresponding `$_FILES` array would be empty). – M. Eriksson Jun 04 '22 at 14:45
  • First of all, thank you sir @M.Eriksson! I forgot to define `$id`. It is now updating, but the problem now is that I tried to upload a new PDF file and leave the image file as it is. The new one now overwrites the PDF file, but the image gets unlinked, and the image name in the database was erased, just like what you were pertaining to in your last comment. I did not check "Include Image" and it still got updated. – Noobie Jun 04 '22 at 15:14
  • I will take notes about how to prevent SQL injection and about the MySQL APIs. This will help because I am now self-studying, and creating this project is to assess myself to what I have learned for a month. – Noobie Jun 04 '22 at 15:20
  • That's because you never actually check _which_ checkboxes are checked. You do `$checkbox=$_POST['upload'];` and then `foreach($checkbox as $item)` but never actually do anything with `$item` anywhere. Just remove the checkboxes and check if `$_FILES['pdf']` and `$_FILES['image']` are set instead. – M. Eriksson Jun 04 '22 at 15:24
  • @M.Eriksson, is the `is_uploaded_file()` function the one I should use? Thanks again. – Noobie Jun 04 '22 at 15:37
  • ...or just `if (empty($_FILES['pdf']['tmp_name']) === false)`. Then you should also check that `$_FILES['pdf']['error']` is equal to `0` (any other value means that there was an error with the upload). You can read [here](https://www.php.net/manual/en/features.file-upload.errors.php) what the different error codes mean. – M. Eriksson Jun 04 '22 at 15:44
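The comments above make three separate points: decide whether to replace a file from `$_FILES` (checking `error` is `0`) rather than from the checkboxes, do not unlink the old file until a new one has actually arrived, and use prepared statements instead of interpolating `$_GET['ebook_id']` and the file name into SQL. The handler below is an added example that combines all three; it is not the asker's code or an answer from the thread. It assumes the same `$con` mysqli connection from `../include/dbcon.php`, the same `ebooks` table with `ebook_id`, `pdf` and `ebook_img` columns, and the same `../../ebooks` and `../../images` directories used in the question. It also goes one step beyond the comments: the page's code stores each upload under whatever name the browser sent, so the example generates the stored name server-side and checks the detected content type rather than `$_FILES[...]['type']`.

```php
<?php
// Added example, not the original poster's code. Replaces the two
// checkbox-driven blocks with one handler that only touches a file
// when a new one was actually uploaded. Assumed (from the question,
// not verified here): $con comes from ../include/dbcon.php; the table
// is ebooks(ebook_id, pdf, ebook_img); uploads live in ../../ebooks
// and ../../images.
declare(strict_types=1);
include '../include/dbcon.php';

/**
 * True only if the browser sent a file in $field and PHP reported no
 * upload error. An empty <input type="file"> yields UPLOAD_ERR_NO_FILE,
 * which must not trigger an unlink of the existing file.
 */
function hasUpload(string $field): bool
{
    return isset($_FILES[$field])
        && $_FILES[$field]['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($_FILES[$field]['tmp_name']);
}

/**
 * Store the upload in $field and point $column at it.
 * Order: validate -> move new file -> update row -> unlink old file,
 * so a failed or missing upload never removes the current file.
 * $column is a constant chosen by the caller below, never user input,
 * which is why it may be interpolated into the SQL; the values are bound.
 * $allowed maps detected MIME type => extension to store the file with.
 */
function replaceFile(mysqli $con, int $ebookId, string $field,
                     string $column, string $dir, array $allowed): void
{
    if (!hasUpload($field)) {
        return; // nothing sent for this field: keep the existing file
    }

    // Check the real content, not the client-supplied $_FILES[..]['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($_FILES[$field]['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("$field: unexpected content type $mime");
    }

    // Do not reuse the client-supplied name: generate one server-side so
    // the uploader cannot pick the extension or collide with another row.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($_FILES[$field]['tmp_name'], "$dir/$newName")) {
        throw new RuntimeException("$field: could not store upload");
    }

    // Fetch the current file name with a bound parameter.
    $stmt = $con->prepare("SELECT `$column` FROM ebooks WHERE ebook_id = ?");
    $stmt->bind_param('i', $ebookId);
    $stmt->execute();
    $stmt->bind_result($oldName);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        unlink("$dir/$newName"); // roll back the move; the row does not exist
        throw new RuntimeException("ebook $ebookId not found");
    }

    $stmt = $con->prepare("UPDATE ebooks SET `$column` = ? WHERE ebook_id = ?");
    $stmt->bind_param('si', $newName, $ebookId);
    $stmt->execute();
    $stmt->close();

    // Only now remove the superseded file. basename() keeps the unlink
    // inside $dir even if a stored name were ever tampered with.
    if ($oldName !== null && $oldName !== '') {
        @unlink($dir . '/' . basename($oldName));
    }
}

if (isset($_POST['update11'])) {
    // Read the id as an integer instead of concatenating a raw string.
    $ebookId = filter_input(INPUT_GET, 'ebook_id', FILTER_VALIDATE_INT);
    if ($ebookId === null || $ebookId === false) {
        http_response_code(400);
        exit('missing or invalid ebook_id');
    }

    try {
        replaceFile($con, $ebookId, 'pdf',   'pdf',       '../../ebooks',
                    ['application/pdf' => 'pdf']);
        replaceFile($con, $ebookId, 'image', 'ebook_img', '../../images',
                    ['image/jpeg' => 'jpg', 'image/png' => 'png']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
    }

    echo "<script>alert('Successfully updated!'); history.go(-2);</script>";
}
```

With this structure the "Include E-Book" / "Include Image" checkboxes are no longer needed: leaving a file input empty means "keep the current file", which is exactly the behaviour the asker was trying to get from the checkboxes. The `pdf_type`, `pdf_size`, `pdf_tem_loc` and `pdf_store` columns from the original `UPDATE` are left out on purpose; the temp path and the stored path are server-side details that do not belong in the row, and the size and type can be re-derived from the file on disk if they are ever needed.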

0 Answers