
I am not able to get the value of the $uploader variable into the MySQL query. Please help me with this. I checked $author; it is getting its value from POST.

<?php
        include("config.php");

        $author = $_POST['uname'];

        if(isset($_POST['but_upload'])){
            $maxsize = 5242880 * 80; // 400MB
                       
            $name = $_FILES['file']['name'];
            $target_dir = "videos/";
            $target_file = $target_dir . $_FILES["file"]["name"];
            $uploader = $author;
            // Select file type
            $videoFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

            // Valid file extensions
            $extensions_arr = array("mp4","avi","3gp","mov","mpeg");

            // Check extension
            if( in_array($videoFileType,$extensions_arr) ){
                
                // Check file size
                if(($_FILES['file']['size'] >= $maxsize) || ($_FILES["file"]["size"] == 0)) {
                    echo "File too large. File must be less than 5MB.";
                }else{
                    // Upload
                    if(move_uploaded_file($_FILES['file']['tmp_name'],$target_file)){
                        // Insert record
                        $query = "INSERT INTO videos(name,location,author) VALUES('$name','$target_file','$uploader')";
                        mysqli_query($con,$query);
                        echo "Upload successfully.";
                        echo $query;
                    }
                }

            }else{
                echo "Invalid file extension.";
            }
        
        }
        ?>

Result:

INSERT INTO videos(name,location,author) VALUES('$name','$target_file','')
  • Can you expand on the problem please? What happens that should not, or does not happen that should? Do you get error messages if you check to see whether your query worked? Does your query work in phpmyadmin? – droopsnoot Jul 17 '22 at 17:00
  • 2
    You really should be using Prepared Statements instead of sticking variables directly into your query like that. Is the uploader a string or a number? If it's a number, you shouldn't have quotes around it. If you used Prepared Statements, it would handle that for you, along with stuff like the name containing single-quotes. – droopsnoot Jul 17 '22 at 17:01
  • Why do you create a variable called `$uploader`? Why not just use `$author` in your query instead, as you already have it? Especially as you're inserting it into a column called `author`. – droopsnoot Jul 17 '22 at 17:03
  • Hello @droopsnoot, I checked my query in phpMyAdmin and this query works. `$uploader` is a string. I want to insert data into the DB like this: `INSERT INTO videos(name,location,author) VALUES('$name','$target_file','John Doe')` But I cannot do this. – Jahongir Sobirov Jul 17 '22 at 17:05
  • Dear @droopsnoot, I think the variable `$author` doesn't send data into `if(isset($_POST['but_upload'])){` – Jahongir Sobirov Jul 17 '22 at 17:09
  • That size is quite above the usual default. Is the file being uploaded or is there a size restriction in place? Try var_dump($_FILES) to see what you have. – kissumisha Jul 17 '22 at 17:45
  • 1
    **STOP**. **USING**. **STRING**. **INTERPOLATION**. This is trivial to do with prepared statements. It's a complete mess if you just smash it into a string. Your query should look like `VALUES(?,?,?)` and you can trivially supply the data as arguments to your query execute call. – tadman Jul 18 '22 at 02:04
  • All the values in the query are wrong (it shouldn't show up as *literally* `$name` between the quotes in the query). The people here telling you not to just stick strings into queries are mostly concerned with security (you WILL get hacked with that code), but if you do it the "safe" way, you will also be doing it the way that is more difficult to get wrong. Please read about prepared statements https://www.php.net/manual/en/class.mysqli-stmt.php (examples when you read about specific methods) – Jerry Jul 18 '22 at 06:41
  • Is your "result" what you actually see, or have you put back the variable names so we don't see actual data? It would make it clearer if you'd put some sample data in there, because now you've confused matters to suggest that your variable values are not being substituted. What is in `$author` and `$uploader` when you `var_dump()` them at appropriate points in the code for debugging? – droopsnoot Jul 18 '22 at 07:13
  • You should also have a look at "Database Normalisation" - IMO there's no way you should be storing the uploader name in there, you should have a table with uploaders, each with a unique ID, and store the ID in that table. That's why I presumed that the uploader might be a number - because I think it should be. – droopsnoot Jul 18 '22 at 07:14
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jul 18 '22 at 10:14
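The prepared-statement rewrite the commenters recommend, as an added example that is not the asker's code. It assumes `$con` is the mysqli connection created in `config.php` and that the `videos` table has the columns `name`, `location` and `author`; the empty-author check surfaces the missing POST value instead of silently inserting `''`.

```php
<?php
// Added example, not the question's code. Assumes config.php defines $con (mysqli)
// and the videos table from the question (name, location, author).
include("config.php");

// Placeholders in the SQL, values bound separately: the query text and the data
// travel to the server on different channels, so a name such as O'Brien.mp4 can
// neither break the statement nor change what it does.
function insert_video(mysqli $con, string $name, string $location, string $author): bool
{
    $stmt = $con->prepare("INSERT INTO videos(name, location, author) VALUES(?, ?, ?)");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    $stmt->bind_param("sss", $name, $location, $author); // three string parameters
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['but_upload'])) {
    // Read the author inside the handler and refuse an empty value rather than
    // storing '' (the symptom in the question). var_dump($_POST) here shows
    // whether the form actually sent a field named "uname".
    $author = trim($_POST['uname'] ?? '');
    if ($author === '') {
        echo "Missing uploader name; check the form field 'uname'.";
        exit;
    }

    // basename() drops any directory part of the client-supplied file name, so
    // the stored location always stays inside videos/.
    $name        = basename($_FILES['file']['name'] ?? '');
    $target_file = "videos/" . $name;
    $ext         = strtolower(pathinfo($name, PATHINFO_EXTENSION));

    if (!in_array($ext, ["mp4", "avi", "3gp", "mov", "mpeg"], true)) {
        echo "Invalid file extension.";
    } elseif (move_uploaded_file($_FILES['file']['tmp_name'], $target_file)) {
        // Do not echo the SQL back to the browser; it leaks schema details.
        echo insert_video($con, $name, $target_file, $author)
            ? "Upload successful."
            : "Insert failed: " . $con->error;
    }
}
```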
