1

I have no idea what I need to do to make this function. After the update button has been pressed on this page, the contact's information should be updated. The information is read from the database and entered into the page along with the ID number as values. The inputs are then updated as necessary, and the server is updated. However, for some reason, the Update statement is not being executed, and nothing is changing. It should also be able to upload an image and make it part of the update.

This is my database:

<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'project');
 
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
 
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

This is my form:

<form method="post" action="action/update-certificate.php?id=<?php echo $_GET['viewid']?>" class="main-right" id="mainbar" enctype="multipart/form-data">
<div class="grid-3">
    <div class="grid-item">
        <p class="grid-title">certificate of employment signature</p>
        <input type="file" name="coe_signature" class="cert-int">
    </div>
</div>
<button class="btn-add" type="submit" name="update_certificate"></button>
</form>

This is my code:

<?php

include '../../../config.php';

if (isset($_POST['update_certificate'])) {

    if (isset($_POST['coe_signature'])) {
        $file = $_FILES['coe_signature'] ?? "";
        $filename = $_FILES['coe_signature']['name'] ?? "";
        $fileTmpName = $_FILES['coe_signature']['tmp_name'] ?? "";
        $fileSize = $_FILES['coe_signature']['size'] ?? "";
        $fileError = $_FILES['coe_signature']['error'] ?? "";
        $fileType = $_FILES['coe_signature']['type'] ?? "";

        $fileExt = explode('.', $filename);

        $fileActualExt = strtolower(end($fileExt));

        $allowed = array('jpg', 'jpeg', 'png');

        if (in_array($fileActualExt, $allowed)) {
            if ($fileError === 0) {
                if ($fileSize < 5000000000000000) {
                    $fileNameNew = uniqid('', true).".".$fileActualExt;
                    $fileDestination = 'uploads/'.$fileNameNew;
                    move_uploaded_file($fileTmpName, $fileDestination);

                    $coe_signature = $_POST['coe_signature'];

                    $coe_signature_sql = "UPDATE certficate SET coe_signature = '".$coe_signature."' WHERE viewid = ".$_GET['id']." ";
                    mysqli_query($link, $coe_signature_sql);
                }
                else{
                    echo "Your file is too big";
                }
            }
            else{
                echo "There was an error uploading your file";
            }
        }
        else{
            echo "Cannot upload this file type";
        }
    }
}
else{
    echo "ERROR contact the developer";
}

?>
Mark nicholas Razon
  • 29
  • 2
  • 3
    Your script is vulnerable to [SQL Injection Attack](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even if [you are escaping variables, its not safe](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string%5D)! You should always use [prepared statements and parameterized queries](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either MYSQLI or PDO instead of concatenating user provided values into the query. – Barmar Sep 09 '22 at 00:42
  • 3
    File inputs aren't put in `$_POST` they're put in `$_FILES`. Read a tutorial on uploading files with PHP. – Barmar Sep 09 '22 at 00:42
  • 1
    5 petabyte images? – Lawrence Cherone Sep 09 '22 at 01:22

1 Answers1

2

I believe this line:

if (isset($_POST['coe_signature'])) {

should actually be checking for the file in the $_FILES array instead of the $_POST array. Like this:

if (isset($_FILES['coe_signature'])) {
chrispd
  • 53
  • 6