
I am new to PHP web development and am making a simple website for adding products and categories. I am facing an issue with the update CRUD operation for the categories when I upload an image.

Updating the image when it is less than 2MB is OK and the old image is deleted. For the other scenarios, when the image is more than 2MB or has an image extension other than the allowed ones, it is not being validated and only the image name gets added to the database. Below is my code; I appreciate the help.

<?php
include("../config/dbconn.php");
if (isset($_POST['update'])) {
    $cat_id = mysqli_real_escape_string($dbconn, $_POST['cat_id']);
    $cat_name = mysqli_real_escape_string($dbconn, $_POST['cat_name']);

    $pervious_cat_name = filter_var($_POST['pervious_cat_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    $cat_img = $_FILES['cat_img'];

    // checking empty fields
    if (empty($cat_name) || empty($cat_img)) {

        if (empty($cat_name)) {
            echo "<font color='red'>category name field is empty!</font><br/>";
        }

        if (empty($cat_img)) {
            echo "<font color='red'>image field is empty!</font><br/>";
        }
    } else {

        //updating the table
        if ($cat_img['name']) {

            $pervious_cat_path = '../../uploads/' . $pervious_cat_name;

            if ($pervious_cat_path) {
                unlink($pervious_cat_path);
            }

            $cat_img_name = $cat_img['name'];
            $cat_temp_name = $cat_img['tmp_name'];
            $cat_img_destination_path = '../../uploads/' . $cat_img_name;

            $allow_files = ['png', 'jpg', 'jpeg','webp'];
            $extension = explode('.', $cat_img_name);
            $extension = end($extension);

            if (in_array($extension, $allow_files)) {
                if ($cat_img['size'] < 2000000) {
                    move_uploaded_file($cat_temp_name, $cat_img_destination_path);
                } else {
                    $_SESSION['category_update'] = "couldn't update category, image size is too large";
                }
            } else {
                $_SESSION['category_update'] = "couldn't update category, image should be png, jpg, jpeg";
            }
        }

        $cat_img_to_insert = $cat_img_name ?? $pervious_cat_name;

        $query = "UPDATE category SET cat_name='$cat_name', cat_img='$cat_img_to_insert'  WHERE cat_id=$cat_id";
        $result = mysqli_query($dbconn, $query);

        if ($result) {
            //redirecting to the display page. In our case, it is index.php
            header("Location: admin_panel.php");
        }
    }
}
?>

Below are a couple of images showing the results:

OK: uploaded an image less than 2MB and in the allowed extensions. [screenshot]

Image bigger than 2MB and in the allowed extensions. [screenshot]

Not allowed image extension: [screenshot]

appreciate the support.

  • Your PHP or webserver settings probably limit the maximum file upload size. Amend the settings (you can easily google how to do this). – ADyson Jan 04 '23 at 11:22
  • Your code should really be checking `$_FILES['cat_img']['error']` so you can detect any problems in the upload, and the code can respond appropriately. Currently your code is not doing that. See https://www.php.net/manual/en/features.file-upload.post-method.php and https://www.php.net/manual/en/features.file-upload.errors.php – ADyson Jan 04 '23 at 11:23
  • Also it would probably make logical sense not to initiate the INSERT query without checking whether `move_uploaded_file` succeeded, or whether the file extension is ok too. Again, your code does not do that - it just carries on with the query regardless of whether anything else previously has worked or not. – ADyson Jan 04 '23 at 11:24
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. `mysqli_real_escape_string` is obsolete and does not protect against everything – ADyson Jan 04 '23 at 11:26
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use that resource again. – ADyson Jan 04 '23 at 11:26
  • Thank you @ADyson, I found another solution, appreciate the help. – yazan_bader Jan 04 '23 at 14:18
  • No problem. You should add your solution below as an Answer in case anyone has a similar issue. – ADyson Jan 04 '23 at 14:20
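The three points ADyson raises in the comments (check `$_FILES['cat_img']['error']`, do not run the UPDATE unless the validation and `move_uploaded_file` actually succeeded, and use a prepared statement instead of string-building the SQL) fit together into one handler. The following is an added example, not the asker's code nor the solution they found. It keeps the question's form field names (including `pervious_cat_name`), its `category` table, the `$dbconn` mysqli connection from `dbconn.php`, the `../../uploads/` directory and the `admin_panel.php` redirect; it assumes `session_start()` is not already called in `dbconn.php` and that the uploads directory is resolved relative to this script file rather than the working directory. It also explains the behaviour in the question: when a file exceeds `upload_max_filesize`, PHP reports `UPLOAD_ERR_INI_SIZE` and still fills in `['name']`, but `['tmp_name']` is empty and `['size']` is 0, so a size check alone passes, `move_uploaded_file` fails silently, and the new name still reaches the database. Beyond what the comments cover, the example also sniffs the file content with `finfo` and stores the file under a server-generated name.

```php
<?php
// Added example, not the asker's code: the update handler rewritten along the
// lines of the comments above. Assumes the question's form fields, its
// `category` table, a mysqli `$dbconn` from dbconn.php and ../../uploads/.
session_start();
include("../config/dbconn.php");

const MAX_IMAGE_BYTES = 2000000;
const ALLOWED_EXT     = ['png', 'jpg', 'jpeg', 'webp'];
const ALLOWED_MIME    = ['image/png', 'image/jpeg', 'image/webp'];
const UPLOAD_DIR      = __DIR__ . '/../../uploads/';   // assumed layout

// Returns null when the upload is acceptable, otherwise the reason to show.
// ['error'] is checked first: when the file exceeds upload_max_filesize PHP
// still fills in ['name'] but leaves ['tmp_name'] empty and ['size'] at 0,
// so a size check alone passes and move_uploaded_file() fails silently.
function validate_image_upload(array $file): ?string
{
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            return "image size is too large";
        default:
            return "upload failed (error {$file['error']})";
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        return "image size is too large";
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return "image should be png, jpg, jpeg or webp";
    }
    // The extension is whatever the client typed; check the bytes as well.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return "file content is not an image of an allowed type";
    }
    return null;
}

// Record the reason in the session and go back to the admin page.
function fail(string $reason): void
{
    $_SESSION['category_update'] = "couldn't update category, $reason";
    header("Location: admin_panel.php");
    exit;
}

if (isset($_POST['update'])) {
    $cat_id   = (int) ($_POST['cat_id'] ?? 0);
    $cat_name = trim($_POST['cat_name'] ?? '');
    // basename() confines the old-image path to the uploads directory
    $old_name = basename($_POST['pervious_cat_name'] ?? '');
    $cat_img  = $_FILES['cat_img'] ?? ['error' => UPLOAD_ERR_NO_FILE];

    if ($cat_id <= 0 || $cat_name === '') {
        fail("category name field is empty!");
    }

    $new_name = $old_name;                        // no new file: keep the old image
    if ($cat_img['error'] !== UPLOAD_ERR_NO_FILE) {
        $reason = validate_image_upload($cat_img);
        if ($reason !== null) {
            fail($reason);
        }
        // Server-chosen name: the client's file name never reaches the disk
        $ext      = strtolower(pathinfo($cat_img['name'], PATHINFO_EXTENSION));
        $new_name = bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($cat_img['tmp_name'], UPLOAD_DIR . $new_name)) {
            fail("could not store the image");
        }
    }

    // Parameterised UPDATE: values are bound, never spliced into the SQL text
    $stmt = mysqli_prepare($dbconn,
        "UPDATE category SET cat_name = ?, cat_img = ? WHERE cat_id = ?");
    if ($stmt === false) {
        fail("database error");
    }
    mysqli_stmt_bind_param($stmt, "ssi", $cat_name, $new_name, $cat_id);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    if (!$ok) {
        if ($new_name !== $old_name) {
            unlink(UPLOAD_DIR . $new_name);       // don't leave an orphaned file
        }
        fail("database error");
    }

    // Only after the row is updated is it safe to remove the old image
    if ($new_name !== $old_name && $old_name !== '' && is_file(UPLOAD_DIR . $old_name)) {
        unlink(UPLOAD_DIR . $old_name);
    }
    header("Location: admin_panel.php");
    exit;
}
```

The ordering is the point: validate, then move the file, then update the row, and only then delete the previous image, so a failure at any step leaves the old record and old file intact. With the original ordering the old image was unlinked before anything had been checked, and the UPDATE ran even when `move_uploaded_file` had returned false.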
