-3

Below is my code to upload images and update the database with the respective image names.

The upload is working fine, but I have some problems with the syntax to update the MySQL database.

```php
function storeimage()
{
    $files = array();

    $target_path1 = $_FILES['file1']['tmp_name'];
    $target_path2 = $_FILES['file2']['tmp_name'];
    $target_path3 = $_FILES['file3']['tmp_name'];

    $files = array(1=>'file1',2=>'file2',3=>'file3');
    //uploadimages($files)    
    //$target_path = "images/";

    foreach($files as $data)
    {
        $target_path = $_FILES[$data]['name']; 
        if(move_uploaded_file($_FILES[$data]['tmp_name'], "images/".$target_path)) 
        {
            $publish = $_POST['publish'];
            $databaseupdate = "INSERT INTO `uploadfiles`.`uploads` 
                (`id`, `name1`, `name2`, `name3`, `publish`)
                VALUES (NULL, '$files['file1']','$files['file2']','$files['file3']','$publish')";
            $mysqlupdate = mysql_query($databaseupdate);
            echo "The file ".  basename($_FILES[$data]['name']). 
                " has been uploaded<BR>";
        } 
        else
        {
            echo "There was an error uploading the file, please try again!";
        }
        $target_path ="";
    }
}
```
gen_Eric
user1110597
  • Please don't write titles in all caps. – Alex Turpin Dec 21 '11 at 20:48
  • I don't think that inline-replace works with arrays. Try to use `'".$files['file1']."'` – Corubba Dec 21 '11 at 20:50
  • 1
    What does "but have some problems in syntax to update mysql database" mean? Are you getting errors and what are they? Or do you just not like it and want it rewritten by someone else? – Robert Dec 21 '11 at 20:50
  • Welcome to Stack Overflow! You are not doing any error checking in your query, so it's little wonder that your script fails silently. You *need* to do that after a `mysql_query()` call. Otherwise, your script will break if the query fails. How to do this is outlined in the [manual on `mysql_query()`](http://php.net/mysql_query) or in this [reference question.](http://stackoverflow.com/questions/6198104/reference-what-is-a-perfect-code-sample-using-the-mysql-extension) – Pekka Dec 21 '11 at 20:52
  • [SQL injection](http://en.wikipedia.org/wiki/SQL_injection)! – Lambda Fairy Dec 21 '11 at 21:07

2 Answers

0

It is PHP syntax you have issues with, not SQL.

```php
$sql = "INSERT INTO uploads 
        VALUES (NULL,'$files[file1]','$files[file2]','$files[file3]','$publish')";
```

would work.

However, it is not your only problem.
It seems you are inserting nonexistent variables and do not sanitize them for the query, and you are trying to insert all three in a single query and run it three times. Looks like you may want to move the query outside of the loop.

```php
$names = array();
// Move each uploaded file and remember its name ('' marks a failed upload)
foreach($_FILES as $file)
{
    if(move_uploaded_file($file['tmp_name'], "images/".$file['name']))
    {
        $names[] = $file['name'];
    } else {
        $names[] = '';
    }
}
if (array_filter($names)) { // at least one file uploaded successfully
  // Escape every value before it goes into the query string
  $publish = mysql_real_escape_string($_POST['publish']);
  foreach ($names as $i => $name) {
    $names[$i] = mysql_real_escape_string($name);
  }
  // Use the escaped $names collected above, in a single query outside the loop
  $sql = "INSERT INTO uploads VALUES (NULL,'$names[0]','$names[1]','$names[2]','$publish')";
  mysql_query($sql) or trigger_error(mysql_error().$sql);
}
```

something like this

Your Common Sense
  • Yes, and alternatively you can do something like this: '{$files['file1']}' - if you want to insert a value of an array item into a string – rroche Dec 21 '11 at 20:55
  • 1
    Can you index arrays without using quotes? I'd suggest `"VALUES(NULL, '{$files['file1']}, {$files['file2']}, ...)"` instead. – gen_Eric Dec 21 '11 at 20:55
  • @Rocket it's 4 additional symbols per variable. Seems too much overkill to me. Oh and yes, you can, inside of double quoted string. – Your Common Sense Dec 21 '11 at 20:59
  • @Col.Shrapnel: Wouldn't it throw a notice though? Like if you did `$arr[abc]` outside of a string, it'd say "invalid constant, assuming string". – gen_Eric Dec 21 '11 at 21:01
  • @Col.Shrapnel: Ah, didn't realize you could do it that way inside double quoted strings. – gen_Eric Dec 21 '11 at 21:16
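The insert from this answer written with bound parameters instead of string interpolation, which also covers the SQL injection comment on the question. This is an added example, not code from the thread; `safe_image_name()`, `store_images()`, the PDO handle `$pdo` and the extension allow-list are assumptions, and the table layout is the one shown in the question.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection in $pdo
// and the question's table layout (uploads: id, name1, name2, name3, publish).

/**
 * Reduce a client-supplied file name to a safe base name, or return null.
 * The extension allow-list is an assumption for an image upload form.
 */
function safe_image_name(string $clientName): ?string
{
    // Drop any directory part, whichever separator the client sent.
    $base = basename(str_replace('\\', '/', $clientName));
    // One dot only, so names such as "shell.php.png" are rejected.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.(jpe?g|png|gif)$/i', $base)) {
        return null;
    }
    return $base;
}

function store_images(PDO $pdo, array $files, string $publish, string $dir = 'images/'): bool
{
    $names = [];
    foreach (['file1', 'file2', 'file3'] as $field) {
        $names[$field] = ''; // stays empty when the upload is missing or rejected
        if (!isset($files[$field]) || $files[$field]['error'] !== UPLOAD_ERR_OK) {
            continue;
        }
        $name = safe_image_name($files[$field]['name']);
        if ($name !== null && move_uploaded_file($files[$field]['tmp_name'], $dir . $name)) {
            $names[$field] = $name;
        }
    }
    if (!array_filter($names)) {
        return false; // nothing was stored, so insert no row
    }
    // Placeholders keep the values out of the SQL text entirely,
    // so neither the file names nor $publish need manual escaping.
    $stmt = $pdo->prepare(
        'INSERT INTO uploads (id, name1, name2, name3, publish) VALUES (NULL, ?, ?, ?, ?)'
    );
    return $stmt->execute([$names['file1'], $names['file2'], $names['file3'], $publish]);
}

// Usage in the form handler:
// store_images($pdo, $_FILES, $_POST['publish'] ?? '');
```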
0

Firstly, why are you using $files['file1'], etc., to try to get the file name? Shouldn't you be using $_FILES[$data]['name']? Or $_FILES['file1']['name'], $_FILES['file2']['name'], etc.

Also there are some quoting issues with your SQL. What about something like this:

```php
$databaseupdate = "INSERT INTO `uploadfiles`.`uploads`
    (`id`, `name1`, `name2`, `name3`, `publish`)
    VALUES (NULL, '" . $_FILES['file1']['name'] .
    "','" . $_FILES['file2']['name'] .
    "','" . $_FILES['file3']['name'] ."','$publish')";
```

Secondly, you are iterating over 'file1', 'file2', and 'file3', but you seem to be trying to insert them all into one row in the table. If you have three files, and you want to insert them all into the database, shouldn't you be inserting one row per file? In which case the table only needs one 'name' column.

Rob W
kclair
  • This looks very suitable for a comment. Improve the answer, or delete it, and post the same notice/comment as a comment at the OP. – Rob W Dec 21 '11 at 21:16
  • I don't have the ability to add comments to the question. – kclair Dec 21 '11 at 21:17
  • 1
    This looks very suitable for the answer to a question to me. Welcome to Stack Overflow. Don't let the bastards in this community grind you down, or they will. – phpmeh Dec 21 '11 at 21:23
  • @phpmeh Check the revision history, and choose your words more wisely. **To kclair** Your post looks better now. Tip: Use backticks, `\`` for inline code formatting. Blocks of code can be formatted by prefixing a blank line, then four spaces for each line of code. – Rob W Dec 21 '11 at 21:26