The first argument to addFile() needs to be the full path to the image, but you are using a relative path (wp-content/...). The template for this page is most likely in your wp-content/themes/ directory, so the call to file_exists() fails, which means that nothing is ever passed to ZipArchive. WordPress provides a constant called WP_CONTENT_DIR that contains the absolute path to the wp-content folder, or if you aren't sure what theme you will be in you can use get_template_directory().

Using WP_CONTENT_DIR:

if ( ! empty( $image ) ) {
    $filename = WP_CONTENT_DIR . '/themes/twentyfourteen/upload/character/' . $image;
    if ( file_exists( $filename ) ) {
        // Adding files into zip
        $zip->addFile( $filename, $image );
    }
}

Using get_template_directory():

$filename = get_template_directory().'/upload/character/'.$image;
SQL INJECTION WARNING
You also have a SQL injection vulnerability where it is possible to pass arbitrary SQL in the order_id of the request. Use $wpdb->prepare() to protect against it.

global $wpdb;
$order_id = isset( $_REQUEST['order_id'] ) ? $_REQUEST['order_id'] : 0;
$query = $wpdb->prepare( "SELECT optional_image FROM order_listing WHERE order_no = %s", $order_id );
$query2 = $wpdb->prepare( "SELECT main_image FROM character_order WHERE order_id = %s", $order_id );
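
Both points of the answer combined into one helper, as an added example that is not part of the original answer: the prepared queries feed absolute paths to ZipArchive. It assumes a WordPress context; build_order_zip() is a hypothetical name, and the realpath() containment check and temp-file handling go beyond what the answer shows.

```php
<?php
// Added example; assumes it runs inside WordPress. build_order_zip() is a
// hypothetical helper name; table and column names are the ones in the answer.
function build_order_zip( $order_id ) {
    global $wpdb;

    // The request value is bound as a parameter, never concatenated into SQL.
    $images = array_merge(
        $wpdb->get_col( $wpdb->prepare(
            "SELECT optional_image FROM order_listing WHERE order_no = %s", $order_id
        ) ),
        $wpdb->get_col( $wpdb->prepare(
            "SELECT main_image FROM character_order WHERE order_id = %s", $order_id
        ) )
    );

    // Absolute base directory, because addFile() needs a full path.
    $base = realpath( get_template_directory() . '/upload/character' );
    if ( false === $base ) {
        return new WP_Error( 'no_image_dir', 'Image directory not found.' );
    }

    $zip_path = tempnam( get_temp_dir(), 'order' );
    $zip      = new ZipArchive();
    if ( false === $zip_path
        || true !== $zip->open( $zip_path, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
        return new WP_Error( 'zip_open_failed', 'Could not create the archive.' );
    }

    $added = 0;
    foreach ( array_filter( $images ) as $image ) {
        // Skip names that do not resolve to an existing file inside $base.
        $filename = realpath( $base . '/' . $image );
        if ( false === $filename || 0 !== strpos( $filename, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        if ( $zip->addFile( $filename, basename( $filename ) ) ) {
            $added++;
        }
    }
    $zip->close();
    if ( 0 === $added ) {
        if ( file_exists( $zip_path ) ) { unlink( $zip_path ); }
        return new WP_Error( 'no_images', 'No images found for this order.' );
    }
    return $zip_path; // Caller streams the file, then deletes it.
}
// Usage in the template (constructed call):
// $order_id = isset( $_REQUEST['order_id'] ) ? wp_unslash( $_REQUEST['order_id'] ) : '';
// $zip_file = build_order_zip( $order_id );
```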