Question

I'm quite new to PHP and trying to upload an image to the server and then write it to the database using a form and PHP, using the code and form below, but it doesn't seem to be working for me. If I take all of the photo content out, the form works perfectly well with the other variables and content, such as writing out the article title and content. Would anyone be able to tell me where I'm going wrong at all? Thanks in advance, guys.

<?php

session_start();

include_once('../php/connection.php');

if (isset($_SESSION['logged_in'])) {
    if (isset($_POST['title'], $_POST['content'], $_FILES['photo1'])) {
        $title = $_POST['title'];
        $content = nl2br($_POST ['content']);
        $photo1=($_FILES['photo1']);
        $target = "../lifestlye";
        $target = $target . basename( $_FILES['photo1']);


        $query =$pdo->prepare('INSERT INTO article (article_title, article_content, photo_1) VALUES (?,?,?)');

        $query->bindValue(1, $title);
        $query->bindValue(2, $content);
        $query->bindValue(3, $photo1);

        $query->execute();
        move_uploaded_file($_FILES['photo1'], $target);
{

}


        header('Location: index.php');
    }

    ?>




 <form action="add.php" method="post" autocomplete="off"/>


    <dl class="field four columns centered">
                    <dd><label for="title">Article Title</label></dd>
                    <dt class="text"><input type="text" name="title" id="title"/>
                    </dt>
                    </dl>
                    <dl class="field nine columns centered">
                <dd><label for="content">Content</label></dd>
                <dt class="textarea">
                <textarea name="content" id="message"></textarea></dt>
                </dl>
                <p class="blacktext">Photo</p>
                <input type="file" name="photo1">
                <input type="submit" id="add article"/>
                </form>

Solution

Try this code:

<?php

session_start();

include_once('../php/connection.php');

if (isset($_SESSION['logged_in'])) {

    if (isset($_POST['title'], $_POST['content'], $_FILES['photo1'])) {

        $title    = $_POST['title'];
        $content  = nl2br($_POST['content']);
        $name     = $_FILES['photo1']['name'];
        $tmp_name = $_FILES['photo1']['tmp_name'];

        $target = '../lifestlye/'.$name;

        if (move_uploaded_file($tmp_name,$target)) {

            $stmt = $pdo->prepare('INSERT INTO article (article_title, article_content, photo_1) VALUES (?,?,?)');
            $stmt->execute(array($title,$content,$name));
            header('Location: index.php');
            exit();

        }

    }

}

OTHER TIPS

You are making it way too simple. You need to read the manual page: http://www.php.net/manual/en/features.file-upload.post-method.php

First, add this to your form as parameter: enctype="multipart/form-data"

Then, understand that $_FILES['photo1'] will be an array, and $_FILES['photo1']['tmp_name'] will contain a temporary filename, which is the uploaded file. You can then move the file to a new location, or read it and put it into the database as a BLOB (but why do you want to keep binary data in a database?)

  1. You should use absolute paths for moving the file. If you want to do something in the current dir, use __DIR__ or dirname(__FILE__) depending on your PHP version. The first one is to be preferred if it's available.
  2. You should do error checking - read up on $_FILES array on php.net manual for what to look out for.
  3. Check the return value of move_uploaded_file, errors, notices - there might also be a problem with writing permissions (the target directory/file has to be writable by the webserver)
  4. You should consider generating a filename, otherwise if 2 ppl upload a file with the same name, the second one will override the first one. Then starts the fun about race conditions and the impossibility of PHP itself to do an atomic lock (using MySQL get lock is the best I've come up with so far, as semaphores and file locking suck in a web context with PHP)
  5. You should add some security checking, e.g. str_replace("\0", "", $filename) for avoiding nul poisoning (and depending on your system and filesystem there are probably other things you should filter/check)
  6. This is just a tip, but really: Don't do anything with user input, especially file upload, in the open (e.g. publicly available web address) if you haven't got enough experience in regards to PHP/security. Otherwise you will see your server crashed, taken over, ... in a very short time. PHP is already very insecure as it is, adding in MySQL and file upload doesn't really make it better. There is no guarantee that the filename you get from $_FILES is safe - an attacker could send ANY filename (I can easily do it with a few lines of script myself, and I'm not a real hacker).

Also, basename does not filter filenames, it just gives you whatever is before the last '.'.

Edit: + everything Palantir wrote, to make it work (sorry, there were so many things on this that I skipped some)
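
Added example (not part of the original answers, and not the posters' code): one way to combine the tips above into a single upload routine that checks the $_FILES error code, detects the type from the file contents, generates the stored filename and checks the result of move_uploaded_file. It assumes PHP 7+ with the fileinfo extension and a form sent with enctype="multipart/form-data"; store_uploaded_image, MAX_BYTES, ALLOWED_TYPES, the 2 MiB limit and the image allowlist are hypothetical choices made for this illustration.

```php
<?php
// Added example: validate an uploaded image and store it under a generated name.
// store_uploaded_image(), MAX_BYTES and ALLOWED_TYPES are hypothetical names.
const MAX_BYTES = 2 * 1024 * 1024;   // assumed size limit (2 MiB)
const ALLOWED_TYPES = [              // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// $file is one entry of $_FILES (e.g. $_FILES['photo1']); $destDir is an
// absolute directory writable by the web server. Returns the stored file name.
function store_uploaded_image(array $file, string $destDir): string
{
    // Reject multi-file arrays and any upload error reported by PHP.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }
    // Detect the type from the file contents, not from the client-sent
    // $file['type'] or the extension of $file['name'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG, PNG and GIF are accepted');
    }
    // The client file name is never used: a random name avoids collisions
    // and keeps client-chosen names and extensions off the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // move_uploaded_file() also verifies that tmp_name is a real HTTP upload.
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move file; check permissions');
    }
    return $name;
}

// Usage in add.php, with $pdo, $title and $content as in the code above:
// $name = store_uploaded_image($_FILES['photo1'], __DIR__ . '/../lifestlye');
// $stmt = $pdo->prepare('INSERT INTO article (article_title, article_content, photo_1) VALUES (?,?,?)');
// $stmt->execute([$title, $content, $name]);
```

Wrap the call in try/catch and show the exception message to the user instead of redirecting when the upload is rejected.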

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow