Click here to Skip to main content
15,311,717 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Helo Coders

I'm trying to insert text along with text to mysql database but it is not working. I would like to restrict the image type to jpg only. Here is my code.

PHP
<?php
$username= "root";
$password= "";
$hostname= "localhost";
$dbhandle=mysql_connect($hostname, $username, $password) or die("could not connect to the database");

$selected=mysql_select_db("unic", $dbhandle);
$imageName=mysql_real_escape_string($_FILES["image"]["name"]);
$imageData=mysql_real_escape_string($_FILES["image"]["tmp_name"]);
$imageType=mysql_real_escape_string($_FILES["image"]["type"]);
$extension=strtolower(substr($imageName, strpos($imageName, '.')+ 1));
if(isset($_POST['FullName']) && isset($_POST['YourGender']) && isset($_POST['AgeGroup'])  && isset($_POST['Institution'])  && isset($_POST['Purpose']) && isset($_POST['NRC'])  && isset($_POST['Province']) && isset($_POST['dbDate']) && isset($_POST['NRC'])  && isset($_POST['Province']) && isset($_POST['Address'])){
if(isset($imageName)){
if(!empty($imageName)){
if(($extension=='jpg'||$extension=='jpeg')&&$imageType=='image/jpeg'){
$name=$_POST['FullName'];
$gender=$_POST['YourGender'];
$age=$_POST['AgeGroup'];
$institution=$_POST['Institution'];
$purpose=$_POST['Purpose'];
$nrc=$_POST['NRC'];
$province=$_POST['Province'];
$dbdate=$_POST['dbDate'];
$address=$_POST['Address'];
$query = mysql_query("SELECT * FROM students WHERE NRC='$nrc'");
if(mysql_num_rows($query) > 0){
echo ' The NRC you entered is already taken ';
}else{
mysql_query("INSERT INTO `students` set FullName='$name', Gender='$gender', AgeGroup='$age', Organisation='$institution', Purpose='$purpose', NRC='$nrc', Province='$province', dbDate='$dbdate', Address='$address' Image='$imageName'");
echo("Record was Succesfully Entered");
}
}else{
echo 'Only jpg Images allowed';
}
}
}
}
mysql_close();
?>
Posted
Comments
PIEBALDconsult 17-Dec-14 9:35am
   
Find out how to use a parameterized statement, because what you have now can't do it.
Chubby Ninja 17-Dec-14 10:26am
   
What isn't working currently? Do you get an error from the sql query? - is it an option for you to look at prepared statements like PHP PDO?

1 solution

There's a couple of issues, including that you are not actually moving the image into a upload directory - check out my modifications which include sanitizing your data

PHP
$username= "root";
$password= "";
$hostname= "localhost";

$allowed_ext = array( 'jpg', 'jpeg' ); // allowed extensions
$allowed_mime = array( 'image/jpeg' ); // allowed mime types
$upload_dir = $_SERVER['DOCUMENT_ROOT'] . '/uploads/'; // change this to your upload directory - include the trailing slash

$required = array( 'FullName', 'YourGender', 'AgeGroup', 'Institution', 'Purpose', 'NRC', 'Province', 'dbDate', 'Address');
$sanitized = array( );

$error = false;

// loop through each required POST field and sanatize it
foreach( $required as $req )
{
    if( !isset($_POST[ $req ]) )
    {
        $error = true;
    } else {
        $sanitized[ $req ] = mysql_real_escape_string( $_POST[ $req ] );
    }
}

// if not all the required fields are set
if( $error )
{
    die( 'Error - Not all required fields posted' );
}

// check if upload has been sent
if( !isset( $_FILES ) )
{
    die( 'Error - No file sent' );
}

$imageName=mysql_real_escape_string($_FILES["image"]["name"]);
// check if the imagename is set
if( empty( $imageName ) )
{
    die( 'Not image name set' );
}
$sanitized['Image'] = $imageName;


$imageType=mysql_real_escape_string($_FILES["image"]["type"]);
$extension=strtolower(substr($imageName, strpos($imageName, '.')+ 1));
// check if the extension is in the allowed list
if( !in_array($extension, $allowed_ext ) || !in_array($imageType, $allowed_mime) )
{
    die( 'Only JPG images allowed' );
}


$imageData=mysql_real_escape_string($_FILES["image"]["tmp_name"]);
// try move the file
if( !move_uploaded_file($imageData, $upload_dir . $imageName ) )
{
    die( 'Could not move file into upload directory' );
}

// all error checks have passed, assume all is ok


$dbhandle=mysql_connect($hostname, $username, $password) or die("could not connect to the database");
$selected=mysql_select_db("unic", $dbhandle);

$query = mysql_query("SELECT * FROM `students` WHERE `NRC`='" . $sanitized['NRC'] . "'");

if(mysql_num_rows($query) > 0)
{
    echo ' The NRC you entered is already taken ';
}else{
    mysql_query("INSERT INTO `students` (" . implode(',', array_keys($sanitized)) . ") VALUES ('" . implode( "','", $sanitized ) . "')");
    echo("Record was Succesfully Entered");
}

mysql_close();
   
Comments
Member 11301170 17-Dec-14 10:54am
   
Thanks Chubby let me try it your way.
Chubby Ninja 18-Dec-14 4:02am
   
How did it go? if this solution helped you please mark it as an accepted answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900