Click here to Skip to main content
14,691,952 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
I have the following codes which I think is okay. Unfortunately, it doesn't work as expected. Can anyone help me figure out the errors of the following codes inside the codes.php?

if(isset($_POST['upload_image_btn'])){

    $image = $_POST['image_name']['name'];
    $category = $_POST['add_category'];
    $title = $_POST['add_title'];
    $description = $_POST['add_description'];
    $author = $_POST['add_author'];
    $division = $_POST['add_division'];
    $image_path = 'images/illustration/'.$image;

    if(file_exists('images/illustration/'.$_FILES['image_name']['name']))
    {
        $store = $_FILES['image_name']['name'];
        $_SESSION['status']= "The Illustration "$store" you are uploading already exist. You may rename the file if you think it is a system error. Thank you.";
        header ('Location: media_upload.php');
    }
    else  
    {   
                    $query = "INSERT INTO `illustration` (`illustration_image`, `category`, `title`, `description`, `author`, `division`, `path`)
                                VALUES ('$image', '$category', '$title', '$description', '$author', '$division', '$image_path')";

                    $query_run = mysqli_query($connection, $query);

                            if($query_run)
                            {
                                move_uploaded_file($_FILES['image_name']['tmp_name'], 'images/illustration/'.$_FILES['image_name']['name']);
                                $_SESSION ['success'] = "New Illustration Successfully Added!";
                                header ('Location: media_upload.php');
                            }
                            else
                            {
                                $_SESSION ['status'] = "New Illustration Add Failed!";
                                header ('Location: media_upload.php');
                            }
    }

}


Below is the form code inside media_upload.php.

<form action="codes.php" method='POST' enctype="multipart/form-data">
            <div class="form-group">
              <label>Illustration</label>
              <input type="file" name="image_name" class="form-control-file" required>
            </div>
            <div class="form-group">
              <label>Category</label>
              <select name="add_category" class="form-control" required>
                <option value="" selected hidden>Select a Category</option>
                <option value="Arts">Arts</option>
                <option value="Business and Enterprise">Business and Enterprise</option>
                <option value="Earth and Space">Earth and Space</option>
                <option value="Education">Education</option>
                <option value="Health">Health</option>
                <option value="History">History</option>
                <option value="Humanities (Society)">Humanities (Society)</option>
                <option value="Language">Language</option>
                <option value="Life Science">Life Science</option>
                <option value="Mathematics">Mathematics</option>
                <option value="Physical Science">Physical Science</option>
                <option value="Technology">Technology</option>
                <option value="Miscellaneous">Miscellaneous</option>
              </select>
            </div>
            <div class="form-group">
              <label>Title</label>
              <input type="text" name="add_title" class="form-control" placeholder="Enter Illustration Title" required>
            </div>
            <div class="form-group">
              <label>Description</label>
              <input type="text" name="add_description" class="form-control"

                placeholder="Enter Illustration Description" required>
            </div>
            <div class="form-group">
              <label>Author</label>
              <input type="text" name="add_author" class="form-control" placeholder="Enter Name of Illustrator"

                required>
            </div>
            <div class="form-group">
              <label>Division</label>
              <input type="text" name="add_division" class="form-control" placeholder="Enter Illustrator Division"

                required>
              <input type="hidden" name="add_date">
            </div>
            <hr><br>
            <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
            <button type="submit" name="upload_image_btn" class="btn btn-success">Upload Image</button>
          </form>


What I have tried:

I have not tried anything because as I see, the codes are all okay. But I guess I have not seen the error.
Posted
Updated 10-Sep-20 19:22pm
Comments
Richard Deeming 11-Sep-20 4:12am
   
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation / interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]

1 solution

I have found the solution myself. Instead of using
$image = $_POST['image_name']['name'];
I replaced
$_POST
with
$_FILES
and everything works fine. :)
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900