how come my real escape strings are getting entered into my table as blank entries - if i don't escape them, they enter just fine.... Any ideas?
<?php
session_id($_POST['current_email']);
session_start();
if (!empty($_FILES)) {
$con = mysql_connect("xxx", "xxx", "xxx") or die("cannot connect");
mysql_select_db("xxx", $con) or die("cannot select DB");
$tempFile = $_FILES["Filedata"]["tmp_name"];
$name = $_FILES["Filedata"]["name"];
$targetPath = "uploads/";
$targetFile = str_replace('//', '/', $targetPath) . $_FILES["Filedata"]['name'];
$size = $_FILES["Filedata"]["size"];
$oext = getExtension($name);
$ext = strtolower($oext);
$whois = $_SERVER['REMOTE_ADDR'];
$email = $_POST['current_email'];
if ($ext == "jpg" || $ext == "jpeg" || $ext == "bmp" || $ext == "gif") {
if ($size < 1024 * 1024) {
if (file_exists("uploads/" . $name)) {
move_uploaded_file($tempFile, "uploads/" . $name);
$qry = "select id from pictures where file='$name' and type='$ext'";
$res = mysql_fetch_array(mysql_query($qry));
$id = $res['id'];
$safename = mysql_real_escape_string($name);
$safesize = mysql_real_escape_string($size);
$safeext = mysql_real_escape_string($ext);
$safewhois = mysql_real_escape_string($whois);
$safeemail = mysql_real_escape_string($email);
$qry = "UPDATE pictures SET file='$safename', type='$safeext', size='$safesize', whois='$safewhois', date=NOW() where id=$id";
mysql_query($qry);
echo "1";
} else {
move_uploaded_file($tempFile, "uploads/" . $name);
$qry = "INSERT INTO pictures(id, file, type, size, email, whois, date) VALUES ('', '$safename', '$safeext', '$safesize', '$safeemail', '$safewhois', NOW())";
mysql_query($qry, $con);
echo "1";
}
}
}
}
function getExtension($image_name)
{
return substr($image_name, strrpos($image_name, '.') + 1);
}
?>