PHP and mysql Upload files

Question

zebnoon1 -3 Newbie Poster

8 Years Ago

dear friends,
I have created Php form to store data in my mysql database. But i am facing problem in updating file data to store in database. Please check my code below

 $edate=$_POST['edate'];
    //$edate=date("d-m-y h:i:s a",time());
    $ldate=$_POST['ldate'];
    //$ldate=date("d-m-y h:i:s a");
    $cdetail=$_POST['cdetail'];
    $tenNo=$_POST['tenNo'];
    $tdetail=$_POST['tdetail'];

    $name = ($_FILES['uploaded_file']['name']);
    $mime = ($_FILES['uploaded_file']['type']);
    $data = (file_get_contents($_FILES  ['uploaded_file']['tmp_name']));
    $size = intval($_FILES['uploaded_file']['size']);

$sql1="INSERT INTO tentb(edate,ldate,cdetail,tenNo,tdetail,size,data,name,mime) VALUES('$edate','$ldate','$cdetail','$tenNo','$tdetail','$size','$data','$name','$mime')";

      $result1=$conn1->query($sql1);
    if($result1){
    echo "<script>
    alert('Data has saved')
    </script>";
    header("Refresh:2; url=tenderadd.php");}
    else{
        $msg='Error'. $conn1->connect_error;
        header("refresh:2; url=tenderadd.php");
    }
    }

uploaded_file is upload file tag name.

mysql php

4 Contributors
10 Replies
406 Views
1 Week Discussion Span
Latest Post 8 Years Ago Latest Post by diafol

AndrisP 193 Posting Pro in Training

8 Years Ago

Raed this topic https://www.daniweb.com/programming/web-development/threads/505941/insert-user-details-with-photo-into-database#post2209304

diafol

8 Years Ago

This code is unsafe as you have not sanitized the data. The best way to run the insert is to create a prepared statement (mysqli or PDO).

Perhaps my tutorial: https://www.daniweb.com/programming/web-development/tutorials/499320/common-issues-with-mysql-and-php may be of use?

diafol

8 Years Ago

The max file size should go to the file input tag. Check for errors, e.g.

if($_FILES['userfile']['error']) echo "Error: " . $_FILES['userfile']['error'];

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Phaelax 52 Practically a Posting Shark · Answer 1 · 2016-10-23T01:17:41+00:00

I strongly back up what diafol has said. Right now you're vulnerable to injection attacks. Many folks think that because they can't see POST data that it can't be tampered with, but it's rather simple to not only view it but alter it as well. Look into using filter_var

zebnoon1 -3 Newbie Poster · Answer 2 · 2016-10-30T14:08:36+00:00

Ok i changed my code please, check

<!DOCTYPE html>
<?php

//include(headeradmin.php);
date_default_timezone_set("Asia/Karachi");
include('conn1.php');
session_start();
 $epr='';
 $msg='';

    if(isset($_GET['epr'] ))
        $epr=$_GET['epr'];
//***************** Save Record***************************
if($epr=='save' && $_FILES['userfile']['size'] > 0){
            $fileName = $_FILES['userfile']['name'];
            $tmpName  = $_FILES['userfile']['tmp_name'];
            $fileSize = $_FILES['userfile']['size'];
            $fileType = $_FILES['userfile']['type'];

     $edate=$conn1->real_escape_string($_POST['edate']);
     $ldate=$conn1->real_escape_string($_POST['ldate']);
     $cdetail=$conn1->real_escape_string($_POST['cdetail']);
    $tenNo=$conn1->real_escape_string($_POST['tenNo']);
    $tdetail=$conn1->real_escape_string($_POST['tdetail']);

$fp      = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

        $sql1="INSERT INTO tentb(edate,ldate,cdetail,tenNo,tdetail,'size',data','name','mime') VALUES('$edate','$ldate','$cdetail','$tenNo','$tdetail','$fileName', '$fileSize', '$fileType', '$content')";

        $result1=$conn1->query($sql1);
    if($result1){
    echo "<script>
    alert('Data has saved')
    </script>";
    header("Refresh:2; url=tenderadd.php");}
    else{
        $msg='Error'. $conn1->connect_error;
        header("refresh:2; url=tenderadd.php");
    }
    }
    ?>

here is my form

<form  method="POST" action='tenderadd.php?epr=save'>
 <h1> New Tender</h1>
        <table align='center'>
                    <tr>
                     <td> </td>
                   <td><input type="hidden" name="sr" /></td>
                    </tr>
                    <tr>
                     <td> Current Date </td>
                   <td><input  type="text" value="<?php echo date("d-m-Y"); ?>" readonly="readonly" style='background-color:Black; color:Lime;'   /></td>
                    </tr>

                     <input type="hidden" name="edate"  value='<?php echo date('Y-m-d')?>' readonly="readonly"/></td>

                     <tr>
                     <td> Last Date</td>
                     <td><input id='date' type="text" name="ldate" readonly="readonly" /></td>
                     </tr>

                      <tr>
                      <td> Client Detail</td>
                      <td><input type="text" name="cdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td> Tender No.</td>
                      <td><input type="text" name="tenNo" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Detail</td>
                      <td><input type="text" name="tdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Upload</td>
                      <td><input type="file" name="userfile" /></td>
                      </tr>

                      <tr>
                      <td> </td>
                      <td><input type="submit" value="submit" /></td>
                      </tr>

        </table>
 </form>

I got
Notice: Undefined index: userfile in C:\wamp\www\SprintWeb\tenderadd.php on line 14
Error,please guide me.

diafol · Answer 3 · 2016-10-30T15:17:21+00:00

In order to send files you need the form attribute enctype set to:

<form  method="POST" action='tenderadd.php?epr=save' enctype='multipart/form-data'>

This was mentioned in my tutorial if you read it.

zebnoon1 -3 Newbie Poster · Answer 4 · 2016-10-31T05:48:26+00:00

Dear Diafol Boss,
I put

 enctype='multipart/form-data'

But same error.
Please, check my code and tell me where cn i use
$_FILES['userfile']['size'] > 0
in my code, code is bellow

$epr='';
 $msg='';

    if(isset($_GET['epr'] ))
        $epr=$_GET['epr'];
//***************** Save Record***************************
if($epr=='save' ){

            $fileName = $_FILES['userfile']['name'];
            $tmpName  = $_FILES['userfile']['tmp_name'];
            $fileSize = $_FILES['userfile']['size'];
            $fileType = $_FILES['userfile']['type'];

    $edate=$conn1->real_escape_string($_POST['edate']);
    $ldate=$conn1->real_escape_string($_POST['ldate']);
    $cdetail=$conn1->real_escape_string($_POST['cdetail']);
    $tenNo=$conn1->real_escape_string($_POST['tenNo']);
    $tdetail=$conn1->real_escape_string($_POST['tdetail']);

$fp      = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

        $sql1="INSERT INTO tentb(edate,ldate,cdetail,tenNo,tdetail,'size',data','name','mime') VALUES('$edate','$ldate','$cdetail','$tenNo','$tdetail','$fileName', '$fileSize', '$fileType', '$content')";

        $result1=$conn1->query($sql1);
    if($result1){
    echo "<script>
    alert('Data has saved')
    </script>";
    header("Refresh:2; url=tenderadd.php");}
    else{
        $msg='Error'. $conn1->connect_error;
        header("refresh:2; url=tenderadd.php");
    }
    }

and form HTML Code is here

<form  method="POST" action='tenderadd.php?epr=save' enctype='multipart/form-data'>
 <h1> New Tender</h1>
        <table align='center'>
                    <tr>
                     <td> </td>
                   <td><input type="hidden" name="sr" /></td>
                    </tr>
                    <tr>
                     <td> Current Date </td>
                   <td><input  type="text" value="<?php echo date("d-m-Y"); ?>" readonly="readonly" style='background-color:Black; color:Lime;'   /></td>
                    </tr>

                     <input type="hidden" name="edate"  value='<?php echo date('Y-m-d')?>' readonly="readonly"/></td>

                     <tr>
                     <td> Last Date</td>
                     <td><input id='date' type="text" name="ldate" readonly="readonly" /></td>
                     </tr>

                      <tr>
                      <td> Client Detail</td>
                      <td><input type="text" name="cdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td> Tender No.</td>
                      <td><input type="text" name="tenNo" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Detail</td>
                      <td><input type="text" name="tdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Upload</td>
                      <input type="hidden" name="MAX_FILE_SIZE" value="2000000">
                      <td><input type="file" name="userfile" /></td>
                      </tr>

                      <tr>
                      <td> </td>
                      <td><input type="submit" value="submit" /></td>
                      </tr>

        </table>
 </form>

zebnoon1 -3 Newbie Poster · Answer 5 · 2016-11-01T06:28:30+00:00

Ok I soved Problem with upload file
One more How can download File From Own my Database Mysql?

zebnoon1 -3 Newbie Poster · Answer 6 · 2016-11-01T07:20:53+00:00

I tried this code But does not download File

 while ($row = $result->fetch_assoc()) {

                    $filename=$row['name'];

                echo "<tr>";
                echo "<td>".$i."</td>";
                echo "<td>".$row ['cdetail']. "</td>";
                echo "<td>".$row ['tenNo']. "</td>";
                echo "<td>".$row ['tdetail']. "</td>";
                echo "<td>".$row['ldate']."</td>";
                echo "<td> <a href=adminfrm.php?file=".$filename."target='_blank'>Download</a></td>";

Please, guide me

diafol · Answer 7 · 2016-11-01T07:21:13+00:00

That.s a new question, so new thread.