Page 1 of 1

Upload Question Pt.II (Naming Conventions)

Posted: Wed Sep 28, 2005 10:35 am
by $var
Yesterday I was asking about how to get the files onto the server, via mkdir...
Success! Thanks everyone...

Today, I have a question about the file names.

The files are being copied, but the data entered into the table
is still the default 'none' that I have put as the VALUE of the image.

Here's what I've got:

Code: Select all

$sql = "INSERT INTO members (
		Mem_Logo,
		Mem_CImage,
		Mem_Password,
		Mem_Username) 
		VALUES (
		'none'
		'none'
		'".$_POST["password"]."',
		'".$_POST["username"]."')";
               if(!$result = mysql_query($sql))
			{
				echo mysql_error();
				echo "error on select";
			}
			
		$sql = "SELECT 
		Mem_ID, 
		Mem_Username, 
		Mem_Password FROM members WHERE 
		Mem_Username='".str_replace("'","'",$_POST["username"])."' AND 
                Mem_Password ='".str_replace("'","'",$_POST["password"])."'";
			
                        $memberresults = mysql_fetch_array($result);
			$memberid = $memberresults["Mem_ID"];
			//setcookie ("Mem_ID", $memberid);
			mkdir("f:/www/vhosts/advantageboard.com/httpdocs/Imi/Mem_Img/".$memberid);
			$picname="noimage.jpg";
			$picname2="noimage2.jpg";
			$Mem_Image = "Mem_Logo";	
			$Mem_CImage = "Mem_CImage";	
			foreach( $HTTP_POST_FILES as $aFile )
			{
				if ($aFile['type'] == "image/gif" || 
                                    $aFile['type'] == "image/jpeg" ||         
                                    $aFile['type']=="image/pjpeg")
				{
					copy ($aFile['tmp_name'],       
                                        "Path/".$memberid."/".$aFile['name']) 
					or die ("Could not copy"); 
					echo "";
				
				//	$picname=$aFile['name'];
				
				}
			}


- The 2 image field values are imagefile1, imagefile2
- Files are going to the server
- The database is reading the files default value as if nothing were being entered into imagefile

Posted: Thu Sep 29, 2005 12:46 am
by ruchit
are you sure this is working??

Code: Select all

$sql = "INSERT INTO members (
        Mem_Logo,
        Mem_CImage,
        Mem_Password,
        Mem_Username)
        VALUES (
        'none'
        'none'
        '".$_POST["password"]."',
        '".$_POST["username"]."')";
there's an error here, it should look like

Code: Select all

$sql = "INSERT INTO members (
        Mem_Logo,
        Mem_CImage,
        Mem_Password,
        Mem_Username)
        VALUES (
        'none',
        'none',
        '".$_POST["password"]."',
        '".$_POST["username"]."')";
Now if you are inserting 'none', how can you expect the image name to show up in the database, since i see no update queries in the code you've posted.

Re: Upload Question Pt.II (Naming Conventions)

Posted: Thu Sep 29, 2005 2:51 am
by omega-systems
You forgot to update members tsable after uploading.

Code: Select all

$sql = "update members set 
  Mem_Logo='".$Mem_Image."', 
  Mem_CImage'".$Mem_CImage."'
  where
	Mem_ID='".$memberid."';
 if(!$result = mysql_query($sql)) 
   { 
    echo mysql_error(); 
    echo "error on select"; 
   }
Regards,
Michael.

Project Manager
Omega Systems Ltd
Email: info@omega-systems.biz
ICQ: 264962449
MSN: omega-systems@hotmail.com
AIM: OmegaSys Ltd

Posted: Thu Sep 29, 2005 8:27 am
by feyd
SQL Injection alert. :)