My submit code does nothing???

Posted: Mon Jan 29, 2007 1:50 am
by cturner
When I test the code that is below nothing happens. Can someone please tell me why? Thanks in advance.

Code:

require "config.php";
$findphoto = mysql_real_escape_string($_FILES['findphoto']);
$photo = mysql_real_escape_string($_POST['photo']);
$id = mysql_real_escape_string($_GET['id']);
$arrErrors = array();
if (isset($_POST['btnsubmit'])) {
    if($_FILES['findphoto']['name'] == '') {
        $arrErrors['findphoto'] = 'You did not select a photo to upload';
    }
    if ($photo == '') {
        $arrErrors['photo'] = 'Please enter a photo name and file extension that you wish to upload for this clearing sale.';
    }
    if (count($arrErrors) == 0) {
        $query = mysql_query("SELECT `id` FROM `clearingsales` WHERE `id` = '$id'") or die("Could not query because:" .mysql_error());
        $row = mysql_fetch_assoc($query);
        $parent_id = $row['id'];
        $insert = "INSERT INTO `clearingsales_photos` (`parent_id`, `photos`) VALUES ('$parent_id', '$photo')";
        if (mysql_query ($insert)) {
            print "<strong>Photo has been added to the database. Please don't forget to upload the photos via ftp.</strong><br /><br />";
        } else {
            print "<p>Could not add the entry because: <b>" . mysql_error() . "</b>. The query was $insert.</p>";
        }
    } else {
        // The error array had something in it. There was an error.
        // Start adding error text to an error string.
        $strError = '<div class="formerror"><p>Please check the following and try again:</p><ul>';
        // Get each error and add it to the error string
        // as a list item.
        foreach ($arrErrors as $error) {
            $strError .= "<li>$error</li>";
        }
        $strError .= '</ul></div>';
    }
}

The form:

Code:

<form action="<?php echo $PHP_SELF; ?>" method="get" enctype="multipart/form-data" name="attachForm" id="attachForm">
<input type="hidden" name="id" value="<?php echo $id; ?>" />
Before selecting the photo please make sure the photo size is 100 x 100 and make sure the photo's file extension is a jpg.<br /><br />
Please find the product photo then copy the file name and extension only then paste the file name in the textbox below. After you have done that you will need to upload the file via ftp.
  <p<?php if (!empty($arrErrors['findphoto'])) echo ' class="formerror"'; ?>><input type="file" name="findphoto" />
  <br />
  <p<?php if (!empty($arrErrors['photo'])) echo ' class="formerror"'; ?>><input type="text" name="photo" />
  <br />
  <input name="btnsubmit" type="submit" id="btnsubmit" value="SUBMIT" />
</form>

Posted: Mon Jan 29, 2007 1:59 am
by louie35
The form method is set to get while your PHP code is looking for post. Change your form from get to post like this:

Code:

<form action="<?php echo $PHP_SELF; ?>" method="post" enctype="multipart/form-data" name="attachForm" id="attachForm">
And also change this in your PHP code:

Code:

//$id = mysql_real_escape_string($_GET['id']);
//to 
$id = mysql_real_escape_string($_POST['id']);

Posted: Mon Jan 29, 2007 8:17 am
by feyd
Don't use PHP_SELF.

Long explanations short, it contains user input which allows someone to insert HTML into your page.
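
Added example, not code from any poster in this thread: it contrasts the form tag as written above with two safer ways to build it, and validates the hidden id as an integer because mysql_real_escape_string does not make a value safe for HTML output. The function name render_form_open, the script path and the request values are constructed for illustration.

```php
<?php
// Added example: PHP_SELF includes any extra path the client appends after
// the script name, so echoing it raw puts client-controlled text into the page.

/**
 * Hypothetical helper: builds the opening <form> tag with an HTML-escaped
 * action and a hidden id that is only emitted if it is a positive integer.
 */
function render_form_open(string $action, $rawId): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $idField = ($id === false)
        ? ''
        : '<input type="hidden" name="id" value="' . $id . '" />';

    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8')
         . '" method="post" enctype="multipart/form-data">' . $idField;
}

// Constructed stand-in for $_SERVER on a request whose URL carries extra
// path text after the script name.
$server = [
    'SCRIPT_NAME' => '/admin/photos.php',
    'PHP_SELF'    => '/admin/photos.php/"><b>injected</b>',
];

// 1. As in the thread: PHP_SELF echoed raw. The quote closes the attribute
//    and the markup that follows becomes part of the page.
$raw = '<form action="' . $server['PHP_SELF'] . '" method="post">';

// 2. PHP_SELF escaped for an HTML attribute: the same text stays inside
//    the action value as inert characters.
$escaped = render_form_open($server['PHP_SELF'], '7');

// 3. SCRIPT_NAME does not include the extra path text; it is still escaped
//    on output. A non-integer id is dropped instead of being echoed.
$fixed = render_form_open($server['SCRIPT_NAME'], '7"><i>x</i>');

echo "raw:     $raw\n";
echo "escaped: $escaped\n";
echo "fixed:   $fixed\n";
```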