php/mysql problem

[ashton]

Hi I've been working on making a database that takes the user submitted file and uploads it into the folder uploads and sends the link to that file to the mysql server so I can have it redirected to a image gallery page. Makes sense I hope? I'm very new all of this so bare with me.Here is my code so far...this is the upload.php which will grab the users file and send it over to uploader.php for processing.

<form enctype="multipart/form-data" action="uploader.php" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="200000" />Choose a file to upload: <input name="uploadedfile" id="image" type="file" /><br /><input type="submit" value="Upload File" /></form>

here is the uploader.php file which sends the image to the uploads folder and sends the information to the database.. however.. I cant get the link to go into image..

<?php// Where the file is going to be placed $target_path = "uploads/";/* Add the original filename to our target path.  Result is "uploads/filename.extension" */$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); $_FILES['uploadedfile']['tmp_name']; $target_path = "uploads/";$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {	echo "The file ".  basename( $_FILES['uploadedfile']['name']). 	" has been uploaded";} else{	echo "There was an error uploading the file, please try again!";}?><?php$con = mysql_connect("localhost","username","password");if (!$con)  {  die('Could not connect: ' . mysql_error());  }mysql_select_db("localhost", $con);$sql="INSERT INTO gallery (description, image)VALUES('$_POST[description]','$_POST[image]')";if (!mysql_query($sql,$con))  {  die('Error: ' . mysql_error());  }echo "<br />success";mysql_close($con)?>

my apolgies again if this all seems... weird but like I said I'm very new to web coding just trying to get better is all.

[justsomeguy]

I saw your intro post so I know you're just starting. First, whenever you refer to an associated array (an array with words for indexes instead of numbers), you need to refer to the key in quotes, like this:$_POST['image']If you do this:$_POST[image]PHP will first look for a defined constant called image. If there is no defined constant, PHP will issue a notice (the lowest level of error) and instead use the string value "image". Since you just want to use the string value anyway, you can skip the overhead of looking up the constant and issuing the notice and just use the literal string value. When you use an associative array inside a double-quoted string you can do it like this:

"... ('{$_POST['description']}','{$_POST['image']}')";

Anyway, the filename for an uploaded file does not go into $_POST, all file info goes into $_FILES. One other thing to mention is that these lines are redundant:

$target_path = "uploads/";/* Add the original filename to our target path.  Result is "uploads/filename.extension" */$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); $_FILES['uploadedfile']['tmp_name']; // this line doesn't do anything at all$target_path = "uploads/";$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

You set target_path 4 times. You can replace all of that with this:

$target_path = "uploads/" . basename($_FILES['uploadedfile']['name']);

Now you could just put $target_path into the database, but I prefer to put only the filename, no path information. That way if you change the path of the uploaded files you can just update the script that points to the files and don't need to update the entire database. So, since you aren't renaming the file, you can just use the original filename in the database statement. The last thing to mention is that whenever you use any values from $_GET, $_POST, or $_COOKIE in a SQL statement you need to make sure to sanitize the information to avoid SQL attacks where people would type in SQL code into, for example, the description field and have their code executed when you build your query. You can sanitize everything with the mysql_real_escape_string function.

$sql="INSERT INTO gallery (description, image)VALUES('" . mysql_real_escape_string($_POST['description']) . "','{$_FILES['uploadedfile']['name']}')";

Also, there's not a good reason to have different names and IDs on the file input element, it's better if the name and ID are the same.

[ashton]

Thanks for the reply. However now I'm getting another error after I made the corrections you suggested. This error is in the uploader.php file. Parse error: parse error, unexpected T_STRING in /home/cleargam/public_html/care/uploader.php on line 38code is:

<?php// Where the file is going to be placed $target_path = "uploads/" . basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {	echo "The file ".  basename( $_FILES['uploadedfile']['name']). 	" has been uploaded";} else{	echo "There was an error uploading the file, please try again!";}?><?php$con = mysql_connect("localhost","username","password");if (!$con)  {  die('Could not connect: ' . mysql_error());  }mysql_select_db("localhost", $con);$sql="INSERT INTO gallery (description, image)VALUES('" . mysql_real_escape_string($_POST['description']) . "','{$_FILES['uploadedfile']['name']}')";('{$_POST['description']}','{$_POST['image']}')";if (!mysql_query($sql,$con))  {  die('Error: ' . mysql_error());  }echo "<br />success";mysql_close($con)?>

as you can see the error points to this line:

('{$_POST['description']}','{$_POST['image']}')";

[justsomeguy]

You can just delete that line, it doesn't need to be there.

[ashton]

Ah I see because you put it into the escape, gotcha. Thanks alot mate. Works perfect now, thanks. Now to make the actual gallery accessing it.

[ashton]

Well now I have a bit different of a problem. All the uploading and everything is working but now I added a new entry to it and it gives this error and doesnt show the input

The file CARE.JPG has been uploaded Error: Column count doesn't match value count at row 1

it worked fine till I added the extra entry here so... I know its a simple solution but sometimes its hard to find it eh? So if I can get some help.. here is the code thats generating the error

('" . mysql_real_escape_string($_POST['who']  .  $_POST['description']) . "','{$_FILES['uploadedfile']['name']}')";

[justsomeguy]

You still have 2 fields in the value clause. If you added a third field to the insert field list you need to add another field to the values. Adding another variable into mysql_real_escape_string still only produces one result, it doesn't produce two different results for the one function call.

('" . mysql_real_escape_string($_POST['who']) . "', '"  .  mysql_real_escape_string($_POST['description']) . "','{$_FILES['uploadedfile']['name']}')";

[ashton]

man you reply fast ! Thanks man.

[ashton]

One more question on this subject >.< I'm so tired haha.. brain isnt functioning so yeah here it is. I'm working on the gallery.php and of course its outputting image as care.jpg or whatever the name is of it. Now how do I get the image to display properly? Anyway here is the code I have so far so yeah.. advice would be nice.

<!DOCTYPE htmlPUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html><head><style type="text/css">body {background-color: black}h1, h2, h3, h4, h5, h6 {color: #33BB77; text-align: center}p {color: #00AADD; text-align: left}ul, ol {color: white; text-align: left}table {background-color:; color: white}</style><title>Gallery</title></head><?php$con = mysql_connect("localhost","user","pass");if (!$con)  {  die('Could not connect: ' . mysql_error());  }mysql_select_db("localhost", $con);$result = mysql_query("SELECT * FROM gallery");echo "<table border='1' CELLPADDING='1' CELLSPACING='3'><tr><th>submitted by:</th><th>Description:</th><th>Image:</th></td></tr>";while($row = mysql_fetch_array($result))  {  echo "<tr>";  echo "<td>" . $row['who'] . "</td>";  echo "<td>" . $row['description'] . "</td>";  echo "<td>" . $row['image'] . "</td>";  echo "</tr>";  }echo "</table>";mysql_close($con);?> </html>

I have the html tags around it because I plan on using html in the doc after I get the output displaying properly. And if there is a better way then a html table then let me know please -. After this I'll get rest I promise ! brain needs refreshing.

[justsomeguy]

You just need to add on the path to wherever the file is. With things like paths, or usernames and passwords or certain system-wide data, it's best to keep it all in a file that you can include everywhere else. So if you set up a file like this and call it, for example, global.conf.php:

<?phpglobal $UPLOAD_FILE_PATH;$UPLOAD_FILE_PATH = 'http://www.domain.com/uploads/';?>

You can define whatever constants, variables, functions etc need to be defined for all of your pages to use. Then on the gallery page you can include that file and use whatever values were defined, in this case a global variable:

require_once('global.conf.php');// ... other codewhile($row = mysql_fetch_array($result)){  echo "<tr>";  echo "<td>" . $row['who'] . "</td>";  echo "<td>" . $row['description'] . "</td>";  echo "<td><img src=\"{$UPLOAD_FILE_PATH}{$row['image']}\"></td>";  echo "</tr>";}

That way if you ever change where the files are being saved you can just update that include file to get everything to point to the new place.

[ashton]

would you say a html table is the best way to display this information or what would be?

[justsomeguy]

I would use a table.