data is not being uploaded


Alfraganus

Dear all,

I've been trying to upload my data directly to the server, but something is wrong with it. My localhost is not reporting any error; it only (mysql_errno) shows me the message "post has not been published succesfully":

I don't know what's wrong with it. I tried different ways but it's not working(((. I would be very glad if someone could fix it.

Here is the code:

<?php
mysql_connect("localhost","root","");
mysql_select_db("yangiliklar");
if (isset($_POST['submit'])) {
    $post_title=$_POST ['title'];
    // $post_date= date ('y-m-d');
    $post_author=$_POST ['author'];
    $post_keywords=$_POST ['keywords'];
    $post_content=$_POST ['content'];
    $post_image=$_FILES ['image']['name'];
    $image_tmp= $_FILES ['image']['tmp_name'];
    if($post_title=='' or $post_keywords=='' or $post_content=='' or
        $post_author=='') {
        echo "<script>alert ('any on the field is empty') </script>";
        exit ();
    } else {
        move_uploaded_file($image_tmp, "images/$post_image");
        $insert_query="insert into posts
            (posts_title, post_author, post_image, post_keywords, post_content)
            values ('$post_title, '$post_author', '$post_image', '$post_keywords', '$post_content')";
        if (mysql_query($insert_query)) {
            echo "<center><h1>post published succesfully </h1></center>";
        } else {
            echo "post has not been published succesfully"; // (this message is coming)
        }
    }
}
?>

You can see why it's not working by checking what mysql_error() returns.

echo "post has not been published succesfully. Reason: " . mysql_error();

Your code is vulnerable to hacking. The mysql library is outdated and by passing POST data right into the query you're leaving it open to SQL injection. Here's an excerpt from the mysqli_error() manual page:

Warning

This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:


Did you add any error checking? Using mysqli isn't as simple as renaming some functions. You also need to use prepared statements; the old mysql extension does not support prepared statements, so that's new code, not renaming things.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

One of the reasons to use prepared statements is to remove the data from the actual query and let the database server handle the data itself.

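The prepared-statement approach recommended in the replies, applied to the insert from the question, as an added example that is not part of the original thread. Connection details, table and column names are copied from the question; `safe_image_name()` is a hypothetical helper and its list of allowed extensions is an assumption.

```php
<?php
// Added example: the question's INSERT rewritten with mysqli prepared statements.
// Connection details, database, table and column names are copied from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception
// Hypothetical helper: accept only known image extensions and pick the stored name server-side.
function safe_image_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    // Random name: the client-supplied file name never reaches the filesystem or the page.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $fields = [];
    foreach (['title', 'author', 'keywords', 'content'] as $name) {
        $fields[$name] = trim($_POST[$name] ?? '');
        if ($fields[$name] === '') {
            exit('One of the fields is empty');
        }
    }

    $image = null;
    if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
        $image = safe_image_name($_FILES['image']['name']);
    }
    if ($image === null || !move_uploaded_file($_FILES['image']['tmp_name'], "images/$image")) {
        exit('Image upload failed');
    }

    try {
        $db = new mysqli('localhost', 'root', '', 'yangiliklar');
        $db->set_charset('utf8mb4');
        // Placeholders keep the data out of the SQL text; the server receives it separately.
        $stmt = $db->prepare(
            'INSERT INTO posts (posts_title, post_author, post_image, post_keywords, post_content)
             VALUES (?, ?, ?, ?, ?)'
        );
        $stmt->bind_param('sssss', $fields['title'], $fields['author'], $image, $fields['keywords'], $fields['content']);
        $stmt->execute();
        echo '<h1>Post published successfully</h1>';
    } catch (mysqli_sql_exception $e) {
        error_log('Insert failed: ' . $e->getMessage()); // detail goes to the log, not the browser
        echo 'Post has not been published';
    }
}
```

Because the values are bound rather than concatenated, a quote character in a title or in the content is stored as data instead of changing the shape of the query.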
