HELP multipart/form-data HELP

Ok, so the problem I’m having is that the image is being uploaded to the server I’ve specified and so is the rest of the text. But what’s happening is that when I upload an image with the “file” field the database will not store the name; it simply just gets put in as NULL. Everything else on my form/page is working perfectly and inserting perfectly; it’s just that one part where it will not store the image’s name in the database… The VALUES (%s, %s, %s) works fine. Can anyone tell me how I can fix this? I’ve even tried changing the structure of my database…

```php
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "status")) {
  $insertSQL = sprintf("INSERT INTO Posts (UserID, Status, `File`) VALUES (%s, %s, %s)",
                       GetSQLValueString($_POST['userID'], "int"),
                       GetSQLValueString($_POST['status'], "text"),
                       GetSQLValueString($_POST['post_upload'], "text"));

$fileName = $_FILES["post_upload"]["name"];
$fileTmpLoc = $_FILES["post_upload"]["tmp_name"];
$moveResult = move_uploaded_file($fileTmpLoc, "posts/$fileName");
```

That code leaves you a sitting duck for an SQL injection attack as you’re not validating any of the user-submitted data and you’re not using prepared statements. If you’re using the old mysql_* extension you should be aware that it was deprecated in version 5.5 of PHP and is being removed in version 7 of PHP.

I know that, that’s only a little bit of the code

```php
GetSQLValueString($_POST['post_upload'], "text"));
```

Hint: $_POST['post_upload'] is not how you access the name of your file…



Do you have what you expect?
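
The fix the hint points at, as an added example that is not code from any poster in this thread: the upload's name is read from `$_FILES['post_upload']`, reduced to a safe stored name, and inserted with a bound parameter instead of `sprintf()`. The helper names, the image-only extension allow-list, the in-memory SQLite database and the sample request values are assumptions made for the demo.

```php
<?php
// Added example, not the poster's code. Table and field names follow the thread;
// the SQLite in-memory database and the sample values are constructed.

/** Return a safe name to store for one $_FILES entry, or null if unusable. */
function storedUploadName(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                        // nothing uploaded, or upload failed
    }
    // The client controls 'name': strip any path, then restrict the charset.
    $base = basename(str_replace('\\', '/', $file['name']));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;                        // assumed allow-list: images only
    }
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    return bin2hex(random_bytes(4)) . '_' . $stem . '.' . $ext;
}

/** Insert the post with bound parameters; a null $file is stored as NULL. */
function insertPost(PDO $db, int $userId, string $status, ?string $file): void
{
    $stmt = $db->prepare('INSERT INTO Posts (UserID, Status, `File`) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $status, $file]);
}

// Constructed request data standing in for $_POST and $_FILES.
$post  = ['userID' => '7', 'status' => "it's working"];
$files = ['post_upload' => ['name' => '../../cat photo.PNG', 'type' => 'image/png',
          'tmp_name' => '/tmp/phpA1b2C3', 'error' => UPLOAD_ERR_OK, 'size' => 1234]];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Posts (UserID INTEGER, Status TEXT, `File` TEXT)');

$name = storedUploadName($files['post_upload']);
// In a real request, move the file first and record the name only on success:
// if ($name !== null && !move_uploaded_file($files['post_upload']['tmp_name'], "posts/$name")) {
//     $name = null;
// }
insertPost($db, (int) $post['userID'], $post['status'], $name);

print_r($db->query('SELECT * FROM Posts')->fetchAll(PDO::FETCH_ASSOC));
```

The extension check only constrains the stored name; it does not inspect the file's contents.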
