Multiple upload images PHP and Mysql

The code below uploads images one by one. I want to upload multiple images!

    <?php
    // as posted: mysql_* extension and the raw $_GET id built straight into the query
    $id = $_GET['id'];
    $q = mysql_query("SELECT * FROM books WHERE id='$id'") or die(mysql_error());
    $row = mysql_fetch_array($q);
    $name = $row['name'];
    echo '<div class="center-top"> NAME: <strong style="font-size:22px;">'.$name.'</strong>  </div>';

    //begin upload (only runs when the form has been submitted)
    if (isset($_FILES['file'])) {
        $title = htmlspecialchars($_POST['title'], ENT_QUOTES);
        $path = "./upload/images/";
        $name_pic = $_FILES['file']['name'];
        $ext = strtolower(substr(strrchr($name_pic, "."), 1));
        // $ext is already lower-cased, so upper-case entries are not needed
        $allow = array("jpg", "jpeg", "png", "gif");
        if (in_array($ext, $allow)) {
            //md5 hash for random image name
            $rand = rand(0, 10000);
            $md5  = md5($rand);
            $new_file_name = "{$md5}.{$ext}";
            $move_file = move_uploaded_file($_FILES['file']['tmp_name'], $path.$new_file_name);
            if ($move_file) {
                mysql_query("INSERT INTO images (id, link, title, bid)
                    VALUES (NULL, '$new_file_name', '$title', '$id')") or die(mysql_error());
                echo "<div class='yes'>successfully added!</div>";
            }
        }
    }
    //end upload

    //form uploads
    echo '
    <form method="post" action="images.php?id='.$id.'" enctype="multipart/form-data">
    <br />title: <br /><input type="text" name="title" value="'.$name.'"/><br />
    <br /><br/><input name="file" type="file" />
    <br /><input type="submit" name="submit" value="UPLOAD" /><br /><br />
    </form>
    ';
    //end form

With this code delete an image:

    $id = $_GET['id'];
    $result = mysql_query("DELETE FROM images WHERE `id`='$id'");
    echo "<div class='yes'>successfully deleted picture!</div>";

Then your form will want multiple inputs to create an array of files and titles.

Plus, some words of warning.
Mysql is now extinct and has been removed from php. You should be using either Mysqli or PDO.
Also passing the id on as a url variable and inserting the un-sanitized $_GET into an sql statement is extremely insecure.
Better to pass it by $_POST via a hidden form field and then sanitize, before putting it into a statement. Using a prepared statement is another line of defence against sql injection.

Yes I want to upload multiple files!
I know that mysql is insecure, but I think I can't use mysql and mysqli at the same time in a script.
Can you help?

You need to get rid of the mysql and only use mysqli - the mysql interface no longer exists, it was deleted from PHP last year.

You should not be using mysql at all. Use only mysqli or pdo.

It is not so much that mysql is insecure, but the way you are using it.

PHP is not my area of expertise, I'm sure others can advise you better, but I do know enough to spot the huge security hole in the script.
If the id is an integer, which I imagine it will be, it can easily be sanitized to remove any unwanted characters.

    $id = preg_replace('#[^0-9]#i', '', $_POST["id"]);

You should also check the string is not empty after this.
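Putting the replies above together (the `file[]`/`title[]` array inputs, mysqli prepared statements instead of `mysql_*`, and an id that is validated rather than interpolated), here is one way the upload page could look. This is example code added for illustration, not code from any of the posters. It assumes the `books` and `images` tables named in the thread, a database called `gallery` with the credentials shown, and a writable `./upload/images/` directory; the delete handler, the `finfo` MIME check and the `random_bytes()` file names are additions that the thread only hints at.

```php
<?php
// Example, not the original poster's code. Assumed: tables books(id, name) and
// images(id, link, title, bid), database "gallery", writable ./upload/images/.
declare(strict_types=1);

// Book id: accept a positive integer only; reject anything else instead of
// silently stripping characters. false = invalid, null = missing.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}

$db = new mysqli('localhost', 'gallery_user', 'secret', 'gallery'); // assumed credentials
$db->set_charset('utf8mb4');

$stmt = $db->prepare('SELECT name FROM books WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$book = $stmt->get_result()->fetch_assoc();
if (!$book) {
    http_response_code(404);
    exit('no such book');
}
$name = $book['name'];

$path = __DIR__ . '/upload/images/';
// Trusted MIME types, detected from file content rather than the client-supplied
// name, mapped to the extension we will write ourselves.
$allowed  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$messages = [];

// Delete by id the same way: a prepared statement, scoped to this book.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    $imgId = filter_var($_POST['delete'], FILTER_VALIDATE_INT);
    if ($imgId !== false) {
        $del = $db->prepare('DELETE FROM images WHERE id = ? AND bid = ?');
        $del->bind_param('ii', $imgId, $id);
        $del->execute();
        $messages[] = "deleted image $imgId";
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $files  = $_FILES['file'];          // arrays of values because the input is named file[]
    $titles = $_POST['title'] ?? [];
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $insert = $db->prepare('INSERT INTO images (link, title, bid) VALUES (?, ?, ?)');

    foreach ($files['tmp_name'] as $i => $tmp) {
        if ($files['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
            $messages[] = "file $i: upload error";
            continue;
        }
        $mime = $finfo->file($tmp);
        if (!isset($allowed[$mime])) {
            $messages[] = "file $i: rejected ($mime)";
            continue;
        }
        // Unguessable name from a CSPRNG; rand()/md5() gives only 10001 possibilities.
        $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
        if (!move_uploaded_file($tmp, $path . $newName)) {
            $messages[] = "file $i: could not store";
            continue;
        }
        // Store the title as typed; escaping belongs at output time, below.
        $title = (string)($titles[$i] ?? '');
        $insert->bind_param('ssi', $newName, $title, $id);
        $insert->execute();
        $messages[] = "file $i: stored as $newName";
    }
}

$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
foreach ($messages as $m) {
    echo '<div class="yes">' . $h($m) . "</div>\n";
}
echo '<div class="center-top">NAME: <strong>' . $h($name) . '</strong></div>';
// Three file/title pairs; the [] suffix makes PHP deliver arrays in $_FILES and $_POST.
echo '<form method="post" action="images.php?id=' . $id . '" enctype="multipart/form-data">';
for ($n = 0; $n < 3; $n++) {
    echo '<br />title: <input type="text" name="title[]" value="' . $h($name) . '" />';
    echo ' <input type="file" name="file[]" accept="image/*" /><br />';
}
echo '<br /><input type="submit" value="UPLOAD" /></form>';
```

Two points worth keeping in mind when adapting this: the extension is taken from the detected MIME type, never from the uploaded name, so a `shell.php.jpg` that is not actually a JPEG is refused, and even a real image file cannot end up with a `.php` suffix; and the upload directory should still be served with script execution disabled, because the content check proves the file is an image, not that it is harmless.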
