Update file via php

The form with the input element is below:

<?php
// $_FILES['post_new_file'] is the whole upload array (name, tmp_name, error, ...),
// so it is non-empty whenever the form was submitted, even with no file chosen.
$post_new_file = $_FILES['post_new_file'];
if (isset($_POST['update'])) {
    if (!empty($post_new_file)) {
        // Move the uploaded PDF into ../pdf/ under the name the client supplied
        $post_file      = $_FILES['post_new_file']['name'];
        $post_file_temp = $_FILES['post_new_file']['tmp_name'];
        move_uploaded_file($post_file_temp, "../pdf/$post_file");
    }
    // Write the (possibly empty) file name back to the post
    $query = "UPDATE posts SET post_file='{$post_file}' WHERE post_id='{$the_post_id}' ";
    $create_post_query = mysqli_query($connect, $query);
    confirmQuery($create_post_query);
}
?>
<form action="edit.php?source=<?php echo $the_post_id ?>" method="post" enctype="multipart/form-data">
  <div class="form-group" style="border: solid #000 3px;">
    <label for="post_file">Select New File</label>
    <input type="file" name="post_new_file">
  </div>
</form>

I have a problem when $post_new_file exists. In this case, when updating, I lose the data in my db and the post can’t access the file any more. In a few words, I don’t want to change the file’s access when I haven’t inserted a new file. Thanks

Where is the value for $the_post_id coming from?

I got it via the GET method.

It’s a bad idea to be just placing user submitted data into a query without sanitizing it. If it’s numeric, then you can quickly sanitize it by typecasting it as an integer.

I will sanitize the data when I refactor the code.

Fair enough. Please post the newer code when you get done refactoring it.

It is not this problem now, my friend. I am asking about another thing. If you have any answer for this, I will appreciate it.

Is that the full code? That is, does the html form you show at the end, submit to the PHP code you show at the start? If so, I also wonder where $the_post_id is coming from. I can see a variable that you pass as part of the URL, but that’s called $_GET['source'], and I can’t see where you retrieve that in the PHP code.

And is it intentional that your query runs whether or not there is something in $post_new_file, perhaps to blank out the filename from the database? If so, wouldn’t you erase the uploaded file as well?

ETA - can’t be the entire thing, as the html form seems to be lacking a submit button, and the label is for a field name that isn’t shown. Could the missing parts be affecting how it works?

The full code is here:

<?php ob_start();  ?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Lumino - Forms</title>

<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="css/datepicker3.css" rel="stylesheet">
<link href="css/styles.css" rel="stylesheet">
<script src="../admin/js/scripts.js"></script>
<script  src="../admin/js/plugins/ckeditor/ckeditor.js"></script>
<!--Icons-->
<script src="js/lumino.glyphs.js"></script>
</head>

<body>
	<!--Header-->
        <?php include 'includes/header.php';
              include '../main_includes/connect_db.php'; 
              include 'includes/functions.php';
        ?>
                    <!--end Header-->
		
                    
    <!-- .SIDEBAR -->	
	<?php include 'includes/sidebar.php';  ?>
    <!--/.sidebar-->
		
	<div class="col-sm-9 col-sm-offset-3 col-lg-10 col-lg-offset-2 main"  >			
		<div class="row">
			<ol class="breadcrumb">
				<li><a href="#"><svg class="glyph stroked home"><use xlink:href="#stroked-home"></use></svg></a></li>
				<li class="active">Icons</li>
			</ol>
		</div><!--/.row-->
		
		<div class="row">
			<div class="col-lg-12">
                            <h1 class="page-header"><span style="color: #ff0000;">Φόρμα Ανανέωσης Δημοσίευσης</span></h1>
			</div>
		</div><!--/.row-->

	<?php
        // Load the post from the database into the form/table
        global $connect;
        if (isset($_GET['source'])) {
            $the_post_id = $_GET['source'];
        }
        $query = "SELECT * FROM posts WHERE post_id=$the_post_id ";
        $select_posts_by_id = mysqli_query($connect, $query);
        confirmQuery($select_posts_by_id);
        while ($row = mysqli_fetch_assoc($select_posts_by_id)) {
            $post_title     = $row['post_title'];
            $post_keimeno   = $row['post_keimeno'];
            $post_publisher = $row['post_publisher'];
            $post_cat_title = $row['post_cat_title'];
            $post_image     = $row['post_image'];
            $post_file      = $row['post_file'];
            $post_date      = $row['post_date'];
        }

        // The following does the update
        if (isset($_POST['update'])) {
            $post_title     = $_POST['post_title'];
            $post_keimeno   = $_POST['post_keimeno'];
            $post_publisher = $_POST['post_publisher'];
            $post_cat_title = $_POST['post_cat_title'];
            $post_new_image = $_FILES['post_new_image'];            // whole upload array, never empty
            var_dump($post_new_image);
            $post_new_file  = $_FILES['post_new_file']['tmp_name']; // '' when no file was chosen
            var_dump($post_new_file);

            // Loads if I do not select a file
            if (!empty($post_new_image)) {
                $post_image      = $_FILES['post_new_image']['name'];
                $post_image_temp = $_FILES['post_new_image']['tmp_name'];
                move_uploaded_file($post_image_temp, "../images/$post_image");
            }

            // Does the same as above for the pdf files
            if (!empty($post_new_file)) {
                $post_file      = $_FILES['post_new_file']['name'];
                $post_file_temp = $_FILES['post_new_file']['tmp_name'];
                move_uploaded_file($post_file_temp, "../pdf/$post_file");
            }

            $query = "UPDATE posts SET post_cat_title='{$post_cat_title}', post_title='{$post_title}', post_keimeno='{$post_keimeno}', post_publisher='{$post_publisher}', post_image='{$post_image}', post_file='{$post_file}', "
                . "post_check='unchecked' "
                . "WHERE post_id='{$the_post_id}' ";
            $create_post_query = mysqli_query($connect, $query);
            confirmQuery($create_post_query);
            header("Location:edit.php?source=$the_post_id");
            exit();
        }
        ?>

<div class="row">
        <div class="col-lg-12">
            <div class="panel panel-default">
              
                 <div class="panel-body">
                      <div class="col-md-6">

<!--                    		-->
<form action="edit.php?source=<?php echo $the_post_id ?>"  method="post" enctype="multipart/form-data">

                            <div class="form-group" >
                                    <label>ΤΙΤΛΟΣ ΑΡΘΡΟΥ</label>
                                    <input class="form-control" name="post_title" type="text" value="<?php echo $post_title; ?>">
                            </div>


                            <div class="form-group">
                                <label for="post_image">Επιλογή Καινούργιας Φωτογραφίας</label>
                                    <input type="file" name="post_new_image" >
                                    <label style="margin-left: 75%;">Προηγουμενη Φωτογραφία</label>
                                    <img src="../images/<?php echo $post_image;  ?>" alt="" id="photo_edit">   
                            </div>
                            <div class="form-group" style="border: solid #000 3px;">
                                <label for="post_file">Επιλογή Καινούργιου PDF Αρχείου</label>
                                    <input type="file" name="post_new_file" >
                                    <label>Προηγουμενο Αρχείο PDF: <?php echo $post_file;  ?></label>
                            </div>
    
                        <div>
                        <?php //var_dump($the_post_id); var_dump($row); var_dump($post_title); ?>
                            
                         </div>
                                     


                            <label>ΕΚΔΟΤΗΣ</label>
                            <div class="form-group has-success">
                                <input class="form-control" name="post_publisher" type="text" value="<?php echo $post_publisher ?>" placeholder="Εκδότης">
                            </div>

                            <!--<div class="form-group has-warning">
                                    <input class="form-control" placeholder="Warning">
                            </div>
                            <div class="form-group has-error">
                                    <input class="form-control" placeholder="Error">
                            </div>-->

                           <div class="form-group" >
                                <label>Επιλογή Κατηγορίας</label>
                                    <select class="form-control"  name="post_cat_title"   id="forma">
                                            <!--<option>Option 1</option>
                                            <option>Option 2</option>
                                            <option>Option 3</option>
                                            <option>Option 4</option>-->
                                    <?php
                                    // Selects which of the categories are in the database
                                    global $connect;
                                    $query = "SELECT * FROM categories";
                                    $select_categories = mysqli_query($connect, $query);
                                    $count = mysqli_num_rows($select_categories);
                                    confirmQuery($select_categories);
                                    while ($row = mysqli_fetch_assoc($select_categories)) {
                                        $cat_id    = $row['cat_id'];
                                        $cat_title = $row['cat_title'];
                                        // Pre-select the category the post currently has
                                        if ($post_cat_title == $cat_title) {
                                            $select = 'selected';
                                        } else {
                                            $select = null;
                                        }
                                        echo "<option value='$cat_title' $select >$cat_title</option>";
                                    }
                                    ?>
                                    </select>
                                   
                            </div>
                            <div class="form-group" id="keimeno">
                                    <label>ΚΕΙΜΕΝΟ</label>
                                    <!-- Below, in the textarea, the PHP function is used so that the text works and loads in CKEDITOR despite the encoding -->
                                    <textarea class="form-control" name="post_keimeno"  cols="30" rows="20"><?php echo htmlspecialchars($post_keimeno); ?></textarea>
                            </div>

                            <button type="submit" name="update" class="btn btn-primary">Ανανέωση</button>

                        </form> 
                    
                       </div>
                    <div class="col-md-6" >

                  </div>

                  

                </div>

            </div>
        </div><!-- /.col-->
        
</div><!-- /.row -->
		
	</div><!--/.main-->

	<script src="js/jquery-1.11.1.min.js"></script>
	<script src="js/bootstrap.min.js"></script>
	<script src="js/bootstrap-datepicker.js"></script>
        <script src="../admin/js/plugins/ckeditor/config.js"></script>      

            
</body>
	
</html>
<?php ob_end_flush();  ?>
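The two points raised in the replies, that the UPDATE runs even when no file was chosen and that the post id goes into the query unsanitized, come down to testing the upload's error code instead of `empty()` on the `$_FILES` entry and binding the id in a prepared statement. The block below is an added example, not the original poster's code: the `posts`/`post_file`/`post_id` names and the `../pdf/` directory come from the thread, while the function names and the `$connect` mysqli handle are assumptions.

```php
<?php
// Added example (not the thread's code). Assumes a mysqli handle in $connect
// and the posts(post_id, post_file) columns named in the thread.

// Return the sanitized name of a real upload, or null when the file input
// was left blank. empty($_FILES['x']) is the wrong test: $_FILES['x'] is an
// array (name, tmp_name, error, ...) even when no file was chosen.
function uploadedFileName(array $files, string $field): ?string
{
    $err = $files[$field]['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err === UPLOAD_ERR_NO_FILE) {
        return null;                                   // nothing sent
    }
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error $err");
    }
    // basename() removes any directory part the client put in the name, so
    // the file can only land inside the target directory.
    $name = basename($files[$field]['name']);
    if ($name === '' || $name === '.' || $name === '..'
        || strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'pdf') {
        throw new RuntimeException('Not an acceptable PDF file name');
    }
    return $name;
}

// Store the new PDF and point the post at it. When no file was sent the
// function returns without touching post_file, so the old reference survives.
function updatePostFile(mysqli $connect, int $postId, array $files): void
{
    $name = uploadedFileName($files, 'post_new_file');
    if ($name === null) {
        return;
    }
    if (!move_uploaded_file($files['post_new_file']['tmp_name'], "../pdf/$name")) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    // Bound parameters: the file name and id are never interpolated into SQL.
    $stmt = $connect->prepare('UPDATE posts SET post_file = ? WHERE post_id = ?');
    $stmt->bind_param('si', $name, $postId);
    $stmt->execute();
    $stmt->close();
}

if (isset($_POST['update'])) {
    $thePostId = (int) ($_GET['source'] ?? 0);   // the integer typecast suggested above
    updatePostFile($connect, $thePostId, $_FILES);
}
```

The same `uploadedFileName()` check applies to the `post_new_image` input in the full code, where `!empty($_FILES['post_new_image'])` is likewise always true once the form is posted.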
