On Mon, Aug 27, 2012 at 8:03 PM, David McGlone <[email protected]> wrote:
> I got it. All I needed to do was change $_POST[image] to $image in my query
> like so:
> mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
> VALUES('$image', '$_POST[year]', '$_POST[make]',
> '$_POST[model]', '$_POST[milage]', '$_POST[price]')");
> }
>
> I'm sort of stumped as to why though. I'm still pondering it and probably will
> all night. I'll probably wake up at 3am and the light bulb will go off in my
> head.. LOL
I would check to see if you have somewhere set $image. I don't see it
in your code, but I'm sometimes pretty blind.
If you actually dump out $_POST from your form input, you will see
there is no 'image' entry -- that is because it is type file in your
form. When you dump $_FILES, of course, you see the image there.
Here's output from a trial I just made, with the following code:
<?php
echo '<h2>$_POST = </h2><pre>'.PHP_EOL;
var_dump($_POST);
echo '</pre>'.PHP_EOL;
echo '<h2>$_FILES = </h2><pre>'.PHP_EOL;
var_dump($_FILES);
echo '</pre>'.PHP_EOL;
?>
<form enctype="multipart/form-data" action="" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Image: <input name="image" type="file" /><br />
Year: <input type="text" name="year" size="40"><br />
<input type="submit" name="Submit" value="Insert"><br />
</form>
Outputs:
$_POST =
array(3) {
["MAX_FILE_SIZE"]=>
string(6) "100000"
["year"]=>
string(4) "2008"
["Submit"]=>
string(6) "Insert"
}
$_FILES =
array(1) {
["image"]=>
array(5) {
["name"]=>
string(5) "1.png"
["type"]=>
string(9) "image/png"
["tmp_name"]=>
string(26) "/private/var/tmp/phpeVMSM5"
["error"]=>
int(0)
["size"]=>
int(37543)
}
}
You also don't need to use basename($_FILES['image']['name']) -- the
only thing stored there is the basename already.
Here, in your original pastebin, at line 36:
mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
VALUES('$_POST[image]', '$_POST[year]', '$_POST[make]',
'$_POST[model]', '$_POST[milage]', '$_POST[price]')");
should be:
mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
VALUES('{$_FILES['image']['name']}', '$_POST[year]', '$_POST[make]',
'$_POST[model]', '$_POST[milage]', '$_POST[price]')");
(I'm hoping what you are showing us is purely for learning's sake, and
that you will also be learning to untaint your input.)
(Also, minor minor nit: it's spelled "mileage" :) )
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
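
An added example, not part of the original message or the poster's code: one way to do the "untaint your input" step mentioned above, taking the file name from $_FILES and binding values through a prepared statement. It assumes PDO with an in-memory SQLite database so it runs offline, narrows the table to the image and year fields from the trial form, and uses a hypothetical function name (insert_vehicle) and constructed sample input.

```php
<?php
// Added example: validate upload metadata and form fields, then insert with
// a prepared statement. insert_vehicle() is a hypothetical helper name.
function insert_vehicle(PDO $db, array $post, array $files): int
{
    // The file field arrives in $_FILES, never in $_POST.
    $file = $files['image'] ?? null;
    if (!is_array($file) || ($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new InvalidArgumentException('image upload missing or failed');
    }
    // 'name' is chosen by the client, so accept only a conservative pattern.
    $name = (string) ($file['name'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/i', $name)) {
        throw new InvalidArgumentException('unacceptable file name');
    }
    // Numeric field: reject anything that is not a plain integer in range.
    $year = filter_var($post['year'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1900, 'max_range' => 2100]]);
    if ($year === false) {
        throw new InvalidArgumentException('year must be an integer');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO inventory (image, year) VALUES (?, ?)');
    $stmt->execute([$name, $year]);
    return (int) $db->lastInsertId();
}

// Constructed sample input, shaped like the var_dump output in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inventory (id INTEGER PRIMARY KEY, image TEXT, year INTEGER)');
$files = ['image' => ['name' => '1.png', 'type' => 'image/png',
    'tmp_name' => '/private/var/tmp/phpeVMSM5', 'error' => 0, 'size' => 37543]];
echo insert_vehicle($db, ['year' => '2008'], $files), PHP_EOL;

// A constructed year value containing a quote is rejected before any SQL runs.
try {
    insert_vehicle($db, ['year' => "2008' OR '1'='1"], $files);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

A real upload handler would also move the file with move_uploaded_file() before trusting tmp_name; that step is left out here because it only works inside an actual HTTP upload.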