I am so frustrated

dougg

I am trying to upload a file and a description into a sql database.
If I leave off the description, the file uploads fine.
I add the description to the form and it does nothing.
I know I am missing something simple, but I am at wits end.
Here is the code. PLEASE someone help me before I destroy a perfectly good monitor.
I left off the first part that has usernames and passwords on purpose.
All I am concerned with is the form uploading the description part. If I remove the webaddress and $_post[web] it uploads the file just fine.

$conn = mysql_connect($host, $user, $pass)
OR DIE (mysql_error());
@mysql_select_db ($db, $conn) OR DIE (mysql_error());

#--------------------------------------------------#
#ON SUBMIT WITH A FILE CHOSEN
#--------------------------------------------------#
if ($_FILES)
{
#ALLOWED FILE TYPES
$image_types = Array (
"image/bmp",
"image/jpeg",
"image/pjpeg",
"image/gif",
"image/x-png",
"application/octet-stream");

#IF THE FILE UPLOADS SET USERFILE AND BUILD VARIABLES
if (is_uploaded_file ($_FILES['userfile']['tmp_name']))
{
$userfile = addslashes (fread
(fopen($_FILES["userfile"]["tmp_name"], "r"),
filesize($_FILES["userfile"]["tmp_name"])));
$file_name = $_FILES["userfile"]["name"];
$file_size = $_FILES["userfile"]["size"];
$file_type = $_FILES["userfile"]["type"];
#IF THE FILE UPLOADED IS IN THE ALLOWED FILE TYPES ARRAY UPLOAD IT
if (in_array (strtolower ($file_type), $image_types))
{
#$pic_order=$_GET["pic_order"];
$sql = "INSERT INTO ".$table." "
. "(image_type, image, image_size, image_name, image_date, webaddress) ";
$sql.= "VALUES (";
$sql.= "'{$file_type}', '{$userfile}', '{$file_size}', '{$file_name}', NOW()), '$_POST[web]'";
@mysql_query ($sql, $conn);
Header("Location:".$_SERVER["PHP_SELF"]);
exit();
}
}
}

#--------------------------------------------------#
#FUNCTIONS
#--------------------------------------------------#

#RETURNS FILESIZE WITH APPROPRIATE NOTATION
function get_filesize ($dsize)
{
if (strlen($dsize) <= 9 && strlen($dsize) >= 7)
{
$dsize = number_format($dsize / 1048576,1);
return "$dsize MB";
}
elseif (strlen($dsize) >= 10)
{
$dsize = number_format($dsize / 1073741824,1);
return "$dsize GB";
}
else
{
$dsize = number_format($dsize / 1024,1);
return "$dsize KB";
}
}
?>
<html>
<head>
<title>Uploading Images</title>
</head>
<body>
<form method="post" enctype="multipart/form-data">
  Select Image File: 
  <input type="file" name="userfile" size="40">
  URL: 
  <input type="text" name="web" size="30">
  <input name="submit" type="submit" value="submit">
</form>

<?php
#--------------------------------------------------#
#DISPLAY IMAGES AND INFORMATION
#--------------------------------------------------#
$result = mysql_query ($sql, $conn);
$i=0;
$str='';
if (mysql_num_rows($result)>0)
{
while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
#THIS VARIABLE IS AN ARRAY THAT HOLDS THE SIZE PROPERTIES OF THE IMAGE... USED TO GET THE DIMENSIONS
$size = getimagesize("http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']."?act=view&iid=".$row["image_id"]);

$i++;
$str .= $i.". ";
$str .= "<a href=\"uploadpictures.php?act=view&iid=".$row["image_id"]."\">";
$str .= "<img border=\"0\" height=\"90\" width=\"100\" src=\"uploadpictures.php?act=view&iid=".$row["image_id"]."\"></a> ";
$str .= "[Name: ".$row["image_name"]."] ";
$str .= "[WxH: ".$size[0]."x".$size[1]." ] ";
$str .= "[Date: ".$row["image_date"]."] ";
$str .= "[Size: ". get_filesize($row["image_size"])."] ";
$str .= "[Order Number: ".$row["order"]." ] ";
$str .= "[<a href=\"uploadpictures.php?act=rem&iid=".$row["image_id"]."\">Remove</a>]<br>";
}
print $str;
}
?>
</body>
</html>

TobyRT

First thought - try $_POST['web'] - looks like you missed the '
Error check your sql query - it looks very complicated with lots of concatenation - you've used "or die(mysql_error())' at the top, why not with your second query?

Might also be worth just simplifying your query and losing the concatenation. You also haven't defined '$table' anywhere as far as I can see, and I don't think SQL likes $_POST values directly in its queries. Assign the value to a variable.

$table = 'my_table';
$webaddress = $_POST['webaddress'];

$sql = "INSERT INTO '$table' (image_type, image, image_size, image_name, image_date, webaddress) VALUES ('$file_type', '$userfile', '$file_size', '$file_name', NOW(), '$webaddress');
mysql_query($sql) or die (mysql_error());

You also don't seem to be checking to see if any variables are actually passed - what are the mandatory fields? A little more error checking will help you get around some of these problems.

rincewind456

You should never pass unclean user data directly into your database, the very minimum would be to use [man]mysql_real_escape_string/man on all user supplied data.

dougg

In looking at your response, I figured out what I did.
in the string, I had

now())
and the ) should have been at the end.
I will publish all of the code when I test it.

note: The reason I have it broken down is because I am using the same code on different pages and domains. So for simplicity, I wrote it all out. It's a little longer, but easier for me to keep track of.

Thank you so much for the help.