$_POST and backslash problem..I think

php_beginner_83

Hi all

I'm trying to create my own online photo album. Right now I'm working on the upload page that allows me to add records to my database. I have a form where I selected the photo and I use the value from this text box in the form to add to the database. It is stored as the 'Path', the location of the photo so I can later retrieve this and display the photo online. When I select a photo the text box will be populated with a value like..
C:\htdocs\images\photo1.jpg

However, when I click the submit button to add my values to the database only 'photo1.jpg' is added to the database. I'm guessing this has something to do with the backslashes. Is that right? Can anyone offer any ideas or solution about how to solve this?

Thank you.

Code for my form is ...

<div id="image">
   <h3>Add New Image</h3></br>
   <form action="uploadPictures.php" method="post">
   Image Description:<br/>
   <textarea cols="50" rows="4" name="imageDescription">
   </textarea><br/>
   Path:<br/>
   <input type="file" name="path"/><br/>
   Select Album:<br/>
   <?php
      $sql = "SELECT ID, Title FROM albums";
      $result = mysql_query($sql) or die(mysql_error());
      echo '<select name="albumMenu">';
      while($row = mysql_fetch_assoc($result))
      {
         printf('<option value="%s">%s</option>', htmlspecialchars($row['ID']), htmlspecialchars($row['Title']));
      }
      echo '</select>';
   ?>
   <br/><br/>
   <input type="submit" value="Add New Image"/>
   </form>
</div>

and the uploadpicture.php...

// ************** CODE FOR IMAGES TABLE ******************//

// get last ID in 'pictures' table
$result = mysql_query("SELECT * FROM pictures ORDER BY ID desc limit 1") or die('order images error');
$row = mysql_fetch_array($result);
$newID = $row['ID'] + 1;


// insert new image into 'pictues' table
$insert = "INSERT INTO pictures (ID, Description, Path) VALUES ($newID, '{$_POST['imageDescription']}', '{$_POST['path']}')";

mysql_query($insert) or die(mysql_error());

// insert record into 'pics_in_albums' table
$insert2 = "INSERT INTO pics_in_albums (PicID, AlbumID) " .
      "VALUES ($newID, '{$_POST['albumMenu']}')";

mysql_query($insert2) or die('insert into pics_in_album errors');

//***************** END CODE FOR IMAGES TABLE ****************//

itaym02

The path is the path on YOUR computer. When you upload the image from this path, to the server, which is usually a different computer, there is no meaning to full path. Only the file name.

It is also a security breach if your browser would have transfered full paths to the server.

When the file is uploaded it is being stored in a temp directory, defined in the php.in usually.
In your code that handles the form data you should move the file to the location you want it to be, and then store the path (which you know, as you moved it in the code) and the file name.

php_beginner_83

Yes well right now, my testing server is MY computer so in order for it to work I need the whole file path.

itaym02

no - the file is transfered, even on your computer, to a temp directory. You can have the name of this temp directory from the global $_FILES. Please read on "php file uploads" to get more info on this subject.

johanafm

Actually, wether you run the browser and server on the same computer or the browser on one computer and the server on another makes no difference. Communication between client and server is handled in the exact same way.

Uploaded files land in the directory specified by upload_tmp_dir in php.ini. Usually, you can expect this directory to be emptied every now and again since stuff is not supposed to be stored there permanently. Hence, you will need to move the file from this place to a place of your choice. It's your server, so that's not a problem. Moreover, unless you keep one folder per user, or randomly create folders on the fly, you won't need to store the path in the db anyway. That can be done in the php script if you always use the same folder.

But, before we get to that part, there are other things to deal with. Your form needs the enctype attribute with something like

<form enctype="multipart/form-data" ...>

Then, you don't use $POST for file uploads, but $FILES

// see if there is a file and make sure no error occured
if (isset($_FILES['path']) && $_FILES['path']['error'] == 0) {
	// possibly you want to check if the upload actually was an image and otherwise reject it
	// do this here

/*	the tmp_name element holds the filename used by the server
	make sure the file has actually been uploaded and also move it.
	This example uses the original filename (used on the client's side), but there is 
	a risk of this filename allready being in use on the server side.
	If overwriting of existing files is not acceptable, additional checking is needed */
move_uploaded_file($_FILES['path']['tmp_name'],
			'/some/place/of/your/choice/'.$_FILES['path']['name']);

// Now you can choose to insert the whole path and file, which is:
'/some/place/of/your/choice/'.$_FILES['path']['name']
}