
Hi Guys,
I've got a problem with updating images in a MySQL database with a PHP form.
It successfully inserted the images into the database, but it can't do any updates/changes on the existing image record.

Thanks

<? 

session_start(); 
include("database.php");
include("login.php");


$pro_id = $_POST['pro_id'];
$pro_name = $_POST['pro_name'];
$pro_cat = $_POST['pro_cat'];
$pro_desc = $_POST['pro_desc'];
$pro_price = $_POST['pro_price'];


echo "<a href=\"main.php\">Main Menu</a><br>"; 
echo "<a href=\"logout.php\">Log Out</a><br>"; 

?>
<form action='edit.php' method='POST' enctype='multipart/form-data'>
<TABLE>
<TR>
   <?$sql = mysql_query("select * from category");?>
	   <TD>Product Category:</TD>   
	   <TD> 
			<select name='pro_cat'>
			<option value="">Select Category</option>;
			<?
				while($row=mysql_fetch_array($sql))
				{
					echo "<option value='$row[cat_id]'>$row[cat_name]</option>";
					echo $cat_name;
				}
			?>
			</select>
	</TD>
	
   <TD><INPUT TYPE='submit' name='submit' value='View'></TD> 
</TR>
</TABLE>
</form>
<?




if (isset($_POST['edit'])) 
{
	
		$name = $_FILES['myfile']['name'];
		$tmp_name = $_FILES['myfile']['tmp_name'];

if($name)
	{	
		echo "it in here";	
		$location = "avatars/$name";
		move_uploaded_file($tmp_name, $location);
		$sql = "UPDATE product SET pro_name ='$pro_name', pro_cat ='$pro_cat', pro_desc ='$pro_desc', pro_price ='$pro_price', imagelocation ='$location'  WHERE pro_id ='$pro_id'";
		$result = mysql_query($sql);
		echo "<br>Product has been Edited.<br><br><br>";
		die(); 
	}


}               

$sql = mysql_query("SELECT * FROM product where user_id = '$_SESSION[user_id]'and pro_cat = '$pro_cat' ORDER  by pro_id ASC")or die(mysql_error());



while($row = mysql_fetch_array($sql))
{ 
$location = $row[imagelocation];
	?>
			<form action='edit.php' method='post'>
			<table border='3'>
				<tr>
				<td>
				<table>
					bla....bla..bla

					bla...bla...bla..
							
							
				<TR>
				<TD>Image:</TD>
				<TD><input name='myfile' type='file'></TD>
				</TR><br>		
												
				</table>
				

			<input type='hidden' name='pro_id' maxlength='60' value = '<?php echo $row['pro_id']; ?>'>
			<tr><td colspan='2' align='right'>
			<input type='submit' name='edit' value='Edit Product'>
			</td></tr>
			</table>
			</form><br><br><br>
	<?
}
?>

I'm sure the problem would be in here:

if (isset($_POST['edit'])) 
{
	
		$name = $_FILES['myfile']['name'];
		$tmp_name = $_FILES['myfile']['tmp_name'];

if($name)
	{	
		echo "it in here";	
		$location = "avatars/$name";
		move_uploaded_file($tmp_name, $location);
		$sql = "UPDATE product SET pro_name ='$pro_name', pro_cat ='$pro_cat', pro_desc ='$pro_desc', pro_price ='$pro_price', imagelocation ='$location'  WHERE pro_id ='$pro_id'";
		$result = mysql_query($sql);
		echo "<br>Product has been Edited.<br><br><br>";
		die(); 
	}


}

Edited by offsense: n/a


First of all, I recommend filtering all data being sent through the SQL query to prevent 1) breaking the query, and, 2) SQL injections.

Use this to escape any dynamic data going in the query:

mysql_real_escape_string()

http://se2.php.net/manual/en/function.mysql-real-escape-string.php

If there is a single quote in any of the fields (like $pro_name, $pro_cat, etc..) it will break the query and leave it open for SQL injections if someone realizes this. Can you give this a try and see if it helps?
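
The advice above applied to the thread's UPDATE, as an added example that is not part of the original posts. It uses PDO prepared statements in place of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7) and runs the query built by concatenation beside the bound one, first with an apostrophe in the product name and then with quote characters in pro_id. Assumptions: an in-memory SQLite table stands in for the MySQL product table, and the function names, rows and sample inputs are constructed.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL `product` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE product (pro_id INTEGER PRIMARY KEY, pro_name TEXT, imagelocation TEXT)");
$db->exec("INSERT INTO product VALUES (1, 'Shirt', 'avatars/a.png'), (2, 'Hat', 'avatars/b.png')");

// The thread's pattern: request values pasted straight into the SQL text.
function update_concatenated(PDO $db, $pro_id, $pro_name, $location) {
    $sql = "UPDATE product SET pro_name ='$pro_name', imagelocation ='$location' WHERE pro_id ='$pro_id'";
    try {
        return $db->exec($sql);                       // number of rows changed
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();   // quote ended the literal early
    }
}

// Hardened form: placeholders keep every value as data, never as SQL text.
function update_bound(PDO $db, $pro_id, $pro_name, $location) {
    $stmt = $db->prepare(
        "UPDATE product SET pro_name = :name, imagelocation = :loc WHERE pro_id = :id"
    );
    $stmt->execute([':name' => $pro_name, ':loc' => $location, ':id' => $pro_id]);
    return $stmt->rowCount();                         // number of rows changed
}

// Constructed sample inputs.
$apostrophe = "Men's shirt";     // ordinary product name containing a single quote
$quoted_id  = "1' OR '1'='1";    // pro_id field carrying quote characters

// Same inputs through both paths; compare the return values.
var_dump(update_concatenated($db, '1', $apostrophe, 'avatars/new.png'));
var_dump(update_concatenated($db, $quoted_id, 'X', 'avatars/x.png'));
var_dump(update_bound($db, '1', $apostrophe, 'avatars/new.png'));
var_dump(update_bound($db, $quoted_id, 'Y', 'avatars/y.png'));

// Final table state: shows which rows each call really touched.
print_r($db->query("SELECT * FROM product ORDER BY pro_id")->fetchAll(PDO::FETCH_ASSOC));
```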
