0

Dear friends,
I have created a PHP form to store data in my MySQL database, but I am facing a problem in updating file data to store in the database. Please check my code below.

    $edate=$_POST['edate'];
    //$edate=date("d-m-y h:i:s a",time());
    $ldate=$_POST['ldate'];
    //$ldate=date("d-m-y h:i:s a");
    $cdetail=$_POST['cdetail'];
    $tenNo=$_POST['tenNo'];
    $tdetail=$_POST['tdetail'];

    $name = $_FILES['uploaded_file']['name'];
    $mime = $_FILES['uploaded_file']['type'];
    $data = file_get_contents($_FILES['uploaded_file']['tmp_name']);
    $size = intval($_FILES['uploaded_file']['size']);

    $sql1="INSERT INTO tentb(edate,ldate,cdetail,tenNo,tdetail,size,data,name,mime) VALUES('$edate','$ldate','$cdetail','$tenNo','$tdetail','$size','$data','$name','$mime')";

    $result1=$conn1->query($sql1);
    if($result1){
        echo "<script>
    alert('Data has saved')
    </script>";
        header("Refresh:2; url=tenderadd.php");
    }
    else{
        $msg='Error'. $conn1->connect_error;
        header("refresh:2; url=tenderadd.php");
    }
    }

uploaded_file is the name of the file upload tag.

  • 1
    diafol 3,669   9 Months Ago

    This code is unsafe as you have not sanitized the data. The best way to run the insert is to create a prepared statement (mysqli or PDO). Perhaps my tutorial: https://www.daniweb.com/programming/web-development/tutorials/499320/common-issues-with-mysql-and-php may be of use?


0

I strongly back up what diafol has said. Right now you're vulnerable to injection attacks. Many folks think that because they can't see POST data that it can't be tampered with, but it's rather simple to not only view it but alter it as well. Look into using filter_var.

0

OK, I changed my code; please check.

<!DOCTYPE html>
<?php

//include(headeradmin.php);
date_default_timezone_set("Asia/Karachi");
include('conn1.php');
session_start();
 $epr='';
 $msg='';

    if(isset($_GET['epr'] ))
        $epr=$_GET['epr'];
//***************** Save Record***************************
if($epr=='save' && $_FILES['userfile']['size'] > 0){
            $fileName = $_FILES['userfile']['name'];
            $tmpName  = $_FILES['userfile']['tmp_name'];
            $fileSize = $_FILES['userfile']['size'];
            $fileType = $_FILES['userfile']['type'];

     $edate=$conn1->real_escape_string($_POST['edate']);
     $ldate=$conn1->real_escape_string($_POST['ldate']);
     $cdetail=$conn1->real_escape_string($_POST['cdetail']);
    $tenNo=$conn1->real_escape_string($_POST['tenNo']);
    $tdetail=$conn1->real_escape_string($_POST['tdetail']);

$fp      = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

        $sql1="INSERT INTO tentb(edate,ldate,cdetail,tenNo,tdetail,'size',data','name','mime') VALUES('$edate','$ldate','$cdetail','$tenNo','$tdetail','$fileName', '$fileSize', '$fileType', '$content')";

        $result1=$conn1->query($sql1);
    if($result1){
    echo "<script>
    alert('Data has saved')
    </script>";
    header("Refresh:2; url=tenderadd.php");}
    else{
        $msg='Error'. $conn1->connect_error;
        header("refresh:2; url=tenderadd.php");
    }
    }
    ?>

Here is my form:

<form  method="POST" action='tenderadd.php?epr=save'>
 <h1> New Tender</h1>
        <table align='center'>
                    <tr>
                     <td> </td>
                   <td><input type="hidden" name="sr" /></td>
                    </tr>
                    <tr>
                     <td> Current Date </td>
                   <td><input  type="text" value="<?php echo date("d-m-Y"); ?>" readonly="readonly" style='background-color:Black; color:Lime;'   /></td>
                    </tr>

                     <input type="hidden" name="edate"  value='<?php echo date('Y-m-d')?>' readonly="readonly"/></td>

                     <tr>
                     <td> Last Date</td>
                     <td><input id='date' type="text" name="ldate" readonly="readonly" /></td>
                     </tr>

                      <tr>
                      <td> Client Detail</td>
                      <td><input type="text" name="cdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td> Tender No.</td>
                      <td><input type="text" name="tenNo" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Detail</td>
                      <td><input type="text" name="tdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Upload</td>
                      <td><input type="file" name="userfile" /></td>
                      </tr>

                      <tr>
                      <td> </td>
                      <td><input type="submit" value="submit" /></td>
                      </tr>

        </table>
 </form>

I got
Notice: Undefined index: userfile in C:\wamp\www\SprintWeb\tenderadd.php on line 14
error. Please guide me.

0

In order to send files you need the form attribute enctype set to:

<form  method="POST" action='tenderadd.php?epr=save' enctype='multipart/form-data'>

This was mentioned in my tutorial if you read it.

0

Dear Diafol Boss,
I put

 enctype='multipart/form-data'

But I get the same error.
Please check my code and tell me where I can use
$_FILES['userfile']['size'] > 0
in my code. The code is below:

$epr='';
 $msg='';

    if(isset($_GET['epr'] ))
        $epr=$_GET['epr'];
//***************** Save Record***************************
if($epr=='save' ){

            $fileName = $_FILES['userfile']['name'];
            $tmpName  = $_FILES['userfile']['tmp_name'];
            $fileSize = $_FILES['userfile']['size'];
            $fileType = $_FILES['userfile']['type'];

    $edate=$conn1->real_escape_string($_POST['edate']);
    $ldate=$conn1->real_escape_string($_POST['ldate']);
    $cdetail=$conn1->real_escape_string($_POST['cdetail']);
    $tenNo=$conn1->real_escape_string($_POST['tenNo']);
    $tdetail=$conn1->real_escape_string($_POST['tdetail']);

$fp      = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

        $sql1="INSERT INTO tentb(edate,ldate,cdetail,tenNo,tdetail,'size',data','name','mime') VALUES('$edate','$ldate','$cdetail','$tenNo','$tdetail','$fileName', '$fileSize', '$fileType', '$content')";

        $result1=$conn1->query($sql1);
    if($result1){
    echo "<script>
    alert('Data has saved')
    </script>";
    header("Refresh:2; url=tenderadd.php");}
    else{
        $msg='Error'. $conn1->connect_error;
        header("refresh:2; url=tenderadd.php");
    }
    }

And the form HTML code is here:

<form  method="POST" action='tenderadd.php?epr=save' enctype='multipart/form-data'>
 <h1> New Tender</h1>
        <table align='center'>
                    <tr>
                     <td> </td>
                   <td><input type="hidden" name="sr" /></td>
                    </tr>
                    <tr>
                     <td> Current Date </td>
                   <td><input  type="text" value="<?php echo date("d-m-Y"); ?>" readonly="readonly" style='background-color:Black; color:Lime;'   /></td>
                    </tr>

                     <input type="hidden" name="edate"  value='<?php echo date('Y-m-d')?>' readonly="readonly"/></td>

                     <tr>
                     <td> Last Date</td>
                     <td><input id='date' type="text" name="ldate" readonly="readonly" /></td>
                     </tr>

                      <tr>
                      <td> Client Detail</td>
                      <td><input type="text" name="cdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td> Tender No.</td>
                      <td><input type="text" name="tenNo" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Detail</td>
                      <td><input type="text" name="tdetail" size="70" maxlength="200" /></td>
                      </tr>

                      <tr>
                      <td>Tender Upload</td>
                      <input type="hidden" name="MAX_FILE_SIZE" value="2000000">
                      <td><input type="file" name="userfile" /></td>
                      </tr>

                      <tr>
                      <td> </td>
                      <td><input type="submit" value="submit" /></td>
                      </tr>

        </table>
 </form>
1

The max file size should go to the file input tag. Check for errors, e.g.

if($_FILES['userfile']['error']) echo "Error: " . $_FILES['userfile']['error'];
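
The two pieces of advice in the replies (a prepared statement for the insert, and checking the upload's error field before using it) combined in one handler. This is an added example, not code from the thread or from any poster. It assumes the thread's `$conn1` mysqli connection, the `tentb` columns and the `userfile` field; `save_tender()`, `MAX_BYTES` and the `ALLOWED` list are hypothetical names chosen here.

```php
<?php
// Added example, not code from the thread. $conn1, tentb and "userfile" are the
// thread's names; save_tender(), MAX_BYTES and ALLOWED are hypothetical.
require 'conn1.php';                       // provides $conn1 (mysqli)
const MAX_BYTES = 2000000;                 // mirrors the form's MAX_FILE_SIZE
const ALLOWED = ['application/pdf', 'image/png', 'image/jpeg']; // assumed policy

function save_tender(mysqli $db, array $post, array $files): string
{
    // Without enctype="multipart/form-data" $_FILES is empty: test the key first.
    if (!isset($files['userfile']['error'])) {
        return 'No file received; check the form enctype.';
    }
    $f = $files['userfile'];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed with error code ' . (int)$f['error'];
    }
    if (!is_uploaded_file($f['tmp_name']) || $f['size'] > MAX_BYTES) {
        return 'Rejected: not a genuine upload or larger than the limit.';
    }
    // $f['type'] is client-supplied; detect the type from the content instead
    // (needs the fileinfo extension).
    $mime = (string)(new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, ALLOWED, true)) {
        return 'Rejected: file type not allowed.';
    }
    $edate   = date('Y-m-d');              // server-side; hidden fields can be altered
    $ldate   = (string)($post['ldate'] ?? '');
    $cdetail = (string)($post['cdetail'] ?? '');
    $tenNo   = (string)($post['tenNo'] ?? '');
    $tdetail = (string)($post['tdetail'] ?? '');
    $size    = (int)$f['size'];
    $data    = file_get_contents($f['tmp_name']);
    $name    = basename($f['name']);       // drop any client-supplied path
    // Placeholders keep every value, including the raw file bytes, out of the SQL text.
    $stmt = $db->prepare('INSERT INTO tentb
        (edate, ldate, cdetail, tenNo, tdetail, size, data, name, mime)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)');
    if ($stmt === false) {
        return 'Prepare failed.';
    }
    $stmt->bind_param('sssssisss', $edate, $ldate, $cdetail, $tenNo,
        $tdetail, $size, $data, $name, $mime);
    return $stmt->execute() ? 'Saved.' : 'Insert failed.';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo htmlspecialchars(save_tender($conn1, $_POST, $_FILES), ENT_QUOTES, 'UTF-8');
}
```

Binding the file as a string parameter works while the file fits within the server's `max_allowed_packet`; for larger files, bind it as type `b` and stream it with `mysqli_stmt::send_long_data()`.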
0

OK, I solved the problem with the file upload.
One more: how can I download a file from my own MySQL database?

0

I tried this code, but it does not download the file.

 while ($row = $result->fetch_assoc()) {

                    $filename=$row['name'];

                echo "<tr>";
                echo "<td>".$i."</td>";
                echo "<td>".$row ['cdetail']. "</td>";
                echo "<td>".$row ['tenNo']. "</td>";
                echo "<td>".$row ['tdetail']. "</td>";
                echo "<td>".$row['ldate']."</td>";
                echo "<td> <a href=adminfrm.php?file=".$filename."target='_blank'>Download</a></td>";

Please guide me.
