Passing variables into a mysql database, help needed please

I'm having trouble getting the text from the form into the database… the image file is placed in there no troubles and uploads to the right directory, but for some reason the variables in photo_title, photo_price and photo_caption aren't going into the database. Any help would be kindly appreciated.



$size = 39; // the thumbnail height

$filedir = '../gallery/large/'; // the directory for the original image
$thumbdir = '../gallery/thumb/'; // the directory for the thumbnail image
$prefix = 'small_'; // the prefix to be added to the original name

$maxfile = '2000000';
$mode = '0666';

$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
$userfile_size = $_FILES['image']['size'];
$userfile_type = $_FILES['image']['type'];

if (isset($_FILES['image']['name'])) 
	$prod_img = $filedir.$userfile_name;

	$prod_img_thumb = $thumbdir.$prefix.$userfile_name;
	move_uploaded_file($userfile_tmp, $prod_img);
	chmod ($prod_img, octdec($mode));
	$sizes = getimagesize($prod_img);

	$aspect_ratio = $sizes[1]/$sizes[0]; 

	if ($sizes[1] <= $size)
		$new_width = $sizes[0];
		$new_height = $sizes[1];
		$new_height = $size;
		$new_width = abs($new_height/$aspect_ratio);

		or die('Problem In Creating image');
		or die('Problem In opening Source Image');
		or die('Problem In resizing');
		or die('Problem In resizing');
		or die('Problem In saving');

/*# setup SQL statement
	$sql = " INSERT INTO tbl_photos ";
	$sql = $sql . " (image) VALUES "; 
	$sql = $sql . " ('$userfile_name') ";*/
# setup SQL statement
	$sql = " INSERT INTO tbl_photos ";
	$sql = $sql . " (photo_title, image, photo_price, photo_caption) VALUES "; 
	$sql = $sql . " ('$photo_title', '$userfile_name', '$photo_price', '$photo_caption') ";

# execute SQL Statement
 	$result = mysql_db_query($db,"$sql",$cid);

echo '	

<a href="'.$prod_img.'">
	<img src="'.$prod_img_thumb.'" width="'.$new_width.'" height="'.$new_height.'">


echo '
<form method="POST" action="'.$_SERVER['PHP_SELF'].'" enctype="multipart/form-data">
  <td valign="top">Photo Title: </td>
  <td><input type="text" name="photo_title"></td>
  <td valign="top">Photo Image: </td>
  <td><input type="file" name="image"></td>
  <td valign="top">Price: </td>
  <td><input type="text" name="photo_price"></td>
  <td valign="top">Photo Caption: </td>
  <td><textarea name="photo_caption" cols="80" rows="16"></textarea></td>

 <td valign="top">&nbsp;</td>
  <td><input type="Submit" name="Submit" value="Submit Image">
      <input name="Reset" type="Reset"  value="Reset information"></td>



try with

$sql = $sql . " ('$_POST[photo_title]', '$userfile_name', '$_POST[photo_price]', '$_POST[photo_caption]') ";

how about register_globals param?

Alexandr is correct, but his example can be a security risk as well: you are directly adding user input into the database. Big security risk; you should do some checks on it first. You can also do the following, which will still need some checks to make sure all is good with the user input.

It looks as though the code was written to have global variables on, which is a security risk.

Any time you pass data from a form you should always use, and have to use, $_POST['']. Which it looks like your PHP config is requiring, just the script was set up for it, but don't worry, easy fix. Simply follow the following.

So let's say you have:

and you submit this, then in your PHP you should need:
$f_name = $_POST['f_name'];

So for your stuff you will need something like this for each item that is submitted via the form:
$photo_caption = $_POST['photo_caption'];
You can add these in right after the check if the submit button has been clicked.

Same goes for submit buttons and all information passed from a form. If you are passing it from the URL you will need $_GET['']

The reason the others are going into the database ok is because they are not being passed from the form.
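
One way to do the checks the last reply asks for, as an added example that is not code from the thread: each field is read from $_POST, validated, and inserted through a PDO prepared statement rather than being pasted into the SQL string. The table and column names are the thread's; the function names, length limits, price format, allowed extensions and the in-memory SQLite database (used so the demo runs offline) are assumptions.

```php
<?php
// Added example: validate the posted fields, then insert with bound parameters.
function clean_photo_fields(array $post, string $uploadName): array
{
    $title   = trim((string)($post['photo_title'] ?? ''));
    $price   = trim((string)($post['photo_price'] ?? ''));
    $caption = trim((string)($post['photo_caption'] ?? ''));
    if ($title === '' || strlen($title) > 100) {            // assumed limit
        throw new InvalidArgumentException('photo_title must be 1-100 characters');
    }
    if (!preg_match('/^\d{1,6}(\.\d{1,2})?$/', $price)) {    // assumed price format
        throw new InvalidArgumentException('photo_price must look like 12 or 12.50');
    }
    if (strlen($caption) > 2000) {                          // assumed limit
        throw new InvalidArgumentException('photo_caption is too long');
    }
    // The browser-supplied file name is user input too: drop any path part
    // and accept only a conservative character set and image extension.
    $image = basename(str_replace('\\', '/', $uploadName));
    if (!preg_match('/^[A-Za-z0-9_.-]+\.(jpe?g|png|gif)$/i', $image)) {
        throw new InvalidArgumentException('unexpected image file name');
    }
    return [':title' => $title, ':image' => $image, ':price' => $price, ':caption' => $caption];
}

function insert_photo(PDO $db, array $fields): void
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO tbl_photos (photo_title, image, photo_price, photo_caption)
         VALUES (:title, :image, :price, :caption)'
    );
    $stmt->execute($fields);
}

// Offline demo: in-memory SQLite stands in for MySQL; use a mysql: DSN in practice.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_photos (photo_title TEXT, image TEXT, photo_price TEXT, photo_caption TEXT)');

// Constructed input in place of $_POST and $_FILES['image']['name'].
$post = ['photo_title' => "O'Brien's sunset", 'photo_price' => '12.50', 'photo_caption' => "It's a test"];
insert_photo($db, clean_photo_fields($post, 'C:\\photos\\sunset.jpg'));
print_r($db->query('SELECT * FROM tbl_photos')->fetchAll(PDO::FETCH_ASSOC));
```

The apostrophes in the constructed title and caption are stored as typed, because bound values are never parsed as SQL.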
