Auto submit is not posting data to database

I am trying to post a file into a Blob. I have created a HTML form that automatically posts when A file is selected:

<form id="target" method="post" name="frmImage" class="frmImageUpload" action="./post.php">  
  <div id="pic1">
    <input type="file" name="userfile" id="userfile" class="userfile"/>
  </div>
</form>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script type="text/javascript">
  $('#pic1').click(function(){ 
    $('#userfile').trigger('click'); 
  });
</script>

<script type="text/javascript">
  $('#userfile').change(function() {
    $('#target').submit();
  });
</script>

When I select a file the script is navigating me to post.php. But it is not posting anything to the database.

Here is my post.php:

<?php
    include_once '../../../../includes/connect.php';
    include_once '../../../../includes/functions.php';

    sec_session_start();

    $correct = true;

    if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {
      $fileName = $_FILES['userfile']['name'];
      $tmpName  = $_FILES['userfile']['tmp_name'];
      $fileSize = $_FILES['userfile']['size'];
      $fileType = $_FILES['userfile']['type'];
      $_SESSION['user_id'];

      $fp = fopen($tmpName, 'rb');
      $content = fread($fp, filesize($tmpName));
      $content = addslashes($content);
      fclose($fp);

        if(!get_magic_quotes_gpc())
        {
          $fileName = addslashes($fileName);
        }

        $query = "INSERT INTO temp (user_id, content) VALUES (". $_SESSION['user_id'] .", '$content')";
        mysql_query($query) or die(mysql_error()); 
        $msg = "<br>File <b>$fileName</b> uploaded<br>";

    }
    else
    {
        $msg = "<br>File <b>$fileName</b> not uploaded<br>";
    }
?>

Does someone know what is wrong with my script?

Edit: the error message received are the following:

Notice: Undefined index: userfile in (...) on line 12

and

Notice: Undefined variable: fileName in in (...) on line 37

Asked By: John
||

Answer #1:

You form must include enctype='multipart/form-data' attribute. This attribute is required to upload files.

It'll look like:

<form id="target" method="post" enctype='multipart/form-data' name="frmImage" class="frmImageUpload" action="./post.php">  
  <div id="pic1">
    <input type="file" name="userfile" id="userfile" class="userfile"/>
  </div>
</form>

I recommend you using move_uploaded_file. See more.

Answered By: lcssanches

Answer #2:

According to your comment, you are getting undefined index notice due to multipart/form-data,

You need to use enctype="multipart/form-data" in your <form> as:

<form id="target" method="post" name="frmImage" class="frmImageUpload" action="./post.php" enctype="multipart/form-data">  

Second, you need to define $fileName as $fileName = ''; at top level declaration, otherwise you will get another undefined variable notice

You need to declare it before this line:

if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {

as:

$fileName = '';
if(isset($_POST['userfile']) && $_FILES['userfile']['size'] > 0) {

Third, mysql_* is deprecated extension and closed in PHP7, i suggest you to use mysqli_* or PDO.

Fourth, you code is wide open for SQL injection, preventing for SQL injection, you can use PDO.

Fifth, and dont know what is it? $_SESSION['user_id'];

Some useful links:

How can I prevent SQL injection in PHP?

Are PDO prepared statements sufficient to prevent SQL injection?

Answered By: devpro
The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .



# More Articles