PHP - Upload a file then save the url of the upload in MySQL?

Associate
Joined
3 Nov 2005
Posts
611
Ello peeps, basically I have an admin section of a website and want to allow them to upload files to attach to news/posts etc. The file uploads fine but I want to get the URL it has uploaded to into the MySQL database so that when it displays the posts with attachments they are already linked directly.

I'm fairly poor when it comes to knowing what is and isn't secure at this time so if this isn't very secure and there is a way to do what I need to which is then feel free to tell me :)

For now I am using W3 Schools code while I learn more about the upload functionality and have this code -

PHP:
$allowedExts = array("jpg", "jpeg", "gif", "png", "pdf");
// explode() result stored first: end() takes its argument by reference,
// so end(explode(...)) raises a "Only variables should be passed by reference" notice
$nameParts = explode(".", $_FILES["file"]["name"]);
$extension = end($nameParts);

// browser-supplied type, size limit and extension whitelist
if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "application/pdf")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/png")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 1000000)
    && in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

        if (file_exists("uploads/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " already exists. ";
        }
        else
        {
            // move from the PHP temp location into the web-accessible uploads/ folder
            move_uploaded_file($_FILES["file"]["tmp_name"],
                "uploads/" . $_FILES["file"]["name"]);
            echo "Stored in: " . "uploads/" . $_FILES["file"]["name"];
            // public URL that will be written to the database
            $attachment = "http://www.inserturlhere.co.uk/uploads/" . $_FILES["file"]["name"];

            echo $attachment;
        }
    }
}
else
{
    echo "Invalid file";
}

then for the save to the database, this -

PHP:
$save_feedback = mysql_query("UPDATE feedback SET name='$name', email='$email', rating='$rating', comments='$comments', attachment='$attachment', reply='$reply', display='$display' WHERE id='$id'") or die(mysql_error());

The error I get is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://www.inserturlhere.co.uk/uploads/7d0w14a9wcpu904w.jpg', reply='', display' at line 1. I have of course changed the URL text when posting this :) and the database does have this table and field name in it.

Obviously your query is erroring, so the easiest way for you to debug this is to take a copy of the query and test it with a test db. However, you shouldn't really be using mysql_* functions at all; it's neither portable nor particularly secure. Something like this would be better:-

http://www.php.net/manual/en/class.pdo.php

Although you should be validating all user input, it's pretty good practice (I'd say it's a requirement, personally) to use prepared statements, like so:-

http://www.php.net/manual/en/pdo.prepare.php

In theory, if you bind all your variables as parameters, these should be escaped, thus protecting you from SQL injections.
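Putting the reply's advice together with the original upload code, here is an added example (not the poster's code, the W3Schools snippet, or anything from php.net) that validates the upload on the server side and then writes the URL with a PDO prepared statement. The `uploads/` directory, the `feedback` table and its `attachment`/`id` columns come from the question; the public base URL, the DSN and the credentials are placeholders, and `storeUpload`/`saveAttachment` are names chosen for this example. It does three things the original did not: it checks the real file content with `finfo` instead of trusting the browser-supplied `$_FILES["file"]["type"]`, it stores the file under a random server-chosen name so the client name never reaches the filesystem or the database, and it binds the URL as a parameter so a quote inside any value can no longer break the query (which is what the posted error message shows happening).

```php
<?php
// Added example: hardened upload + PDO prepared statement (not the poster's code).
// Assumptions: uploads/ is writable by the web server and configured so that
// nothing inside it is executed as PHP; base URL, DSN and credentials are placeholders.

declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/uploads';
const PUBLIC_BASE = 'http://www.inserturlhere.co.uk/uploads'; // placeholder from the question
const MAX_BYTES   = 1000000;

// Extension -> MIME types detected from the file's actual bytes. Both must agree.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR under a random name.
 * Returns the public URL on success; throws RuntimeException on any rejection.
 */
function storeUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // The extension is taken from the client name, but the client name itself is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }

    // $_FILES['type'] is whatever the browser claims; sniff the real content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }

    // Random server-chosen name: no path traversal, no overwrite, no user-controlled filename.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, not executable

    return PUBLIC_BASE . '/' . $name;
}

/**
 * Save the attachment URL with a prepared statement: the URL is sent as data,
 * never spliced into the SQL text, so quotes inside it cannot alter the query.
 */
function saveAttachment(PDO $pdo, int $id, string $attachmentUrl): int
{
    $stmt = $pdo->prepare('UPDATE feedback SET attachment = :attachment WHERE id = :id');
    $stmt->bindValue(':attachment', $attachmentUrl, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage in the admin form handler (DSN and credentials are placeholders):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    try {
        $url = storeUpload($_FILES['file']);
        saveAttachment($pdo, (int) ($_POST['id'] ?? 0), $url);
        echo 'Stored: ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Invalid file';          // detail goes to the server log, not the response
        error_log($e->getMessage());
    }
}
```

The same `name`, `email`, `comments` and other fields from the original `UPDATE` would be bound the same way as `:attachment`; the point is that no value ever gets concatenated into the query string, so the "error in your SQL syntax" caused by a stray quote disappears together with the injection risk.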
 