Is this a parsing problem? because you are missing a closing curly bracket where the php portion ends. So it should been

$out .= "<img src=\"".$url['gal_url']."\">";
}
}

That was definitely a problem, but now I fixed that, and it uploads - it just doesn't add it to the database :/

To see where the query is failing do:

$result=mysql_query($query) or die(mysql_error());

Might be a single quote in your gallery name? Always wrap incoming post data using mysql_real_escape_string [uk.php.net].

$_POST = array_map('mysql_real_escape_string',$_POST);

dc

can you make sure your are using the same values from the form?

instead of
$query="INSERT INTO gallery(gal_id, gal_url, gal_name) VALUES ('', '$path', '$galname')";

should been

$query="INSERT INTO gallery(gal_id, gal_url, gal_name) VALUES ('', '$path', '$gal_name')";
assuming register globals are on. Also in terms of security you should do some filtering on the posted data as mentioned.

Thanks, it's working now - except that when it uploads to the database, it doesn't put anything in the name-column.

My PHP now looks like this (HTML is still the same);
session_start();
//if($_GET['c']==1) unset($_SESSION['state']);

if(!isset($_SESSION['state'])) $_SESSION['state'] = 0;
elseif(isset($_FILES))
{
$valid="yes";
// Check uploaded file
if($_FILES['file']['type']!="image/jpeg")
{
$outerror .= "Wrong type.<br />";
$valid="no";
}
if($_FILES['file']['size'] > 50000)
{
$outerror .= "Too big.<br />";
$valid="no";
}
if(file_exists("img/".$_FILES['file']['name']))
{
$outerror .= "File's there already.<br/>";
$valid="no";
}

if($valid=="yes")
{
move_uploaded_file($_FILES['file']['tmp_name'], "img/".$_FILES['file']['name']);
$outerror .= "Well done.";
// add to database
$path = "img/" . $_FILES['file']['name'];

include("inc/db_connect.inc");
$query="INSERT INTO gallery(gal_id, gal_img, gal_name) VALUES ('', '$path', '$gal_name')";
$result=mysql_query($query) or die(mysql_error());
$last_id=mysql_insert_id();

$img_query="SELECT * FROM gallery WHERE gal_id='$last_id'";
$img_result=mysql_query($img_query);
$img_data=mysql_fetch_assoc($img_result);
$out .= "<img src=\"".$url['gal_url']."\">";

}
}

try after this
$path = "img/" . $_FILES['file']['name'];

to load the $gal_name like
$gal_name = mysql_real_escape_string($_POST['gal_name']);

It now says;

"Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'root'@'localhost' (using password: NO) in /usr/home/server/public_html/thingy.php on line 32

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /usr/home/server/public_html/thingy.php on line 32"

-line 32 being "$gal_name = mysql_real_escape_string($_POST['gal_name']);"

[edited by: dreamcatcher at 7:31 am (utc) on May 17, 2009]
[edit reason] Removed specifics [/edit]

Your connection information is incorrect. The script cannot connect to the database.

dc

It could connect and put things into the database before I put the mysql_real_escape_string()-line in there. I didn't change anything about the connection information; it's in another file entirely, so that doesn't make sense.

Ok can you move that line

$gal_name = mysql_real_escape_string($_POST['gal_name']);

after the db connect, I presume after this line

include("inc/db_connect.inc");

Hello,

The mysql_real_escape_string() function should be placed in the query. Try this:

[fixed]
$gal_name = $_POST['gal_name'];
$query="INSERT INTO gallery (gal_id, gal_img, gal_name) VALUES ('', '$path', '" . mysql_real_escape_string($gal_name) . "')";
[/fixed]

I tried what you guys suggested, but it still doesn't put a name in the database :/

This part looks a little off to me:

if(!isset($_SESSION['state'])) $_SESSION['state'] = 0;
elseif(isset($_FILES))

What happens if you try this instead:

if(!isset($_SESSION['state']))
{
$_SESSION['state'] = 0;
}
else
{
Rest of stuff
}

Still doesn't work better than before :/

Is it working though? And what happens with the script? How was it working before and how would you like it to work now?

It's kinda working, yea. It's not working better or worse than before - it's still uploading the images to the right folder, and putting things into the database, it just doesn't add whatever was put into the field Name. The script is working, except for that tiny little detail.

It could connect and put things into the database before I put the mysql_real_escape_string()-line in there. I didn't change anything about the connection information; it's in another file entirely, so that doesn't make sense.

mysql_real_escape_string assumes a database connection is in place. You must have placed the code before the connection.

Try looking at your post array when you process to see whats coming in:

echo '<pre>';
print_r($_POST);
echo '</pre>';

Do you see the gal_name array key? Also, is your database field the correct field type to accept text?

dc

Where do you define $gal_name? As enigma pointed out, it should be defined after your connection include because as dreamcatcher stated the mysql_real_escape_string() function assumes a database connection is in place.

max4, thanks - that was actually what was missing for this to work. Thanks, everybody! (:

You're quite welcome geeklike. I'm glad that it is working now, and I'm happy that I could help.

Good luck,
Mohamed