mysql insert not working

     
1:57 am on Jan 4, 2013 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 24, 2004
posts: 127
votes: 0


I've been debugging the bajeezus out of this for at least two hours and I can't for the life of me figure out why it won't insert into mysql so I turn it over to you fine folks. The variables are passing but not saving. Any ideas?

HTML

<form enctype="multipart/form-data" action="inc/news_add.php" method="POST">

<div>
<label for="news_title">News Title:</label><br />
<input type="text" name="news_title" />
</div>

<div>
<label for="news_body">News Body:</label><br />
<textarea name="news_body"></textarea>
</div>

<div>
<label for="news_image">Upload Image</label><br />
<input name="news_image" type="file" />
</div>

<div>
<input type="submit" name="submit" value="Add News" />
</div>

</form>


PHP

//
// add news
//

// grab vars
$news_title = $_POST['news_title'];
$news_body = $_POST['news_body'];
$news_image = $_FILES['news_image']['name'];


// if file has been changed, resize file before save
if (isset($_FILES['news_image']['name'])){

# resize file
$im = ImageCreateFromJpeg($_FILES['news_image']['tmp_name']);

$ox = imagesx($im);
$oy = imagesy($im);

$height = 600;
$width = 600;

# check if portrait
if($ox < $oy) {
$ny = $height;
$nx = floor($ox * ($ny / $oy));

# check if landscape
} else {
$nx = $width;
$ny = floor($oy * ($nx / $ox));
}

$nm = imagecreatetruecolor($nx, $ny);
imagecopyresampled($nm, $im, 0, 0, 0, 0, $nx, $ny, $ox, $oy);

$folder = '/public_html/uploads/news_photos/';
imagejpeg($nm, $folder.$news_image, 90);
}


// save data to mysql

# if file field wasn't updated
if (!isset($_FILES['news_image']['name'])) {
mysql_query("INSERT INTO news (news_title, news_added, news_body VALUES ('$news_title', NOW(), '$news_body')");

# if everything was updated
} else {
mysql_query("INSERT INTO news (news_title, news_body, news_added, news_image VALUES ('$news_title', '$news_body', NOW(), '$news_image')");
}

4:42 am on Jan 4, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
posts:4783
votes: 0


There are quite a few security issues in the code
- SQL injection (obviously, as you neither escape nor use calls that don't need it)
- file tree walking (what if $news_image were to contain ../../index.php? - and that's a mild one)
- overwriting files
- ...

The trick to debugging SQL statements is to type them into an interactive mysql session. It would tell you that you have a syntax error :-) -- or, failing that, check the results / errors returned to PHP.

tip: add a ")" before the VALUES ...

6:23 am on Jan 4, 2013 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 24, 2004
posts: 127
votes: 0


LOL I can't believe I missed that. Thanks for poking me with a blunt stick, I obviously needed it ;)

As for the glaring security holes, I realize that my code straight up sucks. I'm typically a front end designer and this will only be used internally, so in the future I'll either do some more reading up on SQL, or leave this stuff to the actual back end developers in the office and stick to the UI work I was hired for.

Cheers and thanks again!

7:01 am on Jan 4, 2013 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


>reading up

mysql_real_escape_string [php.net] in the short term will prevent SQL injections for your statements but you'll want to verify the input is 'good'... which in this case would be well before the query for all the reasons swa66 listed.
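
Added example, not code from any poster in this thread: one way to close the SQL injection, path traversal and file-overwrite issues listed above, using bound parameters and a server-chosen file name. The helper names `safe_image_name()` and `insert_news()` and the nullable `news_image` column are assumptions; the demo needs the PDO SQLite and GD extensions and uses in-memory SQLite in place of MySQL.

```php
<?php
// Added example, not the poster's code. safe_image_name() and insert_news()
// are hypothetical helpers; the news table columns come from the thread.

// Pick the stored file name on the server. The client-supplied
// $_FILES[...]['name'] is never used, so "../" cannot leave the upload
// folder and a random name cannot overwrite an existing file.
function safe_image_name(string $tmpPath): ?string {
    $info = @getimagesize($tmpPath);   // looks at file content, not the name
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;                   // not a JPEG: reject it
    }
    return bin2hex(random_bytes(16)) . '.jpg';
}

// Bound parameters keep user text out of the SQL string entirely.
// Assumes news_image is nullable, so one statement covers both cases.
function insert_news(PDO $db, string $title, string $body, ?string $image): bool {
    $stmt = $db->prepare(
        'INSERT INTO news (news_title, news_body, news_added, news_image)
         VALUES (:title, :body, CURRENT_TIMESTAMP, :image)'
    );
    return $stmt->execute([':title' => $title, ':body' => $body, ':image' => $image]);
}

// Demo on constructed input. In-memory SQLite stands in for MySQL here;
// ERRMODE_EXCEPTION makes a malformed statement fail loudly.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE news (news_title TEXT, news_body TEXT, news_added TEXT, news_image TEXT)');

$jpeg = tempnam(sys_get_temp_dir(), 'up');   // constructed "upload": a real JPEG
imagejpeg(imagecreatetruecolor(8, 8), $jpeg);
$text = tempnam(sys_get_temp_dir(), 'up');   // constructed non-image file
file_put_contents($text, 'not an image');

$name = safe_image_name($jpeg);              // accepted, gets a random name
var_dump(safe_image_name($text));            // rejected by the content check
insert_news($db, "Bob's news", "It's here", $name);  // apostrophes stay data
print_r($db->query('SELECT news_title, news_image FROM news')->fetchAll(PDO::FETCH_ASSOC));
unlink($jpeg);
unlink($text);
```

In the real handler, also check that `$_FILES['news_image']['error'] === UPLOAD_ERR_OK` before processing: `isset($_FILES['news_image']['name'])` is true even when no file was chosen, because the field is still submitted with an empty name.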
 
