mysql insert not working

generic

1:57 am on Jan 4, 2013 (gmt 0)

I've been debugging the bajeezus out of this for at least two hours and I can't for the life of me figure out why it won't insert into mysql so I turn it over to you fine folks. The variables are passing but not saving. Any ideas?

HTML

<form enctype="multipart/form-data" action="inc/news_add.php" method="POST">

<div>
<label for="news_title">News Title:</label><br />
<input type="text" name="news_title" />
</div>

<div>
<label for="news_body">News Body:</label><br />
<textarea name="news_body"></textarea>
</div>

<div>
<label for="news_image">Upload Image</label><br />
<input name="news_image" type="file" />
</div>

<div>
<input type="submit" name="submit" value="Add News" />
</div>

</form>


PHP

//
// add news
//

// grab vars
$news_title = $_POST['news_title'];
$news_body = $_POST['news_body'];
$news_image = $_FILES['news_image']['name'];


// if file has been changed, resize file before save
if (isset($_FILES['news_image']['name'])){

    # resize file
    $im = ImageCreateFromJpeg($_FILES['news_image']['tmp_name']);

    $ox = imagesx($im);
    $oy = imagesy($im);

    $height = 600;
    $width = 600;

    # check if portrait
    if($ox < $oy) {
        $ny = $height;
        $nx = floor($ox * ($ny / $oy));

    # check if landscape
    } else {
        $nx = $width;
        $ny = floor($oy * ($nx / $ox));
    }

    $nm = imagecreatetruecolor($nx, $ny);
    imagecopyresampled($nm, $im, 0, 0, 0, 0, $nx, $ny, $ox, $oy);

    $folder = '/public_html/uploads/news_photos/';
    imagejpeg($nm, $folder.$news_image, 90);
}


// save data to mysql

# if file field wasn't updated
if (!isset($_FILES['news_image']['name'])) {
    mysql_query("INSERT INTO news (news_title, news_added, news_body VALUES ('$news_title', NOW(), '$news_body')");

# if everything was updated
} else {
    mysql_query("INSERT INTO news (news_title, news_body, news_added, news_image VALUES ('$news_title', '$news_body', NOW(), '$news_image')");
}

swa66

4:42 am on Jan 4, 2013 (gmt 0)

There are quite a few security issues in the code:
- sql injection (obviously as you do not escape nor use calls that don't need it)
- file tree walking ( what if $news_image were to contain ../../index.php ? - and that's a mild one)
- overwriting files
- ...

The trick to debugging SQL statements is to type them into an interactive mysql session. It would tell you that you have a syntax error :-) -- or, failing that, check the results / errors returned to PHP.

tip: add a ")" before the VALUES ...
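A hardened version of the resize-and-save step, added here as an example and not code from this thread: it keeps the original table, column names and 600px resize, uses mysqli prepared statements so the posted values can never rewrite the query, stores the photo under a server-generated name so the browser's filename can neither walk out of the upload folder nor overwrite an existing file, and switches mysqli to exceptions so a syntax error (such as the missing ")") is reported instead of silently ignored. The connection details are placeholders, and the function names storeNewsImage and addNews are this example's own.

```php
<?php
// Added example (not the original poster's code): a hardened version of the
// resize-and-save step. Assumes the same `news` table and columns as the
// original INSERT statements and a mysqli connection; the connection details
// below are placeholders.
declare(strict_types=1);

// Make mysqli throw on every error, so a broken statement (such as the missing
// ")" before VALUES) surfaces as an exception instead of a silent false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

$uploadDir = '/public_html/uploads/news_photos/';   // same folder as the original

/**
 * Resize an uploaded JPEG to a 600px longest side (as the original does) and
 * store it under a server-generated name, which is returned. The browser's
 * filename is never used, so "../../index.php" cannot leave the folder, and a
 * random name cannot overwrite an existing photo. Returns null when the form
 * was submitted with the file field left empty.
 */
function storeNewsImage(array $file, string $dir): ?string
{
    // $_FILES['news_image']['name'] is set (to "") even when no file was chosen,
    // so isset() cannot detect the "no upload" case; the error code can.
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    // Trust the bytes, not the extension: getimagesize() reads the real header,
    // and imagecreatefromjpeg() would fail on a PNG renamed to .jpg anyway.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG image');
    }

    $im = imagecreatefromjpeg($file['tmp_name']);
    $ox = imagesx($im);
    $oy = imagesy($im);
    if ($ox < $oy) {                       // portrait: height becomes 600
        $ny = 600;
        $nx = max(1, (int) floor($ox * 600 / $oy));
    } else {                               // landscape or square: width becomes 600
        $nx = 600;
        $ny = max(1, (int) floor($oy * 600 / $ox));
    }
    $nm = imagecreatetruecolor($nx, $ny);
    imagecopyresampled($nm, $im, 0, 0, 0, 0, $nx, $ny, $ox, $oy);

    $name = bin2hex(random_bytes(16)) . '.jpg';   // server-chosen, unguessable name
    $dest = rtrim($dir, '/') . '/' . $name;
    if (file_exists($dest) || !imagejpeg($nm, $dest, 90)) {
        throw new RuntimeException('could not store image');
    }
    return $name;
}

/**
 * Insert the row with a prepared statement: the values travel separately from
 * the SQL text, so a title containing a quote is stored literally instead of
 * rewriting the query.
 */
function addNews(mysqli $db, string $title, string $body, ?string $image): int
{
    if ($image === null) {
        $stmt = $db->prepare(
            'INSERT INTO news (news_title, news_added, news_body) VALUES (?, NOW(), ?)'
        );
        $stmt->bind_param('ss', $title, $body);
    } else {
        $stmt = $db->prepare(
            'INSERT INTO news (news_title, news_body, news_added, news_image) VALUES (?, ?, NOW(), ?)'
        );
        $stmt->bind_param('sss', $title, $body, $image);
    }
    $stmt->execute();
    return (int) $db->insert_id;
}

$title = (string) ($_POST['news_title'] ?? '');
$body  = (string) ($_POST['news_body'] ?? '');
$image = isset($_FILES['news_image']) ? storeNewsImage($_FILES['news_image'], $uploadDir) : null;
$newId = addNews($db, $title, $body, $image);
```

Two things differ from the original on purpose: the "no file" branch is chosen by the upload error code rather than isset(), because the name key is present even for an empty file field, and the stored filename is generated on the server rather than taken from the browser, which removes the path-walking and overwrite cases in one move.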

generic

6:23 am on Jan 4, 2013 (gmt 0)

LOL I can't believe I missed that. Thanks for poking me with a blunt stick, I obviously needed it ;)

As for the glaring security holes, I realize that my code straight up sucks. I'm typically a front end designer and this will only be used internally, so in the future I'll either do some more reading up on SQL, or leave this stuff to the actual back end developers in the office and stick to the UI work I was hired for.

Cheers and thanks again!

brotherhood of LAN

7:01 am on Jan 4, 2013 (gmt 0)

>reading up

mysql_real_escape_string [php.net] in the short term will prevent SQL injections for your statements but you'll want to verify the input is 'good'... which in this case would be well before the query for all the reasons swa66 listed.
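To make "verify the input is good, well before the query" concrete, here is an added example (not from this thread) of a validation pass over the form fields and the upload metadata, run against three constructed submissions. It is independent of how the query is later escaped or parameterised; the length and size limits and the function name validateNewsForm are this example's assumptions.

```php
<?php
// Added example, not from the thread: validate the form input before any
// database or filesystem work happens. The limits below are assumptions.
declare(strict_types=1);

const TITLE_MAX_BYTES = 255;        // assumed to match a VARCHAR(255) news_title column
const BODY_MAX_BYTES  = 65535;      // assumed TEXT news_body column
const IMAGE_MAX_BYTES = 2 * 1024 * 1024;

/**
 * Returns a list of human-readable problems; an empty list means the request
 * may proceed to the resize/insert step. $post has the shape of $_POST and
 * $file the shape of $_FILES['news_image'] (or null when the field is absent),
 * so the function can be exercised with constructed data.
 */
function validateNewsForm(array $post, ?array $file): array
{
    $errors = [];

    $title = trim((string) ($post['news_title'] ?? ''));
    if ($title === '') {
        $errors[] = 'title is required';
    } elseif (strlen($title) > TITLE_MAX_BYTES) {
        $errors[] = 'title longer than ' . TITLE_MAX_BYTES . ' bytes';
    }
    // Control characters (other than tab/newline) are never legitimate in a title.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $title)) {
        $errors[] = 'title contains control characters';
    }

    $body = (string) ($post['news_body'] ?? '');
    if (trim($body) === '') {
        $errors[] = 'body is required';
    } elseif (strlen($body) > BODY_MAX_BYTES) {
        $errors[] = 'body longer than ' . BODY_MAX_BYTES . ' bytes';
    }

    // The file field is optional, but when a file was sent it must be sane.
    if ($file !== null && $file['error'] !== UPLOAD_ERR_NO_FILE) {
        if ($file['error'] !== UPLOAD_ERR_OK) {
            $errors[] = 'upload failed (code ' . $file['error'] . ')';
        } elseif ($file['size'] > IMAGE_MAX_BYTES) {
            $errors[] = 'image larger than ' . IMAGE_MAX_BYTES . ' bytes';
        }
        // The client-chosen name should only ever be shown, never used as a path;
        // insist on a plain "name.jpg" so it cannot be mistaken for one.
        if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.jpe?g$/i', (string) $file['name'])) {
            $errors[] = 'image name must be a plain name ending in .jpg';
        }
    }
    return $errors;
}

// Constructed sample submissions (not real requests) showing what is rejected.
$samples = [
    'good'      => [['news_title' => 'Office closed Friday', 'news_body' => 'See you Monday.'],
                    ['name' => 'party.jpg', 'error' => UPLOAD_ERR_OK, 'size' => 120000]],
    'traversal' => [['news_title' => 'x', 'news_body' => 'y'],
                    ['name' => '../../index.php', 'error' => UPLOAD_ERR_OK, 'size' => 10]],
    'no title'  => [['news_title' => '   ', 'news_body' => 'y'], null],
];
foreach ($samples as $label => [$post, $file]) {
    $errors = validateNewsForm($post, $file);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```

The first sample passes, the second fails only the filename check, and the third fails only the title check; in a real handler the caller would stop and show the errors when the list is non-empty, and only then go on to the resize and the (parameterised) insert.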