On Tuesday, August 28, 2012 12:41:19 AM you wrote:
> On Mon, Aug 27, 2012 at 8:03 PM, David McGlone <david@xxxxxxxxxxxxx> wrote:
> > I got it. All I needed to do was change $_POST[image] to $image in my
> > query
> > like so:
> > mysql_query ("INSERT INTO inventory(image, year, make, model, milage,
> > price)>
> > VALUES('$image', '$_POST[year]', '$_POST[make]',
> > '$_POST[model]', '$_POST[milage]', '$_POST[price]')");
> >
> > }
> >
> > I'm sortof stumped as to why though. I'm still pondering it and probably
> > will all night. I'll probably wake up at 3am and the light bulb will go
> > off in my head.. LOL
>
> I would check to see if you have somewhere set $image. I don't see it
> in your code, but I'm sometimes pretty blind.
I forgot to paste that code. But yes I had to assign the value of
$_FILES[image][name] to a variable $image = $_FILES[image][name]
Appearently PHP looks at $_FILES as an array, which if that's true, makes
sense to me.
>
> If you actually dump out $_POST from your form input, you will see
> there is no 'image' entry -- that is because it is type file in your
> form. When you dump $_FILES, of course, you see the image there.
The type in the form is necessary in order to be able to browse the computer
for files.
>
> Here's output from a trial I just made, with the following code:
>
> <?php
>
> echo '<h2>$_POST = </h2><pre>'.PHP_EOL;
> var_dump($_POST);
> echo '</pre>'.PHP_EOL;
>
> echo '<h2>$_FILES = </h2><pre>'.PHP_EOL;
> var_dump($_FILES);
> echo '</pre>'.PHP_EOL;
>
>
> ?>
> <form enctype="multipart/form-data" action="" method="POST">
> <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
> Image: <input name="image" type="file" /><br />
> Year: <input type="text" name="year" size="40"><br />
> <input type="submit" name="Submit" value="Insert"><br />
> </form>
>
> Outputs:
>
> $_POST =
>
> array(3) {
> ["MAX_FILE_SIZE"]=>
> string(6) "100000"
> ["year"]=>
> string(4) "2008"
> ["Submit"]=>
> string(6) "Insert"
> }
>
> $_FILES =
>
> array(1) {
> ["image"]=>
> array(5) {
> ["name"]=>
> string(5) "1.png"
> ["type"]=>
> string(9) "image/png"
> ["tmp_name"]=>
> string(26) "/private/var/tmp/phpeVMSM5"
> ["error"]=>
> int(0)
> ["size"]=>
> int(37543)
> }
> }
>
>
> You also don't need to use basename($_FILES['image']['name']) -- the
> only thing stored there is the basename already.
>
>
> Here, in your original pastebin, at line 36:
>
> mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
> VALUES('$_POST[image]', '$_POST[year]', '$_POST[make]',
> '$_POST[model]', '$_POST[milage]', '$_POST[price]')");
>
> should be:
>
> mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
> VALUES('{$_FILES['image']['name']}', '$_POST[year]', '$_POST[make]',
> '$_POST[model]', '$_POST[milage]', '$_POST[price]')");
This method was tried, and didn't work, it was inserting "Array[name]" into
the db. This method was also what made me realize that $_FILES['image']
['name'] is being interpreted as an array. So what I did was assigned the
value to a variable.
>
> (I'm hoping what you are showing us is purely for learning sake, and
> that you will also be learning to untaint your input.)
Yeah, it is. I plan on learning every aspect of this one step at a time, from
building the form, to making it functional, inserting in a db, checking user
input for unwanted stuff, valid images with getimagesize() and wherever else
this exercise takes me.
The end result, I want to have a form that uses anything and everything that
is needed to make it safe and functional.
>
> (Also, minor minor nit: it's spelled "mileage" :) )
Yup. I had mispelled it when I made the sql table and I was just too lazy to
fix it. Although I realize I should fix it because if I have to keep typing it
wrong, eventually it might become a habit. LOL
