Re: Wow, this is weird

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tuesday, August 28, 2012 12:41:19 AM you wrote:
> On Mon, Aug 27, 2012 at 8:03 PM, David McGlone <david@xxxxxxxxxxxxx> wrote:
> > I got it. All I needed to do was change $_POST[image] to $image in my
> > query
> > like so:
> > mysql_query ("INSERT INTO inventory(image, year, make, model, milage,
> > price)> 
> >  VALUES('$image', '$_POST[year]', '$_POST[make]',
> >  '$_POST[model]', '$_POST[milage]', '$_POST[price]')");
> >  
> >   }
> > 
> > I'm sortof stumped as to why though. I'm still pondering it and probably
> > will all night. I'll probably wake up at 3am and the light bulb will go
> > off in my head.. LOL
> 
> I would check to see if you have somewhere set $image. I don't see it
> in your code, but I'm sometimes pretty blind.

I forgot to paste that code. But yes I had to assign the value of 
$_FILES[image][name] to a variable $image = $_FILES[image][name]

Appearently PHP looks at $_FILES as an array, which if that's true, makes 
sense to me.
> 
> If you actually dump out $_POST from your form input, you will see
> there is no 'image' entry -- that is because it is type file in your
> form. When you dump $_FILES, of course, you see the image there.

The type in the form is necessary in order to be able to browse the computer 
for files.
 
> 
> Here's output from a trial I just made, with the following code:
> 
> <?php
> 
> echo '<h2>$_POST = </h2><pre>'.PHP_EOL;
> var_dump($_POST);
> echo '</pre>'.PHP_EOL;
> 
> echo '<h2>$_FILES = </h2><pre>'.PHP_EOL;
> var_dump($_FILES);
> echo '</pre>'.PHP_EOL;
> 
> 
> ?>
> <form enctype="multipart/form-data" action="" method="POST">
> <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
> Image: <input name="image" type="file" /><br />
> Year: <input type="text" name="year" size="40"><br />
> <input type="submit" name="Submit" value="Insert"><br />
> </form>
> 
> Outputs:
> 
> $_POST =
> 
> array(3) {
>   ["MAX_FILE_SIZE"]=>
>   string(6) "100000"
>   ["year"]=>
>   string(4) "2008"
>   ["Submit"]=>
>   string(6) "Insert"
> }
> 
> $_FILES =
> 
> array(1) {
>   ["image"]=>
>   array(5) {
>     ["name"]=>
>     string(5) "1.png"
>     ["type"]=>
>     string(9) "image/png"
>     ["tmp_name"]=>
>     string(26) "/private/var/tmp/phpeVMSM5"
>     ["error"]=>
>     int(0)
>     ["size"]=>
>     int(37543)
>   }
> }
> 
> 
> You also don't need to use basename($_FILES['image']['name']) -- the
> only thing stored there is the basename already.
> 
> 
> Here, in your original pastebin, at line 36:
> 
> mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
> VALUES('$_POST[image]', '$_POST[year]', '$_POST[make]',
> '$_POST[model]', '$_POST[milage]', '$_POST[price]')");
> 
> should be:
> 
> mysql_query ("INSERT INTO inventory(image, year, make, model, milage, price)
> VALUES('{$_FILES['image']['name']}', '$_POST[year]', '$_POST[make]',
> '$_POST[model]', '$_POST[milage]', '$_POST[price]')");

This method was tried, and didn't work, it was inserting "Array[name]" into 
the db. This method was also what made me realize that $_FILES['image']
['name'] is being interpreted as an array. So what I did was assigned the 
value to a variable.
> 
> (I'm hoping what you are showing us is purely for learning sake, and
> that you will also be learning to untaint your input.)

Yeah, it is. I plan on learning every aspect of this one step at a time, from 
building the form, to making it functional, inserting in a db, checking user 
input for unwanted stuff, valid images with getimagesize() and wherever else 
this exercise takes me.

The end result, I want to have a form that uses anything and everything that 
is needed to make it safe and functional.
> 
> (Also, minor minor nit: it's spelled "mileage" :) )

Yup. I had mispelled it when I made the sql table and I was just too lazy to 
fix it. Although I realize I should fix it because if I have to keep typing it 
wrong, eventually it might become a habit. LOL

[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux