PHP Query Fail - "q fail"
```php
<?php
if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0)
{
    $dbhost = 'localhost';
    $dbuser = 'zuk1_boo';
    $dbpass = 'lols';
    $dbname = 'zuk1_boo';
    $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
    $name = $_POST['name'];
    $iq = $_POST['iq'];
    $nuname = str_replace(" ", "-", $name);
    $nuname = $nuname.".gif";
    $path = "img/$nuname";
    move_uploaded_file($_FILES['userfile']['tmp_name'],$path);
    $query = "INSERT INTO celebs (celeb,path1,iqq) VALUES ('$name','$path','$iq')";
    mysql_query($query) or die('q fail');
    mysql_close($conn);
    echo "<br>File $fileName uploaded<br>";
}
?>
<form method="post" enctype="multipart/form-data">
<table width="350" border="0" cellpadding="1" cellspacing="1" class="box">
<tr>
<tr><td><input name="name" type="text" value="name"></td></tr>
<tr><td><input name="iq" type="text" value="iq"></td></tr>
<td width="246">
<input type="hidden" name="MAX_FILE_SIZE" value="2000000">
<input name="userfile" type="file" id="userfile">
</td>
<td width="80"><input name="upload" type="submit" class="box" id="upload" value=" Upload "></td>
</tr>
</table>
</form>
```
Bear in mind there is an ID row with auto increment, but even if I add that to the query it still won't work.
No matter what I do with this query, it just WILL not work. I've triple-checked the SQL details and they are fine, even though it appears to be connecting fine anyway. I've played with the field names in the query and they should be fine, but it just won't work!
Solution 1:[1]
```php
mysql_query($query) or die('q fail');
```
Replace this with
```php
mysql_query($query) or die(mysql_error());
```
And tell us what you get.
Solution 2:[2]
Well, now that you've solved the actual problem, I think it's good to point out that you have massive gaping SQL injection holes.
The ideal way to fix it would be to switch to the PDO or MySQLi functions and use parameterized queries, but the quickest fix would be to change these lines:
```php
$name = $_POST['name'];
$iq = $_POST['iq'];
```
to
```php
$name = mysql_real_escape_string($_POST['name']);
$iq = mysql_real_escape_string($_POST['iq']);
```
The code you have now would be extremely unsafe to make public.
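The parameterized-query fix that Solution 2 calls ideal, as an added example that is not part of the original answer or the asker's code. It assumes an in-memory SQLite database through PDO in place of the MySQL server so that it runs offline; `open_db`, `insert_celeb`, the sample inputs and the placeholder image path are constructed for illustration.

```php
<?php
// Added example: the celebs INSERT with PDO placeholders instead of string
// concatenation. For MySQL the DSN would start with 'mysql:' (assumption).
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of hiding them behind die('q fail').
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE celebs (id INTEGER PRIMARY KEY AUTOINCREMENT,
        celeb TEXT NOT NULL, path1 TEXT NOT NULL, iqq INTEGER NOT NULL)');
    return $pdo;
}

function insert_celeb(PDO $pdo, string $name, string $path, string $iq): int
{
    // iq is numeric data: reject anything that is not a plain integer.
    $iqInt = filter_var($iq, FILTER_VALIDATE_INT);
    if ($iqInt === false) {
        throw new InvalidArgumentException('iq must be an integer');
    }
    // The SQL text is fixed; values are bound separately and are never
    // parsed as SQL, whatever quotes they contain.
    $stmt = $pdo->prepare(
        'INSERT INTO celebs (celeb, path1, iqq) VALUES (:celeb, :path, :iq)');
    $stmt->bindValue(':celeb', $name, PDO::PARAM_STR);
    $stmt->bindValue(':path', $path, PDO::PARAM_STR);
    $stmt->bindValue(':iq', $iqInt, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST['name'] and $_POST['iq'].
$pdo = open_db();
$samples = [
    ["Conan O'Brien", '120'],       // apostrophe breaks the concatenated query
    ['Name with "; -- and \'', '95'], // SQL metacharacters, stored as plain text
    ['Someone', 'not-a-number'],    // rejected by the integer check
];
foreach ($samples as [$name, $iq]) {
    try {
        $id = insert_celeb($pdo, $name, 'img/placeholder.gif', $iq);
        echo "inserted id $id\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
foreach ($pdo->query('SELECT id, celeb, iqq FROM celebs') as $row) {
    echo $row['id'], ' | ', $row['celeb'], ' | ', $row['iqq'], "\n";
}
```

The `mysql_*` functions used in the question were removed in PHP 7.0, so on current PHP versions PDO or MySQLi is the only option rather than just the preferred one.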
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ólafur Waage |
| Solution 2 | Chad Birch |
