This code transfers the file to the specified folder and db table, but when I launch/open/run the page in the browser, it automatically sends something to the db table and the filename field is empty. I haven't even clicked/uploaded anything yet. I don't know if I explained it properly. The problem is that when I opened the page, I checked the db table rows and an empty row had been made. The id increments btw, and the filename field is empty (not uploading anything yet). What's wrong with the code?

```php
<?php
if(isset($_FILES['filename'])){
    $errors= array();
    $file_name = $_FILES['filename']['name'];
    $file_size =$_FILES['filename']['size'];
    $file_tmp =$_FILES['filename']['tmp_name'];
    $file_type=$_FILES['filename']['type'];
    $file_ext=strtolower(end(explode('.',$_FILES['filename']['name'])));

    $expensions= array("jpeg","jpg","png");
    if(in_array($file_ext,$expensions)=== false){
        $errors[]="extension not allowed, please choose a JPEG or PNG file.";
    }
    if($file_size > 2097152){
        $errors[]='File size must not exceed 2 MB';
    }
    if(empty($errors)==true){
        move_uploaded_file($file_tmp,"uploads/".$file_name);
        echo "Success";
    }else{
        print_r($errors);
    }
}
?>
```

```php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "admin";

$filename = false;
if(isset($_FILES['filename'])){
    $filename = $_FILES['filename']['name'];
}

// Create connection
mysql_connect($servername, $username, $password) or die ('MySQL Not found // Could Not Connect.');

mysql_select_db("admin") or die(mysql_error());

mysql_query("INSERT INTO upload_test (fileName)
VALUES ('$filename')");
?>
```

My form:

```html
<form name="form" method="POST" enctype="multipart/form-data" >
<input name="filename" type="file" id="filename" />
<input name="submit" type="submit" id="submit"/>
</form>
```
kim
  • Yes, your query will always run, regardless of whether there's an upload. 1) Why don't you put that in the first `if` block? 2) You are **majorly** vulnerable to SQL injection, fix that. 3) Do not use the `mysql_` functions for new code, they're _**deprecated**_ – Wrikken Nov 27 '14 at 15:56
  • **WARNING**: This is terrifyingly insecure because those parameters are not [properly escaped](http://bobby-tables.com/php). You should **NEVER** be putting `$_POST` data directly into the query: it creates a gigantic [SQL injection bug](http://bobby-tables.com/). `mysql_query` is an obsolete interface and should not be used, it's being removed from PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. – tadman Nov 27 '14 at 17:11
  • Thanks for your suggestions, guys. I'll try those. Still a noob though. – kim Nov 28 '14 at 14:44

1 Answer

That is because you are always executing the INSERT statement. You only want to insert a record once you have uploaded.

```php
if(isset($_FILES['filename'])){
    $errors = array();
    $file_name = $_FILES['filename']['name'];
    $file_size =$_FILES['filename']['size'];
    $file_tmp =$_FILES['filename']['tmp_name'];
    $file_type=$_FILES['filename']['type'];
    $file_ext=strtolower(end(explode('.',$_FILES['filename']['name'])));

    $expensions= array("jpeg","jpg","png");
    if(in_array($file_ext,$expensions)=== false){
        $errors[]="extension not allowed, please choose a JPEG or PNG file.";
    }
    if($file_size > 2097152){
        $errors[]='File size must not exceed 2 MB';
    }

    // if there are no errors...
    if (empty($errors)==true) {

        // upload the file...
        move_uploaded_file($file_tmp,"uploads/".$file_name);

        $servername = "localhost";
        $username = "root";
        $password = "";
        $dbname = "admin";

        // and create a new record in the database
        mysql_connect($servername, $username, $password) or die ('MySQL Not found // Could Not Connect.');
        mysql_select_db("admin") or die(mysql_error());

        // escape the client-supplied name before it goes into the SQL string
        $safe_name = mysql_real_escape_string($file_name);
        mysql_query("INSERT INTO upload_test (fileName) VALUES ('$safe_name')");

        echo "Success";
    }else{
        print_r($errors);
    }
}
```

On a side note, a shorter way to get the extension of a file is to use `pathinfo()`:

```php
$file_ext = pathinfo($_FILES['filename']['name'], PATHINFO_EXTENSION);
```
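
The comments on the question recommend dropping the `mysql_` functions and never placing request data directly in a query. As an added example (not code from the question or the answer), here is one way to write the same handler with a PDO prepared statement. It assumes PHP 7+ with the `pdo_mysql` and `fileinfo` extensions and an existing `uploads/` directory, reuses the connection details and table from the question, and `handle_upload` is a hypothetical helper name.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: PHP 7+, pdo_mysql, fileinfo, an existing uploads/ directory,
// and the upload_test(fileName) table and credentials shown in the question.

function handle_upload(array $file, PDO $pdo, string $dir): string
{
    // A submit with no file selected arrives with UPLOAD_ERR_NO_FILE, not UPLOAD_ERR_OK.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if ($file['size'] > 2097152) {
        throw new RuntimeException('File size must not exceed 2 MB');
    }

    // Decide the type from the file's bytes, not from the client-supplied name or MIME type.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG or PNG files are allowed');
    }

    // Server-generated name: the client controls neither the path nor the extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $stored)) {
        throw new RuntimeException('Could not move the uploaded file');
    }

    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO upload_test (fileName) VALUES (:name)');
    $stmt->execute([':name' => $stored]);
    return $stored;
}

// Run only for a POST that carries the file field, so a plain page load inserts nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['filename'])) {
    try {
        $pdo = new PDO('mysql:host=localhost;dbname=admin;charset=utf8mb4', 'root', '',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $name = handle_upload($_FILES['filename'], $pdo, __DIR__ . '/uploads');
        echo 'Success: stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (Exception $e) {
        // Keep details in the server log; show the client a generic message.
        error_log($e->getMessage());
        echo 'Upload rejected';
    }
}
```

The insert happens only after `move_uploaded_file()` succeeds, so the table never gains a row for a file that was not stored.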