使用PHP表单将图像上传到mysql

Question

I have this form to upload pictures to my mysql database:

<h4>Add Photo</h4>

<form enctype="multipart/form-data" method="post">
    <?php
    require_once 'config.php';
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

    if (isset($_POST['upload'])){
        $caption   = $_POST['caption'];
        $albumID   = $_POST['album'];
        $file      = $_FILES ['file']['name'];
        $file_type = $_FILES ['file']['type'];
        $file_size = $_FILES ['file']['size'];
        $file_tmp  = $_FILES ['file']['tmp_name'];
        $random_name = rand();

        if (empty($file)){
            echo "Please enter a file <br>";
        } else {
            move_uploaded_file($file_tmp, 'uploads/'.$random_name.'.jpg');
            mysqli_query(
                $mysqli,
                "INSERT INTO photos (caption, image_url, date_taken, imageID) "
                . "VALUES('"
                . addslashes($caption) . "', '"
                . $random_name . ".jpeg', NOW(), ?)"
            );
            echo "Photo successfully uploaded!<br>";
        }
    }
    ?>

    Caption: <br>
    <input type="text" name="caption">
    <br><br>

    Select Album: <br>
    <select name="album">
    <?php
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
    $result = $mysqli->query("SELECT * FROM albums");
    while ($row = $result->fetch_assoc()) {
        $albumID = $row['albumID'];
        $title   = $row['title'];
        echo "<option value='$albumID'>$title</option>";
    }
    ?>
    </select>
    <br><br>

    Select Photo: <br>
    <input type="file" name="file">
    <br><br>

    <input type="submit" name="upload" value="Upload">
</form>

I can successfully upload pictures to the 'uploads' folder on my sever, however nothing is added to the 'photos' table on my database. The schema for my photos folder is: caption, image_url, date_taken, imageID

is there something I am doing wrong with the structure? mysqli code? any help will be very much appreciated! Thank you in advance!

Answer 1

As Fred -ii- mentioned, the problem is that you're using a "?" as the value for the column imageID, but you're not using prepared statements. You're not checking for errors, but if you did you'd get something like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?)' at line xx

Also, you're using addslashes to get user data into the query, which is unsafe (you should use mysqli_real_escape_string instead ).

A good solution to both problems would be to use prepared statements. You'd do something like this instead:

    move_uploaded_file($file_tmp, 'uploads/'.$random_name.'.jpg');
    $ret = mysqli_prepare($mysqli, "INSERT INTO photos (caption, image_url, date_taken)
    VALUES(?, ?, NOW())");
    $filename = $random_name + ".jpeg";
    mysqli_stmt_bind_param($ret, "ss", $caption, $filename);
    mysqli_stmt_execute($ret);
    echo "Photo successfully uploaded!<br>";

Update : As the id is autogenerated, I removed the column from the query entirely.