It gives me an error whenever I try to store the video into the database. I have here a code that can store video into a folder and only save id_no and video_name from database. I want all 5 fields to be stored into my database. Can anyone help me with my code, please?
<?php session_start();?>
<?php
include("session/DBConnection.php");
include("session/session.php");
$error = "";
?>
<?php
$user = $_SESSION['log']['username'];
$query = mysql_query("SELECT * FROM members WHERE username = '$user'") or die (mysql_error());
$display = mysql_fetch_array($query);
if(isset($_POST['upload'])){
$mem_id = $display['member_id'];
$stat = "just uploaded a video.";
$date = date("m/d/Y");
$qry = "INSERT INTO updates SET member_id='$mem_id', status='$stat', date='$date'";
$result = mysql_query($qry);
if($result){
echo "<meta http-equiv=\"refresh\" content=\"0;URL=video.php\">";
}
}
?>
<?php
if(isset($_POST['video']) && $_FILES['userfile']['size'] > 0)
{
$tmpName = $_FILES['userfile']['tmp_name'];
$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);
if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
}
else{
move_uploaded_file($_FILES["userfile"]["tmp_name"],"video_uplaod/" . $_FILES["userfile"]["name"]);
$user = $_SESSION['log']['username'];
$today = strtotime(date("Y-m-d H:i:s"));
$location="video_upload/" . $_FILES["userfile"]["name"];
$video_name=$_POST['video_name'];
$sql = "INSERT INTO tbl_video SET username='$user', video='$location', video_name='$image_name', date_created='$today'";
echo "File $fileName uploaded";
}
header("video.php");
?>
Your INSERT statement is wrong,
INSERT INTO updates (member_id, status, date) VALUES('$mem_id','$stat','$date')
should be the right statement, as commented by Mike.
However, you have 3 big problems in your code:
1) You're using deprecated functions.
Seriously, stop using mysql_ functions, they're deprecated, they are no longer supported any more by PHP, and they may go away anytime, and when that happens your code will break, and you'll be in a hell of trouble. Use mysqli or PDO instead.
2) Your code is vulnerable to SQL Injection.
You're not sanitizing user input; addslashes is not good enough to prevent SQL injection into your query. If you use mysqli or PDO you'll be able to use prepared statements, so that your code will no longer be vulnerable to SQL Injection (it doesn't mean that you shouldn't sanitize user input anyway).
3) Your code may be vulnerable to a file upload attack.
You really trust your users, do you?
uploads/
video_uploads/
folder.
EDIT
INSERT INTO updates SET member_id = ".$mem_id
is correct syntax, here's proof for those who don't believe it:
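The prepared-statement and upload-handling points from the answer above, as an added example that is not part of the original question or answer. The table and column names are taken from the question; the function name `storeVideo`, the DSN and credentials, the allowed MIME types, the availability of the fileinfo extension and an existing `video_upload/` directory are assumptions.

```php
<?php
// Added example, not the original poster's code. Table and column names come
// from the question; DSN, credentials and the allowed types are assumptions.
session_start();

const UPLOAD_DIR = __DIR__ . '/video_upload/';   // directory name from the question
const ALLOWED = ['video/mp4' => 'mp4', 'video/webm' => 'webm', 'video/ogg' => 'ogv'];

function storeVideo(PDO $pdo, array $file, string $user, string $title): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Decide the type from the file content, not the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Unsupported file type');
    }
    // Server-generated name: the client's file name never reaches the file system.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $name)) {
        throw new RuntimeException('Could not store file');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO tbl_video (username, video, video_name, date_created)
         VALUES (:username, :video, :video_name, :date_created)'
    );
    $stmt->execute([
        ':username'     => $user,
        ':video'        => 'video_upload/' . $name,
        ':video_name'   => $title,
        ':date_created' => time(),   // Unix timestamp, as in the question
    ]);
    return $name;
}

if (isset($_POST['video'], $_FILES['userfile'], $_SESSION['log']['username'])) {
    // Placeholder DSN and credentials (assumptions).
    $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    storeVideo($pdo, $_FILES['userfile'], $_SESSION['log']['username'], $_POST['video_name'] ?? '');
    header('Location: video.php');
    exit;
}
```

The extension written to disk comes from the allow-list, so an uploaded file can only ever be stored as `.mp4`, `.webm` or `.ogv`. Disabling script execution for the upload directory in the web server configuration is a separate control that this block does not set up.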