I am trying to create a login system where users can upload a file to the existing database. First the user is required to log in, then upload the file. Here is my database:
Now I want to update cv (blob). So I have created the following page.
<!-- Form -->
<h1>Please Login to Upload CV</h1>
<form method="POST" enctype="multipart/form-data">
Username:
<input type="text" name="username"><br>
Password:
<input type="password" name="password"><br><br>
<input type="submit" value="Submit" name="submit" /> <br>
</form>
Above is the initial form. Then I used the following script:
<!-- Script -->
<?php
if (isset($_POST['submit'])) {
    // make connection
    $conn = mysqli_connect('localhost','root','','users');
    // if fails show error
    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
        echo "Error Connecting to DB";
    }
    $usrName = ($_POST['username']);
    $paswrd = ($_POST['password']);
    if($usrName!='' && $paswrd!=''){
        $sql ="SELECT username, password FROM credentials WHERE username = '$usrName'";
        $result = mysqli_query($conn, $sql);
        $row = mysqli_fetch_row($result);
        $dbUsname = $row[0];
        $dbPassword = $row[1];
        if ($usrName == $dbUsname && $paswrd == $dbPassword) {
            echo "Hello ".$usrName." upload your CV now <br>";
            echo
            "<form method='POST' enctype='multipart/form-data'>
            <input type = 'file' value= 'upload' name = 'file'>
            <input type='submit' value='Upload' name='upload' /> <br>
            </form>";
            if(isset($_POST['upload'])){
                $cv = mysqli_real_escape_string($conn, $_POST['file']);
                mysql_query("UPDATE credentials SET cv=$cv WHERE username=$usrName");
                if (!mysqli_query($conn,$UpdateQuery)) {
                    die('Error: ' . mysqli_error($conn));
                }
            }
        }
        else{
            echo "<h1>Incorrect Username and/or password!</h1>";
        }
    }else{
        echo "Please make sure username and password is not empty";
    }
}
?>
I have tested out the script for the most part. The problem occurs when I try to update the cv file, in the code below.
The script executes but I cannot see any file uploaded in my database. Can someone please point out where I am making the error?
Firstly, we're dealing with "files" and not a "text" input.
So this part, $_POST['file'], of your code needs to be changed to $_FILES['file']
However this part of your code
mysql_query("UPDATE credentials SET cv=$cv WHERE username=$usrName");
that's failing you for 2 reasons.
You're mixing APIs and you need to quote string values and would technically need to read as: (see the line of code just below my sidenote).
Sidenote: mysqli_query should not be included (just below) if you're to use the conditional statement that you're using, if (!mysqli_query($conn,$UpdateQuery)).
mysqli_query($conn, "UPDATE credentials SET cv='$cv' WHERE username='$usrName'");
You need to use the same one from connection to query.
Yet seeing this though,
if (!mysqli_query($conn,$UpdateQuery)) {
die('Error: ' . mysqli_error($conn));
}
You probably forgot to add the $UpdateQuery variable to your query, which should read as
$UpdateQuery = "UPDATE credentials SET cv='$cv' WHERE username='$usrName'";
Error reporting would have thrown you an undefined variable UpdateQuery notice.
Sidenote: Make sure that the file size is allowed. If it is too large, then you will need to increase its values.
Consult the following post on Stack:
Rewrite:
// $_FILES['file'] is an array; the uploaded bytes are read from its temporary file
$cv = mysqli_real_escape_string($conn, file_get_contents($_FILES['file']['tmp_name']));
$UpdateQuery = "UPDATE credentials SET cv='$cv' WHERE username='$usrName'";
// or using '".XXX."' syntax. In rare cases, that makes a difference.
// $UpdateQuery = "UPDATE credentials SET cv='".$cv."' WHERE username='".$usrName."'";
if (!mysqli_query($conn,$UpdateQuery)) {
die('Error: ' . mysqli_error($conn));
}
else{
echo "Success!";
}
You're also open to an SQL injection. It's best to use a prepared statement.
Reference on BLOB and TEXT Types:
Passwords
I also noticed that you may be storing passwords in plain text. This is not recommended.
Use one of the following: crypt(), bcrypt(), scrypt(), password_hash() function.
Other links:
When you post your upload form the update query will not run because it's hidden inside if(isset($_POST['submit'])). You need to move if(isset($_POST['upload'])) outside of submit for it to work.
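The points raised in the two answers above (read the upload from $_FILES, use prepared statements, verify a hashed password, handle the upload outside the login branch), combined in one script as an added example that is not code from the question or from either answer. It assumes credentials.password holds password_hash() output, that a PHP session carries the login from the first request to the upload request, and that MAX_CV_BYTES is a limit chosen here for illustration.

```php
<?php
// Added example. Assumptions: credentials.password stores password_hash() output,
// credentials.cv is a BLOB column, MAX_CV_BYTES is an illustrative limit.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$conn = new mysqli('localhost', 'root', '', 'users');      // connection values from the question
const MAX_CV_BYTES = 2 * 1024 * 1024; // keep below upload_max_filesize and max_allowed_packet

// Request 1: login form. The username is a bound parameter, never part of the SQL text.
if (isset($_POST['submit'])) {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $ok = false;
    if (is_string($user) && is_string($pass) && $user !== '' && $pass !== '') {
        $stmt = $conn->prepare('SELECT password FROM credentials WHERE username = ?');
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $stmt->bind_result($hash);
        $ok = $stmt->fetch() && is_string($hash) && password_verify($pass, $hash);
        $stmt->close();
    }
    if ($ok) {
        session_regenerate_id(true);   // new session id after authentication
        $_SESSION['user'] = $user;
    } else {
        echo '<h1>Incorrect Username and/or password!</h1>';
    }
}

// Request 2: upload form. Not nested under 'submit'; the session proves the login.
if (isset($_POST['upload'], $_SESSION['user'], $_FILES['file'])) {
    $f = $_FILES['file'];
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > MAX_CV_BYTES
        || !is_uploaded_file($f['tmp_name'])) {
        exit('Upload rejected');
    }
    $cv = file_get_contents($f['tmp_name']); // raw bytes; binding needs no escaping
    $stmt = $conn->prepare('UPDATE credentials SET cv = ? WHERE username = ?');
    $stmt->bind_param('ss', $cv, $_SESSION['user']);
    $stmt->execute();
    echo 'Success!';
}

if (isset($_SESSION['user'])) { // logged in: show the upload form, name escaped for HTML
    echo 'Hello ' . htmlspecialchars($_SESSION['user']) . ' upload your CV now <br>';
    echo "<form method='POST' enctype='multipart/form-data'>
        <input type='file' name='file'>
        <input type='submit' value='Upload' name='upload'>
        </form>";
}
```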