#1 nekor (New to the CF scene, joined Nov 2017, 7 posts)

    Update an image on PHP/MYSQL

    Hello all;

    I am trying to edit an image in my database, but I get an error message: Notice: Undefined index: id

    Code:
    $id = $_POST['id'];
    I am able to add an image, but I would like to know how to update an image.

    Code:
    <?php

    // Database connection

    include('config_bd.php');

    // Input checks

    if(isset($_POST['upload'])){
        // destination is a URL here, not a filesystem path
        move_uploaded_file($_FILES["image"]["tmp_name"],"https://www.codingforums.com/images/" .basename($_FILES['image']['name']));

        $nom = htmlspecialchars($_POST['nom']);
        $image = htmlspecialchars($_FILES['image']['name']);

        if(empty($nom) || empty($image)){

            if(empty($nom)) {
                echo "<font color='red'>The name field is empty.</font><br/>";
            }

            if(empty($image)) {
                echo "<font color='red'>The image field is empty.</font><br/>";
            }

        }else{
            // $id has not been assigned yet at this point
            $update = mysqli_query($mysqli, "UPDATE clubs SET nom='$nom',image='$image'WHERE id='$id'");

            echo "<font color='green'>The entry has been saved!";
            echo "<br/><a href='view.php'>View</a>";

        }

    }

    $id = $_GET['id'];

    $select = mysqli_query($mysqli, "SELECT * FROM clubs WHERE id='$id' ");

    while($res = mysqli_fetch_array($select)){

        echo "<div id='img_div'>";
        echo "<p>" .$res['nom']."</p>";
        echo "<img src='images/" .$res['image']."'>";
        echo "</div>";
    }

    ?>

    <!DOCTYPE html>
    <html lang="fr">

        <head>
            <meta charset="utf-8">
            <title>Page title</title>
            <link rel="stylesheet" href="style1.css">
            <script src="script.js"></script>
        </head>

        <body>
            <form method="post" action="edit.php" enctype="multipart/form-data">
                    <input type="text" name="nom" >

                    <input type="file" name="image"><br /><br />

                    <input type="submit" name="upload" value="Upload Image">
                    <!-- on a plain GET there is no $_POST['id'], hence the notice -->
                    <input type="hidden" name="id" value=<?php echo $_POST['id'];?>>

                </form>

        </body>

    </html>
    Thank you a lot for a potential answer.
    Last edited by nekor; Jan 22nd, 2018 at 02:50 PM.

#2 Vege (Regular Coder, joined Jan 2008, 988 posts)
    htmlspecialchars is only used when you output something. Never on input validation.
    You need to rewrite your mysqli to use prepared statements. It will remove errors and make the code more secure.
    It's usually bad practice to mix GET and POST data in the same request.
    You don't initialize $id before you use it in the SQL query.
    There needs to be an empty space before the keyword WHERE in said SQL query.
    You don't move_uploaded_file over http. Change it to an absolute file path.
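
The points above, applied to the upload half of an edit.php. This is an added example, not code from the thread: it assumes a mysqli connection `$mysqli` provided by config_bd.php, a table `clubs(id, nom, image)` as in the first post, and an `images/` directory next to the script that the web server user can write to. The function names `validate_image_upload` and `store_image_upload` are mine. The id is read from the POST body only, the file is written to an absolute filesystem path under a server-chosen random name, the content type is sniffed from the bytes rather than taken from the client, and the UPDATE is a prepared statement.

```php
<?php
// Added example (not from the thread): hardened upload + update handler.
// Assumptions: $mysqli from config_bd.php, table clubs(id, nom, image),
// writable directory images/ next to this script.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * Throws on anything suspicious; never trusts the client-supplied name or type.
 */
function validate_image_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real type from the bytes; $file['type'] is client controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException("unsupported content type: $mime");
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Move a validated upload into $dir under a random server-chosen name.
 * Returns the bare file name to store in the database.
 */
function store_image_upload(array $file, string $dir): string
{
    $ext    = validate_image_upload($file);
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;   // never basename($file['name'])
    $target = rtrim($dir, '/') . '/' . $name;           // absolute path, never a URL
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $name;
}

// Request handling: id comes from the POST body only (no GET/POST mixing).
if (PHP_SAPI !== 'cli' && isset($_POST['upload'])) {
    include 'config_bd.php';
    $id  = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $nom = trim((string) ($_POST['nom'] ?? ''));
    if ($id === false || $id === null || $nom === '' || !isset($_FILES['image'])) {
        http_response_code(400);
        exit('missing or invalid id, nom or image');
    }
    try {
        $image = store_image_upload($_FILES['image'], __DIR__ . '/images');
        $stmt  = $mysqli->prepare('UPDATE clubs SET nom = ?, image = ? WHERE id = ?');
        $stmt->bind_param('ssi', $nom, $image, $id);
        $stmt->execute();
        header('Location: view.php');
        exit;                                   // header() alone does not stop the script
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));  // escape on output
    }
}

// Offline check with constructed files: a PNG header is accepted, a PHP script is not,
// even though the client named it shell.php and claimed image/png.
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php system(\$_GET['c']); ?>");
    $fake = fn(string $p) => ['name' => 'shell.php', 'type' => 'image/png',
                              'tmp_name' => $p, 'error' => UPLOAD_ERR_OK, 'size' => filesize($p)];
    var_dump(validate_image_upload($fake($png)));          // string(3) "png"
    try {
        validate_image_upload($fake($php));
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";                        // unsupported content type: text/x-php
    }
    unlink($png);
    unlink($php);
}
```

The hidden `id` field in the form should be filled from the record loaded for editing, not from `$_POST['id']`, so that a plain GET of the page no longer triggers the notice.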


#3 nekor (New to the CF scene)
    Thanks for your answer.
    I changed my code; it's OK now.

    <?php

    include_once("config_bd.php");

    if(isset($_POST['update']))
    {

    // escaped, then interpolated into the query below without quotes
    $pk_club = mysqli_real_escape_string($mysqli, $_POST['pk_club']);
    $nom_club = mysqli_real_escape_string($mysqli, $_POST['nom_club']);
    $image = mysqli_real_escape_string($mysqli, $_FILES['image']['name']);
    // filesystem path this time instead of a URL
    move_uploaded_file($_FILES["image"]["tmp_name"],"images/" .basename($_FILES['image']['name']));

    if(empty($nom_club) || empty($image)) {

    if(empty($nom_club)) {
    echo "<font color='red'>The name is empty.</font><br/>";
    }

    if(empty($image)) {   // was empty($typeSport_club), a variable that does not exist here
    echo "<font color='red'>The image is empty.</font><br/>";
    }
    } else {

    $result = mysqli_query($mysqli, "UPDATE clubs SET nom_club='$nom_club',image='$image' WHERE pk_club=$pk_club");

    header("Location: vue_club.php");
    }
    }

    $pk_club = $_GET['pk_club'];

    $result = mysqli_query($mysqli, "SELECT * FROM clubs WHERE pk_club=$pk_club");

    while($res = mysqli_fetch_array($result))
    {
    $nom_club = $res['nom_club'];
    $image = $res['image'];
    }
    ?>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    </head>
    <body>

    <form name="form1" method="post" action="edit_club.php" enctype="multipart/form-data">
    <table border="0">
    <tr>
    <td>Name:</td>
    <td><input type="text" name="nom_club" value="<?php echo $nom_club;?>"></td>
    </tr>

    <tr>
    <td>Upload:</td>
    <!-- browsers ignore a value attribute on file inputs, so none is set -->
    <td><input type="file" name="image"></td>
    </tr>

    <tr>
    <td><input type="submit" name="update" class="bouton_bleu" value="Update"></td>
    <td><input type="hidden" name="pk_club" value="<?php echo $_GET['pk_club'];?>"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>

#4 Vege (Regular Coder)
    Using mysqli_real_escape_string without enclosing '' leaves you vulnerable to attacks that don't contain harmful characters. Passing
    Code:
    1 or 1=1
    with pk_club would be valid SQL.
    Always do something like WHERE pk_club='$pk_club' even if the value is an int.
    Or don't even try, and use prepared statements!

    header will not stop the code execution. Add exit; after the header location change.
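
The injection described above, run end to end as an added example (not code from the thread). It uses an in-memory SQLite database through PDO so it runs offline; the `clubs` table and its three rows are constructed here, and the function names `make_db`, `update_unquoted`, `update_bound` and `update_validated` are mine. `str_replace("'", "''", ...)` stands in for mysqli_real_escape_string, which leaves `1 or 1=1` equally untouched since it contains no quote or backslash.

```php
<?php
// Added example (not from the thread): escaped-but-unquoted integer vs bound parameter.
// Constructed data: table clubs(pk_club, nom_club, image) with three rows.

declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE clubs (pk_club INTEGER PRIMARY KEY, nom_club TEXT, image TEXT)');
    $db->exec("INSERT INTO clubs VALUES (1,'Alpha','a.png'), (2,'Beta','b.png'), (3,'Gamma','c.png')");
    return $db;
}

// The thread's pattern: escape the value, then interpolate it without quotes.
// Escaping only rewrites quotes and backslashes; "1 or 1=1" has neither and passes through,
// so the WHERE clause becomes "pk_club=1 or 1=1" and every row matches.
function update_unquoted(PDO $db, string $pk): int
{
    $escaped = str_replace("'", "''", $pk);   // stand-in for mysqli_real_escape_string
    return $db->exec("UPDATE clubs SET nom_club='pwned' WHERE pk_club=$escaped");
}

// Same statement with a bound parameter: the whole string is one value compared
// against pk_club, never parsed as SQL.
function update_bound(PDO $db, string $pk): int
{
    $stmt = $db->prepare('UPDATE clubs SET nom_club=? WHERE pk_club=?');
    $stmt->execute(['pwned', $pk]);
    return $stmt->rowCount();
}

// Better still: reject anything that is not an integer before it reaches the query,
// and bind the id with an integer type.
function update_validated(PDO $db, string $pk): int
{
    $id = filter_var($pk, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0;                              // in a handler: http_response_code(400); exit;
    }
    $stmt = $db->prepare('UPDATE clubs SET nom_club=? WHERE pk_club=?');
    $stmt->bindValue(1, 'pwned', PDO::PARAM_STR);
    $stmt->bindValue(2, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$payload = '1 or 1=1';
echo 'unquoted:  ', update_unquoted(make_db(), $payload),  " rows changed\n";  // 3: every club
echo 'bound:     ', update_bound(make_db(), $payload),     " rows changed\n";  // 0: no pk equals that text
echo 'validated: ', update_validated(make_db(), $payload), " rows changed\n";  // 0: rejected
echo 'validated: ', update_validated(make_db(), '2'),      " rows changed\n";  // 1: only club 2
```

Against MySQL the bound variant behaves slightly differently: the server coerces the text to its leading number (1, with a truncation warning), so club 1 alone would be updated. In both engines the injected `or 1=1` is inert; validating the id up front removes the coercion question entirely.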

#5 durangod (Senior Coder, East Texas USA, joined Nov 2010, 2,096 posts)
    Vege +1

    Nekor, the single quotes, even around an integer value, simply mean 'as is'; it is a way to let PHP know that 'value' is what you want regardless of the value's data type. Double quotes are different; there are times when you want to use double quotes. But I have always used single quotes around my integer values.

    Also, I might suggest that instead of typing mysqli_real_escape_string a zillion times, why not just make a quick function file and code a security function inside that include file? That way, if things change or if you need to add extra security, all you have to do is change one function instead of having to change a zillion code lines.

    Simple example (there is lots of other code you can add to this):

    PHP Code:
    include('security.php');
    then inside the security.php file

    Since mysqli requires the connection to be used with the function, you will need to:
    pass the connection value to the function (I am not 100% sure this works with mysqli)
    or
    include the file that has the connection process
    or
    use a connection var that is assigned globally
    or
    write a new connection snippet in the function itself
    PHP Code:

    <?php

    function cleandata($value)
    {
        // this has to be an open mysqli link, however you obtain it
        $connection = "whatever your connection is";

        // the escaped value is the result; the link is not closed here,
        // since the caller still needs it for the query that follows
        return mysqli_real_escape_string($connection, $value);
    }
    //close function cleandata
    and then inside your process file all you have to do is this for each one.

    PHP Code:
    $pk_club = cleandata($_POST['pk_club']);


    I also see that you have HTML mixed with your PHP. That's fine, but just remember that if you have a file that ONLY has PHP inside it, you do not need to use the closing PHP tag.
    Last edited by durangod; Jan 23rd, 2018 at 09:47 AM.

#6 Vege (Regular Coder)
    Or just drop all the cleaning functions and use PDO and prepared statements.
    PHP Code:
    <?php
    class MyPDO extends \PDO
    {
        public function __construct($host, $db, $charset, $username = NULL, $password = NULL, $options = array())
        {
            $default_options = array(
                \PDO::ATTR_DEFAULT_FETCH_MODE => \PDO::FETCH_ASSOC,
                \PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
                \PDO::ATTR_ERRMODE            => \PDO::ERRMODE_EXCEPTION,
            );
            $options = array_replace($default_options, $options);
            $dsn = "mysql:host=$host;dbname=$db;charset=$charset";
            parent::__construct($dsn, $username, $password, $options);
        }

        // run a statement; with $args it is prepared and the args are bound
        public function run($sql, $args = NULL)
        {
            if (!$args) {
                return $this->query($sql);
            }
            $stmt = $this->prepare($sql);
            $stmt->execute($args);
            return $stmt;
        }
    }

    $dbf = new MyPDO('localhost', 'dbname', 'utf8', 'username', 'password');
    //now every sql call uses prepared statements with easy syntax:
    $res = $dbf->run("SELECT abc from def where def.id=?", [$id]);
    while ($r = $res->fetch()) {
        // the post is cut off here; each $r is one row as an associative array
    }



#7 pardeep (New to the CF scene, joined Feb 2018, 4 posts)
    <?php
    // the session must be started before $_SESSION['id'] can be read
    session_start();
    include("../includes/config.php");

    if (!isset($_SESSION['id'])) {
        http_response_code(403);
        exit('not logged in');
    }
    $uid = (int) $_SESSION['id'];

    $Fname = $_POST["Fname"] ?? '';
    $Lname = $_POST["Lname"] ?? '';
    $image = $_POST["profileimg"] ?? '';
    $briefintro = $_POST["briefintro"] ?? '';
    $qualification = $_POST["qualification"] ?? '';

    // mysql_* was removed in PHP 7; mysqli with a prepared statement replaces the string-built query
    $con = mysqli_connect($dbserver, $dbusername, $dbpassword, $dbname);
    if (!$con) { die('Could not connect: ' . mysqli_connect_error()); }

    $stmt = mysqli_prepare($con, "UPDATE accounts SET firstname=?, lastname=?, profileimg=?, briefintro=?, qualification=? WHERE id=?");
    mysqli_stmt_bind_param($stmt, 'sssssi', $Fname, $Lname, $image, $briefintro, $qualification, $uid);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($con);

    header("Location: update-profile.php?status=3");
    exit;   // stop the script after the redirect
    ?>

#8 Vege (Regular Coder)
    Quote Originally Posted by pardeep: (the update-profile code in #7)
    Wrong topic?


 
