Reputation: 199
I am currently working on an image upload script however I am running into a slight issue when trying to store details of the image into the database. The upload form grabs the image, checks its details and gets the extension of the image. This works fine however it won't store the image path into the database.
This is the part of the code in question:
$file_path = 'images/profile/' . substr(md5(time()), 0, 10) . '.' . $file_extn;
echo $file_path;
try {
    $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $sql = "UPDATE user SET img=$file_path WHERE userID = $username";
    $stmt = $con->prepare( $sql );
    $stmt->bindValue( "file_path", $this->file_path, PDO::PARAM_STR );
    $stmt->execute();
    if ( $stmt->rowCount() > 0 ) {
        echo ('Complete');
    }
    else {
        echo ('Error');
    }
} catch( PDOException $e ) {
    return $e->getMessage();
}
}
Now the reason I have "echo $file_path;" there was to make sure the values were passing correctly, which they are.
It currently echoes this out if an image is uploaded: images/profile/f1b4edb293.jpg
So everything is working fine, it just fails at the point of actually storing.
Now to further test I even removed the string and path details from the file_path variable and just added a dummy value in there, e.g.:
$test = "test";
$file_path = $test;
And sure enough, it worked and inserted test into the database.
So that leads me to believe there is an issue with the format of this:
$file_path = 'images/profile/' . substr(md5(time()), 0, 10) . '.' . $file_extn;
Any ideas on what part of that is stopping it from saving to the database?
Upvotes: 1
Views: 70
Reputation: 147
Do you not need to have the file path like '$newfile', i.e.
$sql = "UPDATE user SET img='$file_path' WHERE userID = '$username'";
It's worth a try?
Upvotes: 0
Reputation: 30488
Use this code:
$sql = "UPDATE user SET img=:file_path WHERE userID = :username";
$stmt = $con->prepare( $sql );
$stmt->bindValue( ":file_path", $file_path, PDO::PARAM_STR );
$stmt->bindValue( ":username", $username, PDO::PARAM_STR );
$stmt->execute();
Upvotes: 1
Reputation: 146660
You are injecting PHP strings into your SQL code, thus generating unquoted SQL strings (and opening your script to SQL injection):
$file_path = 'images/profile/' . substr(md5(time()), 0, 10) . '.' . $file_extn;
$sql = "UPDATE user SET img=$file_path WHERE userID = $username";
If you var_dump($sql), you'll see that you are generating invalid SQL. (I wonder why no exception is being thrown.)
However, we see this later:
$stmt->bindValue( "file_path", $this->file_path, PDO::PARAM_STR );
So I guess you are aware of prepared statements but you're confusing the place-holder syntax (either :file_path or ?) with PHP's string interpolation ($file_path). Again, you should be getting an exception because you're binding a non-existent parameter :-?
Additionally, you have both $file_path and $this->file_path. One of them is probably a typo.
You need to replace this:
$sql = "UPDATE user SET img=$file_path WHERE userID = $username";
$stmt = $con->prepare( $sql );
$stmt->bindValue( "file_path", $this->file_path, PDO::PARAM_STR );
... with this:
$sql = "UPDATE user SET img=:file_path WHERE userID = :username";
$stmt = $con->prepare( $sql );
$stmt->bindValue("file_path", $file_path, PDO::PARAM_STR );
$stmt->bindValue("username", $username, PDO::PARAM_STR );
Upvotes: 1
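To make the point of the last two answers concrete, here is an added, self-contained PHP example (not code from the question or from any of the answers). It runs the question's interpolated UPDATE and the named-placeholder version side by side against an in-memory SQLite database, so it works offline with no MySQL server; the table and column names follow the question, while the two sample rows, the usernames and the SQLite DSN are constructed for this demonstration.

```php
<?php
// Added example, not part of the original question or answers.
// Contrasts string interpolation (the bug in the question) with bound
// parameters, using an in-memory SQLite database so it runs offline.

// Constructed schema and sample rows; table/column names mirror the question.
function makeDb(): PDO {
    $con = new PDO('sqlite::memory:');
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $con->exec('CREATE TABLE user (userID TEXT PRIMARY KEY, img TEXT)');
    $con->exec("INSERT INTO user (userID, img) VALUES ('alice', NULL), ('o''brien', NULL)");
    return $con;
}

// The question's approach: PHP interpolation pastes the values into the SQL
// text unquoted, so the path is read as identifiers/operators, not a string.
function updateInterpolated(PDO $con, string $username, string $filePath): int {
    $sql = "UPDATE user SET img=$filePath WHERE userID = $username";
    // var_dump($sql) shows e.g.:
    // UPDATE user SET img=images/profile/f1b4edb293.jpg WHERE userID = alice
    $stmt = $con->prepare($sql);   // throws PDOException: invalid SQL
    $stmt->execute();
    return $stmt->rowCount();
}

// Named placeholders: the values are sent separately from the SQL text, so
// quoting is handled by the driver and the input can never alter the query.
function updateBound(PDO $con, string $username, string $filePath): int {
    $sql = 'UPDATE user SET img=:file_path WHERE userID = :username';
    $stmt = $con->prepare($sql);
    $stmt->bindValue(':file_path', $filePath, PDO::PARAM_STR);
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();   // 1 when the user exists, 0 otherwise
}

$con = makeDb();
// Same path construction as the question, with a fixed extension for the demo.
$filePath = 'images/profile/' . substr(md5((string) time()), 0, 10) . '.jpg';

try {
    updateInterpolated($con, 'alice', $filePath);
} catch (PDOException $e) {
    echo 'Interpolated: ' . $e->getMessage() . PHP_EOL;
}

echo 'Bound (alice): ' . updateBound($con, 'alice', $filePath) . ' row(s)' . PHP_EOL;

// A username containing a quote is plain data to the bound version; the
// interpolated version would have produced yet another syntax error.
echo "Bound (o'brien): " . updateBound($con, "o'brien", $filePath) . ' row(s)' . PHP_EOL;

foreach ($con->query('SELECT userID, img FROM user') as $row) {
    echo $row['userID'] . ' => ' . $row['img'] . PHP_EOL;
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The first call fails at prepare() with the same class of error the question is hitting; the bound calls each report one affected row and the final SELECT shows the stored paths. On MySQL with emulated prepares the failure of the interpolated version surfaces at execute() rather than prepare(), but the outcome is the same: only the placeholder version stores the path, and it does so safely for any input.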