
mysql and php with form

Hello PHP,

I am having a problem. I know the area of the problem, but not how to
solve it.
It has to do with a php page with a form on it, and I am trying to
perform an insert query into
my mysql database.

I know that when I "submit" (post) the form, everything goes blank,
and the insert query is not run.
Basically here is my story. Initially I had a page with all in-line
code, that uses includes for connection to the db, and an error
processing page. I also have another include page that has some
functions in it, one of which is for resizing images. That function,
cleverly named resizeImage, returns a down-sized height and width,
which get loaded into the database table, along with info on the image
itself (name, location, etc.).

This page has PHP code which reads a directory, finds jpeg images,
does a resizeImage for each image (in a for loop), and then performs
the insert query for each image. I would run the whole thing just by
loading the page (no form tags on this page). Everything works fine,
I call the resizeImage function from the fileloader.php page, the
function is in a page called size_image.php (I use a require for
this).

I decided that I would like to add some flexibility to this page and
create a form where I could enter a parameter (an integer), and click
a button, which would then run this same insert query, and the
resizeImage function, and then tell me if I inserted the records.

I am using an if(isset($_REQUEST['update'])) type construct to respond
to the button click (named 'update'),
and use the POST action and $_SERVER[PHP_SELF] as the form.

When I click the button, most of the page runs, and then all goes
blank in the browser, and the records are not inserted into the
database. I am guessing that something in the post blitzes my
variables, etc, so the query never runs, etc.

Below is some of the code in the page - I have an input box for the
parameter, and a button to run the function. I would appreciate any
suggestions.

Thanks,

eholz1

Code below:
<?php

@require_once '/usr/local/php/include/size_image.php';

include '/usr/local/php/include/db.inc';
include '/usr/local/php/include/error.inc';
global $dbconnect, $query;

$p = $_REQUEST["p"];

if(isset($_POST['update']))
{
    performLoad($p);
    //echo "value for post is: $p";
} else {
    echo 'Post not set';
}

$serverName = $_SERVER["SERVER_NAME"];

if ($serverName != 'beaulinux')
{
    //connection files for mysql
    @include 'c:/php/includes/db.inc';
    @include 'c:/php/includes/error.inc';
    @require_once 'c:/php/includes/size_image.php';
}else{
    @include '/usr/local/php/include/db.inc';
    @include '/usr/local/php/include/error.inc';
}

$dbconnect = db_connect('portfolios') or trigger_error("Error Connecting to Database: " . mysql_error(), E_USER_ERROR);

function performLoad($p)
{
    $filecount = 0;
    $filelist[0] = '';
    $idx = 0;
    $query = 0;

    $path = 'testimage';

    $dir_handle = @opendir($path) or die("Unable to open directory $path");
    /*** Load an array with the list of files in the dir ***/
    while ($file = readdir($dir_handle))
    {
        //$filetyp =getFileType($file); no good for all images???OR $filetyp == 'gif'
        $filetyp = strtolower(substr($file, -3));
        if ($filetyp == 'jpg' )
        {
            $filecount++;
            //***$handle = fopen($path . "/" . $file,'r');
            $filelist[$idx] = $path . "/" . $file; //add file to array
            //echo $filelist[$idx];
            $idx++;
            //***$file_content = fread($handle,filesize($path . "/" . $file));
            //***fclose($handle);
        }
    }
    closedir($dir_handle);

    // now read the array, and load the files into the database....

    for ($i=0; $i < $filecount; ++$i)
    {
        list($width, $height, $type, $attr) = getimagesize($filelist[$i]);
        if ($type == 2) $filetype = 'image/jpeg';
        $n_width = resizeImage($width,$height);
        $name = explode('/',$filelist[$i]);
        $filesize = filesize($filelist[$i]);
        //echo $name[1] . ' '. $n_width[0] . ' height: ' . $n_width[1].'<br>';
        $insertSQL = "INSERT INTO images3
            (name,folder,type,filesize,orig_width,orig_height, resize_width,resize_height,p)
            VALUES(\"" .
            $name[1]."\", \"" .$path. "\", \"" .$filetype . "\", \"" .
            $filesize . "\", \"" .
            $width. "\", \"" .$height. "\", \"" .$n_width[0]. "\", \"" .
            $n_width[1]. "\", \"" . "$p" . "\")";

        /*** remember to comment or un-coment this line!! ***/
        //$query = @mysql_query($insertSQL) or trigger_error("Error performing query: " . mysql_error(),E_USER_ERROR);
        //table is loaded with the files using a resized width by bad height
    }

} //end func place holder
?>

Mar 8 '07 #1
5 Replies


Rik
> /*** remember to comment or un-coment this line!! ***/

If uncommenting your insert query doesn't work, and the page goes blank,
please remove all @'s. Errors are useful when something doesn't work.

Furthermore you only echo something on errors, so having a blank page is
just what this code does after a successful run.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Mar 8 '07 #2

On 8 Mar, 17:31, "eholz1" <ewh...@gmail.com> wrote:
> Hello PHP,
>
> I am having a problem. I know the area of the problem, but not how to
> solve it.
> It has to do with a php page with a form on it, and I am trying to
> perform an insert query into
> my mysql database.
>
> I know that when I "submit" (post) the form, everything goes blank,
> and the insert query is not run.
> Basically here is my story. Initially I had a page with all in-line
> code, that uses includes for connection to the db, and a error
> processing page. I also have another include page that has some
> functions in it, one of which is for resizing images. That function,
> cleverly named resizeImage returns a down-sized height and width,
> which get loaded into the database table, along with info on the image
> itself (name, location,etc).
>
> this page has php code which reads a directory, finds jpeg images,
> does a resizeImage for each image (in a for loop), and then performs
> the insert query for each image. I would run the whole thing just by
> loading the page (no form tags on this page). Everything works fine,
> I call the resizeImage function from the fileloader.php page, the
> function is in a page called size_image.php (I use a require for
> this).
>
> I decided that I would like to add some flexibility to this page and
> create a form where I could enter a parameter (an integer), and click
> a button, which would then run this same insert query, and the
> resizeImage function, and then tell me if I inserted the records.
>
> I am using a if(isset($_REQUEST['update'])) type construct to respond
> to the button click (named 'update').
> and use the POST action and $_SERVER[PHP_SELF] as the form.
>
> When I click the button, most of the page runs, and then all goes
> blank in the browser, and the records are not inserted into the
> database. I am guessing that something in the post blitzes my
> variables, etc, so the query never runs, etc.
>
> Below is some of the code in the page - I have an input box for the
> parameter, and a button to run the function. I would appreciate any
> suggestions.
>
> Thanks,

also try not to get hacked:
make life easy on yourself, escape all values that go into the
database, to avoid SQL injection.

EVERY VALUE SHOULD HAVE CORRECT TYPE
$name[1] -string
$filesize -int?
$height -int?
$p -string

EVERY STRING (or even int) NEEDS TO BE ESCAPED USING
mysql_real_escape() or better mysql_real_escape_string()

$insertSQL = sprintf(
    "INSERT INTO `images3` " .
    "(`name`, `folder`, `type`, `filesize`, `orig_width`, " .
    "`orig_height`, `resize_width`, `resize_height`, `p`)" .
    "VALUES( '%s', '%s', '%s', '%d', '%d', '%d' , '%d', '%d', '%s')",
    mysql_real_escape_string($name[1]),
    mysql_real_escape_string($path),
    mysql_real_escape_string($filetype),
    mysql_real_escape_string($filesize),
    mysql_real_escape_string($width),
    mysql_real_escape_string($height),
    mysql_real_escape_string($n_width[0]),
    mysql_real_escape_string($n_width[1]),
    mysql_real_escape_string($p)
);

this gets boring, so why not have your vars in an array and use
array_walk to escape the values

Also you should enforce bounds checking on all your vars, before entry
into the database, is your database only allowing 32 chars for a
$name[1], then use
$name[1] = substr($name[1],0,32);
etc...
stay neat and tidy and you will be able to see clearly.

Mar 9 '07 #3

Rik
shimmyshack <ma********@gmail.com> wrote:
> also try not to get hacked:
> make life easy on yourself, escape all values that go into the
> database, to avoid SQL injection.
>
> EVERY VALUE SHOULD HAVE CORRECT TYPE
> $name[1] -string
> $filesize -int?
> $height -int?
> $p -string
>
> EVERY STRING (or even int) NEEDS TO BE ESCAPED USING
> mysql_real_escape() or better mysql_real_escape_string(
> $insertSQL = sprintf(
> "INSERT INTO `images3` " .
> "(`name`, `folder`, `type`, `filesize`, `orig_width`, " .
> "`orig_height`, `resize_width`, `resize_height`, `p`)" .
> "VALUES( '%s', '%s', '%s', '%d', '%d', '%d' , '%d', '%d', '%s')",
> mysql_real_escape_string($name[1]),
> mysql_real_escape_string($path),
> mysql_real_escape_string($filetype),
> mysql_real_escape_string($filesize),
> mysql_real_escape_string($width),
> mysql_real_escape_string($height),
> mysql_real_escape_string($n_width[0]),
> mysql_real_escape_string($n_width[1]),
> mysql_real_escape_string($p)
> );
>
> this gets boring, so why not have your vars in an array and use
> array_walk to escape the values

Indeed, something I like to do when the variables are set up, really keeps
it manageable.

Also an option with MDB2 prepared statement.

require_once 'MDB2.php';
$db = MDB2::connect('mysqli://user:pass@host/database');
$db->loadModule('Extended', null, false);
$inserts = array();
// Named placeholders; the type list follows their order (:field, :foo, :bar)
$stmt = $db->prepare(
    'INSERT INTO `table` (`field`,`foo`,`bar`) VALUES (:field,:foo,:bar)',
    array('text','text','integer'),
    MDB2_PREPARE_MANIP);
foreach($something as $item){
    //some code that sets $field, $foo and $bar
    $inserts[] = compact('field','foo','bar');
}
$db->extended->executeMultiple($stmt,$inserts);

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Mar 9 '07 #4

In article <11*********************@t69g2000cwt.googlegroups.com>,
ma********@gmail.com says...
> $name[1] = substr($name[1],0,32);
> etc...

Wouldn't that truncate data without warning?
Surely not a good idea?
Mar 12 '07 #5
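
The advice in the replies above (bound parameters instead of string concatenation, type and bounds checks, and the objection to silent truncation) combined into one added example; it is not code from any poster in this thread. It assumes PDO with an in-memory SQLite table standing in for the MySQL `images3` table, a 32-character name limit, and constructed sample rows.

```php
<?php
declare(strict_types=1);

const NAME_MAX = 32; // assumed column width, from the thread's substr() example

// Return a list of problems instead of silently truncating or coercing.
function validateRow(array $row): array
{
    $errors = [];
    if (strlen($row['name']) > NAME_MAX) {
        $errors[] = 'name exceeds ' . NAME_MAX . ' bytes';
    }
    foreach (['filesize', 'orig_width', 'orig_height', 'p'] as $key) {
        if (filter_var($row[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
            $errors[] = "$key is not a non-negative integer";
        }
    }
    return $errors;
}

// Prepare once, execute per row; values travel as bound parameters, never as SQL text.
function insertImages(PDO $pdo, array $rows): array
{
    $stmt = $pdo->prepare(
        'INSERT INTO images3 (name, folder, filesize, orig_width, orig_height, p)
         VALUES (:name, :folder, :filesize, :orig_width, :orig_height, :p)'
    );
    $rejected = [];
    foreach ($rows as $row) {
        if ($errors = validateRow($row)) {
            $rejected[$row['name']] = $errors; // report the row, do not insert it
            continue;
        }
        $stmt->execute($row);
    }
    return $rejected;
}

// Assumption: in-memory SQLite stands in for the MySQL table so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE images3 (name TEXT, folder TEXT, filesize INTEGER, orig_width INTEGER, orig_height INTEGER, p INTEGER)');
$base = ['folder' => 'testimage', 'filesize' => 2048, 'orig_width' => 800, 'orig_height' => 600, 'p' => '3'];
$rows = [                                               // constructed sample input
    ['name' => 'sunset.jpg'] + $base,
    ['name' => 'say "cheese".jpg'] + $base,             // quotes are stored as data
    ['name' => str_repeat('a', 40) . '.jpg'] + $base,   // too long: rejected, not cut
    ['name' => 'beach.jpg', 'p' => '3 OR 1=1'] + $base, // p must be an integer
];
print_r(insertImages($pdo, $rows));
echo $pdo->query('SELECT COUNT(*) FROM images3')->fetchColumn(), " rows inserted\n";
```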

On Mar 9, 8:39 am, "shimmyshack" <matt.fa...@gmail.com> wrote:
> On 8 Mar, 17:31, "eholz1" <ewh...@gmail.com> wrote:
> > Hello PHP,
> > I am having a problem. I know the area of the problem, but not how to
> > solve it.
> > It has to do with a php page with a form on it, and I am trying to
> > perform an insert query into
> > my mysql database.
> > I know that when I "submit" (post) the form, everything goes blank,
> > and the insert query is not run.
> > Basically here is my story. Initially I had a page with all in-line
> > code, that uses includes for connection to the db, and a error
> > processing page. I also have another include page that has some
> > functions in it, one of which is for resizing images. That function,
> > cleverly named resizeImage returns a down-sized height and width,
> > which get loaded into the database table, along with info on the image
> > itself (name, location,etc).
> > this page has php code which reads a directory, finds jpeg images,
> > does a resizeImage for each image (in a for loop), and then performs
> > the insert query for each image. I would run the whole thing just by
> > loading the page (no form tags on this page). Everything works fine,
> > I call the resizeImage function from the fileloader.php page, the
> > function is in a page called size_image.php (I use a require for
> > this).
> > I decided that I would like to add some flexibility to this page and
> > create a form where I could enter a parameter (an integer), and click
> > a button, which would then run this same insert query, and the
> > resizeImage function, and then tell me if I inserted the records.
> > I am using a if(isset($_REQUEST['update'])) type construct to respond
> > to the button click (named 'update').
> > and use the POST action and $_SERVER[PHP_SELF] as the form.
> > When I click the button, most of the page runs, and then all goes
> > blank in the browser, and the records are not inserted into the
> > database. I am guessing that something in the post blitzes my
> > variables, etc, so the query never runs, etc.
> > Below is some of the code in the page - I have an input box for the
> > parameter, and a button to run the function. I would appreciate any
> > suggestions.
> > Thanks,
>
> also try not to get hacked:
> make life easy on yourself, escape all values that go into the
> database, to avoid SQL injection.
>
> EVERY VALUE SHOULD HAVE CORRECT TYPE
> $name[1] -string
> $filesize -int?
> $height -int?
> $p -string
>
> EVERY STRING (or even int) NEEDS TO BE ESCAPED USING
> mysql_real_escape() or better mysql_real_escape_string(
>
> $insertSQL = sprintf(
> "INSERT INTO `images3` " .
> "(`name`, `folder`, `type`, `filesize`, `orig_width`, " .
> "`orig_height`, `resize_width`, `resize_height`, `p`)" .
> "VALUES( '%s', '%s', '%s', '%d', '%d', '%d' , '%d', '%d', '%s')",
> mysql_real_escape_string($name[1]),
> mysql_real_escape_string($path),
> mysql_real_escape_string($filetype),
> mysql_real_escape_string($filesize),
> mysql_real_escape_string($width),
> mysql_real_escape_string($height),
> mysql_real_escape_string($n_width[0]),
> mysql_real_escape_string($n_width[1]),
> mysql_real_escape_string($p)
> );
>
> this gets boring, so why not have your vars in an array and use
> array_walk to escape the values
>
> Also you should enforce bounds checking on all your vars, before entry
> into the database, is your database only allowing 32 chars for a
> $name[1], then use
> $name[1] = substr($name[1],0,32);
> etc...
>
> stay neat and tidy and you will be able to see clearly.

Thanks for the tip - as always, there is much more for me to learn and
use!

eholz1

Mar 12 '07 #6

This discussion thread is closed
