Total newbie here, please bear with me.
Building a very small personal app that uploads some images and info. I can't figure out why the following PHP/MySQL doesn't add the last insert in the query ($file_data) to my DB's longblob field.
All the other fields in the query insert fine, meaning I tested them one at a time, adding to the query, until I got to the last and then the insert fails. I am able to echo $file_data before the insert and see that the data is there, I've also found that hardcoding a string value for $file_data (i.e $file_data="this will insert") inserts fine... which is frustrating.
So my guesses are there's an error in the reading of the file ($fp fread etc) or that my longblob is setup wrong. File sizes are <16kb, so I'm sure it's not a php.ini issue either.
Any ideas? Thanks.
$boxtype=$_POST['type'];
$title=$_POST['title'];
if(isset($_POST['submit']) && $_FILES['imgfile']['size'] > 0)
{
$filename = $_FILES['imgfile']['name'];
$tmpName = $_FILES['imgfile']['tmp_name'];
$file_size = $_FILES['imgfile']['size'];
$mime_type = $_FILES['imgfile']['type'];
$fp = fopen($tmpName, 'r');
$file_data = fread($fp, filesize($tmpName));
fclose($fp);
$query = "INSERT INTO table
(boxtype,title,filename,mime_type,file_size,file_data)
VALUES
('$boxtype','$title','$filename','$mime_type','$file_size','$file_data')
";
$db = db_connect();
$result = $db->query($query) or die('Error, query failed');
if ($result)
{
echo "<br>Success<br>";
}
}
else die("No Content");
MySQL Table:
CREATE TABLE `port` (
`id` int(2) unsigned zerofill NOT NULL AUTO_INCREMENT,
`boxtype` tinytext COLLATE latin1_general_ci NOT NULL,
`title` varchar(40) CHARACTER SET latin1 NOT NULL,
`filename` varchar(255) COLLATE latin1_general_ci NOT NULL,
`mime_type` varchar(255) COLLATE latin1_general_ci NOT NULL,
`file_size` int(11) NOT NULL,
`file_data` longblob NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
Because its a binary, it probably contains values which means its probably throwing a wobble
Try using addslashes on the file_data variable, so it can save it.
The examples I came across while using Google showed that the data was escape either using addslashes or mysql_real_escape_string. Therefor my guess is that this is a crucial part since the $file_data string may contain various characters.
You'll have to use the mysqli_ functions to create a prepared statement. Here is an example
$sql = 'INSERT INTO Table(boxtype,title,filename,mime_type,file_size,file_data)
VALUES (?,?,?,?,?,?)';
$stmt = mysqli_prepare($link, $sql);
mysqli_stmt_bind_param($stmt, "ssssib", $boxtype,$title,$filename,$mime_type,$file_size,$file_data);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
This will also prevent against SQL Injection attacks which it appears your code may be vulnerable to. Alternatively, you can use the PDO libraries to create prepared statements.
With PDO, you can do the following.
$sql = 'INSERT INTO Table(boxtype,title,filename,mime_type,file_size,file_data)
VALUES (:boxtype,:title,:filename,:mime_type,:file_size,:file_data)';
$statement = $con->prepare($sql);
$statement->bindParam(':boxtype',$boxtype,PARAM_STR);
$statement->bindParam(':title',$title,PARAM_STR);
$statement->bindParam(':filename',$filename,PARAM_STR);
$statement->bindParam(':mime_type',$mime_type,PARAM_STR);
$statement->bindParam(':file_size',$file_size,PARAM_INT);
$statement->bindParam(':file_data',$file_data,PARAM_LOB);
$statement->execute();
If on windows use fopen($tmpName, 'rb'); and use mysql_escape_string($file_data) .