
I want to GET an ID from the url e.g.: www.example.com/upload.php?sc=1

and input the ID into my database. I have attached my code, however the ID does not get inserted in the database. Kindly help me in order to get the ID also stored in the database.

Thanks

<?php require_once '../database.php'; ?>
<?php $eventid = $_GET['event']; ?>
<?php $sc = $_GET['sc']; ?>
</head>

<body>
<?php 
    $result = mysql_query("SELECT * FROM category");
    while($row = mysql_fetch_array($result)){
        echo "<a href=?event=" . $row['id'] .">" . $row['category'] . "</a>&nbsp;";
    }
?><br>
<?php 
    $result = $db->query("SELECT * FROM sub_category WHERE category_id LIKE '" . $eventid . "';");
    $event = $result->fetch();
?>
<?php
    echo "<a href=?event=" . $row['id'] .">" . $row['category'] . "</a>&nbsp;";
?>
<?php
    echo "<a href=?sc=" . $event['id'] .">" . $event['sub_category'] . "</a>&nbsp;";
?>
<form method="POST" action="upload1.php" enctype="multipart/form-data" id="subForm">
<b>Upload your file here</b>
<br/>
<span>Name:*</span>&nbsp;<input name="name" type="text" class="required"><br/>
Description:* <input name="description" type="text" class="required"><br/><br/>
Thumbnail Size: 400px X 400px | Featured Image Size: 2100px X 525px<br><br>
Browse:*<input name="userfile" type="file" class="required">&nbsp;<br>
<br/> 
<input type="submit" value="Upload" style="width: 150px">
</form>
<?php
    $name = $_POST['name'];
    $description = $_POST['description'];
    $sc = $_GET['sc']; 
    $kj=$sc;
    if(empty($name)) {
         echo("<br>All the above details must filled in! We dont want monkeys on the page!");
    } 
    else {
        $target="images/";
        $target.=$_FILES['userfile']['name'];
        move_uploaded_file($_FILES['userfile']['tmp_name'],$target);
        mysql_query("INSERT INTO upload(upload, name, description, sub_category_id) VALUES ('".$target."', '$_POST[name]', '$_POST[description]', '".$sc."')") or die( mysql_error());
        echo "<br>File Successfully Uploaded!";
    }
?>

3 Answers

mysql_query("INSERT INTO upload(upload, name, description, sub_category_id) VALUES ('".$target."', '$_POST[name]', '$_POST[description]', '".$sc."')") or die( mysql_error());

This line is probably killing it. Try this instead:

mysql_query("INSERT INTO upload(upload, name, description, sub_category_id) VALUES ('" . $target . "', '$name', '$description', '" . $sc . "')") or die(mysql_error());

You have set

$name = $_POST['name'];
$description = $_POST['description'];
$sc = $_GET['sc'];
$kj = $sc;

just before! And in your query you have used

$_POST[name];

which is 1. incorrect because of missing ' and ' before and after the name, and 2. you have a variable $name for it declared just before.


3 Comments

Sure, but I don't change his whole code, I just answer his question (SQL injections).
And I'm quite sure he doesn't know what prepared statements are, for example.
else {
    $target = "images/";
    $target .= $_FILES['userfile']['name'];
    move_uploaded_file($_FILES['userfile']['tmp_name'], $target);
    // the original comment was missing the closing ")" after :sub_category_id
    $q = $db->prepare("INSERT INTO upload (upload, name, description, sub_category_id) VALUES (:target, :name, :description, :sub_category_id)");
    $q->bindParam('target', $target);
    $q->bindParam('name', $_POST['name']);
    $q->bindParam('description', $_POST['description']);
    $q->bindParam('sub_category_id', $sc);
    $q->execute();
    echo "<br>File Successfully Uploaded!";
}
?>

Try this,

<?php 
$sc = $_GET['sc'];
$result = $db->query("INSERT INTO your_db_table SET field = ".$sc."");
?>

2 Comments

I tried this, however, the ID is copied into a new row; I want to add it in the same row as name, description, etc.
Then try an UPDATE query.

instead of this

mysql_query("INSERT INTO upload(upload, name, description, sub_category_id) VALUES ('".$target."', '$_POST[name]', '$_POST[description]', '".$sc."')") or die( mysql_error());

Use this. Also, your query is not secure from SQL injection; use mysql_real_escape_string:

 mysql_query("INSERT INTO upload(upload, name, description, sub_category_id) VALUES
 ('".$target."', '".mysql_real_escape_string($name)."',
 '".mysql_real_escape_string($description)."', '".mysql_real_escape_string($sc)."')") 
 or die( mysql_error());

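The following is an added example, not code from the question or from any of the answers above. It shows one way to get the `sc` id from the URL into the same row as the name and description (the first answer's prepared-statement comment and the third answer's escaping suggestion both address the INSERT, but neither covers why `$_GET['sc']` is empty on the page that handles the POST). The form on upload.php posts to upload1.php, so the `?sc=1` query string of upload.php is not part of that request; the id has to be carried over, here as a hidden form field. This rewrite of upload1.php assumes, as the page does not state, that `../database.php` defines `$db` as a PDO connection configured with `PDO::ERRMODE_EXCEPTION`, that the form includes `<input type="hidden" name="sc" value="...">` filled in by upload.php from `(int)$_GET['sc']`, that `upload.sub_category_id` is an integer column, and that only image files are expected. It uses PDO bound parameters instead of the deprecated `mysql_*` functions and `mysql_real_escape_string`.

```php
<?php
// Added example (not from the original question or answers): upload1.php
// rewritten so the sub-category id survives the POST and reaches the INSERT.
// Assumptions (not stated on the page): ../database.php defines $db as a PDO
// connection in ERRMODE_EXCEPTION; the form on upload.php contains a hidden
// field named "sc" filled from (int)$_GET['sc']; upload.sub_category_id is
// an integer column.
require_once '../database.php';

// Read the id from the POST body, not from $_GET: the query string of
// upload.php is not sent along when the form posts to upload1.php.
// FILTER_VALIDATE_INT rejects a value such as  1' OR '1'='1  outright.
$sc = filter_input(INPUT_POST, 'sc', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$name        = trim($_POST['name'] ?? '');
$description = trim($_POST['description'] ?? '');

if ($sc === false || $sc === null || $name === '' || $description === '') {
    http_response_code(400);
    exit('All the above details must be filled in!');
}

if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('No file was uploaded.');
}

// Never use the client-supplied file name as a path: it may contain "../"
// segments or a .php extension. Check the real content type and choose a
// random server-side name with an extension we control.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['userfile']['tmp_name']);
if (!isset($allowed[$mime])) {
    http_response_code(400);
    exit('Only JPEG, PNG and GIF images are accepted.');
}
$target = 'images/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $target)) {
    http_response_code(500);
    exit('Could not store the uploaded file.');
}

// Bound parameters are sent to the server separately from the SQL text, so
// quotes in $name or $description cannot alter the statement, and the id is
// stored in the same row as the other fields.
$stmt = $db->prepare(
    'INSERT INTO upload (upload, name, description, sub_category_id)
     VALUES (:upload, :name, :description, :sub_category_id)'
);
$stmt->bindValue(':upload', $target, PDO::PARAM_STR);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':description', $description, PDO::PARAM_STR);
$stmt->bindValue(':sub_category_id', $sc, PDO::PARAM_INT);
$stmt->execute();

echo 'File Successfully Uploaded! Row id: ' . $db->lastInsertId();
```

The hidden field is the part that actually fixes the symptom in the question; the validation and bound parameters are what keep the id and the text fields from being used for SQL injection, and the generated file name keeps an uploaded file from being written outside `images/` or executed as a script.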
