
I wrote a multipart form, but it doesn't work. The code inspector tells me something is wrong with the move_uploaded_file function. Can anyone tell me what the problem is?

My HTML code:

<div class="setting post">
    <form action="add-banner.php" method="post" enctype="multipart/form-data">
        <input type="text" name="banner-title" placeholder="enter new banner title"><br>
        <select name="banner-cat">
            <?php
            $get_cats = mysqli_query($db, 'select * from cats');
            while ($row = mysqli_fetch_assoc($get_cats)) {
            ?>
            <option value="<?php echo $row['id'] ?>"><?php echo $row['cat_name'] ?></option>
            <?php
            }
            ?>
        </select>
        <br>
        <input type="file" name="banner">
        <br>
        <input type="submit" name="upload" value="add new banner">
    </form>
</div>

and this is my php code:

<?php
require_once 'db.php';
global $db;
$banner_title = $_POST['banner-title'];
$banner_cat = $_POST['banner-cat'];
$banner = $_FILES['banner']['name'];
$banner_tmp = $_FILES['banner']['tmp_name'];
$upload_file = move_uploaded_file($banner_tmp, '../../images/$banner');
$insert_banner = mysqli_query($db, "insert into banner(banner_title,banner_cat,banner_link) values ('$banner_title','$banner_cat','$banner')");
if ($insert_banner && $upload_file) {
    $message = 'New banner Succesfully added';
    echo "<script>
    alert('".$message."');
    window.location.href='post.php';
    exit;
    </script>";
} else {
    $message = 'Something goes Wrong';
    echo "<script>
    alert('".$message."');
    window.location.href='post.php';
    exit;
    </script>";
}
?>
  • This code has got a lot of vulnerabilities: unsanitized inputs being used to create a query and do filesystem operations. This is Russian roulette with an automatic gun. Google up SQL injection, and look around on how to sanitize your inputs, or your site is in danger. Commented Sep 3, 2016 at 12:56

1 Answer
<?php
require_once 'db.php';
global $db;
$banner_title = $_POST['banner-title'];
$banner_cat   = $_POST['banner-cat'];
// basename() strips any directory part the client put in the file name
$banner       = basename($_FILES['banner']['name']);
$banner_tmp   = $_FILES['banner']['tmp_name'];
// Target must be an absolute filesystem path (not a URL), and the string
// must be double-quoted or "$banner" is never interpolated; adjust
// '/images/' to wherever the directory really lives on the server.
$upload_file  = move_uploaded_file($banner_tmp, "/images/$banner");
// Note: the values are still interpolated into SQL unescaped; real code
// should use a prepared statement here.
$insert_banner = mysqli_query($db, "insert into banner(banner_title,banner_cat,banner_link) values ('$banner_title','$banner_cat','$banner')");
if ($insert_banner && $upload_file) {
    $message = 'New banner successfully added';
} else {
    $message = 'Something went wrong';
}
// exit is a PHP statement, not JavaScript, so it belongs after the echo
echo "<script>
alert('" . $message . "');
window.location.href = 'post.php';
</script>";
exit;
?>

// Don't use a back folder (../) for the uploaded file; if you do use a back folder, use the full URL for the folder.
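The answer fixes the path, and the comment on the question points out that the query and the file system calls still take raw user input. The handler below is an added example, not code from the question or the answer: it keeps the same form fields, `db.php` connection and `banner` table from the page, and assumes an `images/` directory next to the script that the web server can write to. The function and constant names (`redirect_with`, `MAX_BYTES`, `ALLOWED_TYPES`) are mine.

```php
<?php
// Hardened upload handler (added example). Assumes db.php sets $db to a
// mysqli connection and that images/ beside this script is writable.
declare(strict_types=1);
require_once 'db.php';

const MAX_BYTES     = 2 * 1024 * 1024;   // server-side size cap, 2 MiB
const ALLOWED_TYPES = [                  // detected MIME type => extension we assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function redirect_with(string $msg): void
{
    // $msg is server-controlled, but JSON-encode it anyway so it can never
    // break out of the <script> string.
    $safe = json_encode($msg, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT);
    echo "<script>alert($safe); window.location.href = 'post.php';</script>";
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['banner'])) {
    redirect_with('No upload received');
}
$file = $_FILES['banner'];

// 1. PHP's own status code: anything but UPLOAD_ERR_OK means tmp_name is
//    not a complete file (too large, partial, missing, ...).
if ($file['error'] !== UPLOAD_ERR_OK) {
    redirect_with('Upload failed with error code ' . $file['error']);
}
// 2. Only ever move files PHP itself received in this request.
if (!is_uploaded_file($file['tmp_name'])) {
    redirect_with('Not an uploaded file');
}
// 3. Enforce a size limit independent of php.ini settings.
if ($file['size'] > MAX_BYTES) {
    redirect_with('File too large');
}
// 4. Decide the type from the bytes on disk, never from the client's file
//    name or from $_FILES['banner']['type'] (both are attacker-controlled).
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!isset(ALLOWED_TYPES[$mime])) {
    redirect_with('Unsupported file type');
}
// 5. Discard the client file name entirely. A random name plus an
//    extension we chose removes path traversal, double extensions such as
//    shell.php.png, and collisions in one step.
$stored_name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
$target      = __DIR__ . '/images/' . $stored_name;

// 6. Validate the form fields: banner_cat is a foreign key, so it must be
//    an integer; the title is kept as text but bound, not interpolated.
$banner_title = trim((string)($_POST['banner-title'] ?? ''));
$banner_cat   = filter_var($_POST['banner-cat'] ?? null, FILTER_VALIDATE_INT);
if ($banner_title === '' || mb_strlen($banner_title) > 100 || $banner_cat === false) {
    redirect_with('Invalid title or category');
}

// 7. Parameterised insert: bound values cannot change the query structure.
$stmt = $db->prepare(
    'INSERT INTO banner (banner_title, banner_cat, banner_link) VALUES (?, ?, ?)'
);
if ($stmt === false) {
    redirect_with('Database error');
}
$stmt->bind_param('sis', $banner_title, $banner_cat, $stored_name);

// 8. Move first, then insert; remove the file if the insert fails so no
//    orphaned upload is left on disk.
if (!move_uploaded_file($file['tmp_name'], $target)) {
    redirect_with('Could not store file');
}
if (!$stmt->execute()) {
    unlink($target);
    redirect_with('Database error');
}
redirect_with('New banner successfully added');
```

Two things the code cannot do for you: configure the web server so nothing under `images/` is handed to the PHP interpreter (a correct MIME check does not stop a valid PNG that also parses as PHP), and in the form's category `<select>`, wrap `$row['cat_name']` and `$row['id']` in `htmlspecialchars()` before echoing them, since they come from the database unescaped.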
