Can someone help me to handle this error? I don’t know what method or way to get rid of this error. I’m new to PHP and starting to learn it. Can someone give me ideas?
Here is my PHP code.
<?php
include_once('connection.php');
$newsid = $_GET['news_id'];

if(isset($_POST['esubmit'])){
    /* create a prepared statement */
    if ($stmt = mysqli_prepare($con, "SELECT * FROM news WHERE news_id = ? LIMIT 1")) {
        /* bind parameters */
        mysqli_stmt_bind_param($stmt, "s", $newsid);
        /* execute query */
        mysqli_stmt_execute($stmt);
        /* get the result set */
        $result = mysqli_stmt_get_result($stmt);
        /* fetch row from the result set */
        $row = mysqli_fetch_array($result);
    }
}

if(isset($_POST['update'])){
    if(isset($_FILES['image'])){
        $file=$_FILES['image']['tmp_name'];
        /* Below is the line 30 causing the error*/
        $image = addslashes(file_get_contents($_FILES['image']['tmp_name']));
        $image_name= addslashes($_FILES['image']['name']);
        move_uploaded_file($_FILES["image"]["tmp_name"],"img/" . $_FILES["image"]["name"]);
        $newsimage="img/" . $_FILES["image"]["name"];
        $title = $_POST['titles'];
        $date = $_POST['dates'];
        $content = $_POST['contents'];
        $sql ="UPDATE news SET news_title ='$title', news_date ='$date', news_content = '$content', news_image ='$newsimage' WHERE news_id = '$newsid'";
        mysqli_query($con, $sql);
        echo "oh it worked ";
    }
    else{
        $title = $_POST['titles'];
        $date = $_POST['dates'];
        $content = $_POST['contents'];
        $sql ="UPDATE news SET news_title ='$title', news_date ='$date', news_content = '$content' WHERE news_id = '$newsid'";
        mysqli_query($con, $sql);
        echo "oh it worked again ";
    }
}
?>
<!DOCTYPE HTML>
<html>
<head>
</head>
<body>
<?php if(isset($_POST['esubmit'])){ ?>
<form method="post" action ="edit2.php?news_id=<?php echo $row['news_id']; ?>" enctype="multipart/form-data">
    Title<input type ="text" name ="titles" value="<?php echo $row['news_title']; ?>"/><br>
    Date<input type ="text" name="dates" value="<?php echo $row['news_date']; ?>" /><br>
    Content<textarea name="contents"><?php echo $row['news_content']; ?></textarea>
    <input class="form-control" id="image" name="image" type="file" accept="image/*" onchange='AlertFilesize();'/>
    <img id="blah" src="<?php echo $row['news_image']; ?>" alt="your image" style="width:200px; height:140px;"/>
    <input type="submit" name="update" value="Update" />
</form>
<?php } ?>
<script src="js/jquery-1.12.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script type="text/javascript">
function readURL(input) {
    if (input.files && input.files[0]) {
        var reader = new FileReader();
        reader.onload = function (e) {
            $('#blah').attr('src', e.target.result);
        }
        reader.readAsDataURL(input.files[0]);
    }
}
$("#image").change(function(){
    readURL(this);
});
</script>
</body>
</html>
Answer
Why are you adding slashes to your (temporary) filename?
Your line 30:
$image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
So to remove the error warning:
if(!empty($_FILES['image']['tmp_name']) && file_exists($_FILES['image']['tmp_name'])) {
    $image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
}
There are a LOT of other things you can / should do with this code but I can’t go over it in too much detail with you, but basically you should check that $_FILES['image']['error'] == 0 to ensure that code only runs if the file has been successfully uploaded.
Replace
if(isset($_FILES['image'])){
With an error check:
if($_FILES['image']['error'] == 0){
Which will mean that only an OK uploaded file will then run the IF statement contents.
Stop adding slashes, it’s not needed.
Use prepared statements for your SQL queries.
move_uploaded_file should in a perfect world be given an absolute path rather than a relative path.
Do you realise that your file_get_contents is getting the data in a file, not a reference but the actual binary file data? This looks like it’s not what you need to be doing at this stage. Your $image value isn’t clearly used in the code you provide and as rightly pointed out by apokryfos, you’re actually adding slashes to the retrieved file data of the image. This is going to simply make your $image a garbled mess.
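Added example (not part of the original answer or the asker's code): the update branch rewritten along the lines the answer lists, with an upload error check, no addslashes, an absolute target path and a prepared UPDATE. The helper name store_news_image, the allow-list of image types and the random stored file name are assumptions added here, going one step beyond the answer; $con, the form fields and the news columns come from the question.

```php
<?php
// Added example, not the asker's or the answerer's code.
// Assumes connection.php defines $con (mysqli), as in the question.
include_once('connection.php');

// Hypothetical helper: stores the upload under $uploadDir and returns its
// web path, or null when the form was sent without a new image.
function store_news_image(array $file, string $uploadDir): ?string
{
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    // Pick the extension from the file content, not the client-supplied name.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Not an accepted image type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return 'img/' . $name;
}

if (isset($_POST['update'], $_FILES['image'])) {
    $newsid  = (int) ($_GET['news_id'] ?? 0);
    $title   = $_POST['titles'] ?? '';
    $date    = $_POST['dates'] ?? '';
    $content = $_POST['contents'] ?? '';
    $image   = store_news_image($_FILES['image'], __DIR__ . '/img'); // absolute path

    // COALESCE keeps the current news_image when no new file was uploaded ($image is null).
    $stmt = mysqli_prepare($con,
        "UPDATE news SET news_title = ?, news_date = ?, news_content = ?,
                news_image = COALESCE(?, news_image) WHERE news_id = ?");
    mysqli_stmt_bind_param($stmt, "ssssi", $title, $date, $content, $image, $newsid);
    mysqli_stmt_execute($stmt);
}
```

Because the stored name is generated server-side, the client-supplied $_FILES['image']['name'] never reaches the filesystem path or the SQL statement.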