Blake Cothran - 3 months ago
PHP Question

SQL statement is not working with image upload

So I am doing an image upload form and the image uploads just fine, but after the image loads the SQL statement is not working. I was wondering how I can fix this. Also, this is my first time trying prepared statements, so idk if my syntax is right or what.

<?php

// Check for errors
if ($_FILES['file_upload']['error'] > 0) {
    die('An error occurred when uploading.');
}

// Check that the temp file parses as an image
if (!getimagesize($_FILES['file_upload']['tmp_name'])) {
    die('Please ensure you are uploading an image.');
}

// Check filetype (this value is reported by the client)
if ($_FILES['file_upload']['type'] != 'image/png') {
    die('Unsupported filetype uploaded.');
}

// Check filesize
if ($_FILES['file_upload']['size'] > 500000) {
    die('File uploaded exceeds maximum upload size.');
}

// Rename file
$temp = explode(".", $_FILES['file_upload']['name']);
$filename = round(microtime(true)) . '.' . "png";

// Upload file
if (!move_uploaded_file($_FILES['file_upload']['tmp_name'], '../images/' . $filename)) {
    die('Error uploading file - check destination is writeable.');
}

// die('File uploaded successfully.');

session_start();

require_once('connection.php');

$sql = $conn->prepare("INSERT INTO items (poster, item_name, item_desc, item_type, item_price, link) VALUES (?, ?, ?, ?, ?, ?)");
$sql->bind_param($poster, $item_name, $item_desc, $item_type, $item_price, $link);

// Bound by reference, so values assigned here are the ones sent on execute()
$item_type = $_POST['item_type'];
$item_name = $_POST['item_name'];
$item_desc = $_POST['item_desc'];
$item_price = $_POST['item_price'];
$poster = $_SESSION['username'];
$link = $filename;

// Sanitize each value from its own variable
$poster = filter_var($poster, FILTER_SANITIZE_STRING);
$item_name = filter_var($item_name, FILTER_SANITIZE_STRING);
$item_desc = filter_var($item_desc, FILTER_SANITIZE_STRING);
$item_type = filter_var($item_type, FILTER_SANITIZE_STRING);
$item_price = filter_var($item_price, FILTER_SANITIZE_STRING);
$link = filter_var($link, FILTER_SANITIZE_STRING);

$sql->execute();

?>

Answer

You forgot to define the data types in bind_param. Something like below:

$sql->bind_param('ssssds',$poster, $item_name, $item_desc, $item_type, $item_price, $link);
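
The whole handler with the typed bind_param from the answer, as an added example that is not the asker's or the answerer's code. It goes beyond the answer by making mysqli report errors and by checking the file type from the file contents; it assumes connection.php defines $conn as a mysqli object and reuses the field, table and column names from the question.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes connection.php defines $conn as a mysqli object, as in the question.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
require_once 'connection.php';

$upload = $_FILES['file_upload'] ?? null;
if ($upload === null || $upload['error'] !== UPLOAD_ERR_OK) {
    die('An error occurred when uploading.');
}
if ($upload['size'] > 500000) {
    die('File uploaded exceeds maximum upload size.');
}
// $_FILES[...]['type'] is sent by the browser; detect the type from the bytes.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
if ($mime !== 'image/png' || getimagesize($upload['tmp_name']) === false) {
    die('Unsupported filetype uploaded.');
}
// Validate the form values before the file is stored. Bound parameters need no
// SQL sanitizing; escape with htmlspecialchars() when printing them in HTML.
$poster     = $_SESSION['username'] ?? '';
$item_name  = $_POST['item_name'] ?? '';
$item_desc  = $_POST['item_desc'] ?? '';
$item_type  = $_POST['item_type'] ?? '';
$item_price = filter_var($_POST['item_price'] ?? null, FILTER_VALIDATE_FLOAT);
if ($poster === '' || $item_price === false || $item_price < 0) {
    die('Invalid item data.');
}
// Server-chosen random name: no user input in the path, and no collision
// when two uploads arrive within the same second.
$filename = bin2hex(random_bytes(16)) . '.png';
$target   = '../images/' . $filename;
if (!move_uploaded_file($upload['tmp_name'], $target)) {
    die('Error uploading file - check destination is writeable.');
}

try {
    $stmt = $conn->prepare(
        'INSERT INTO items (poster, item_name, item_desc, item_type, item_price, link)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // One type letter per placeholder: s = string, d = double.
    $stmt->bind_param('ssssds', $poster, $item_name, $item_desc, $item_type, $item_price, $filename);
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    unlink($target); // do not leave an image on disk that has no row
    error_log('Item insert failed: ' . $e->getMessage());
    die('Could not save item.');
}
```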