How to upload multiple image in one record database SQL?

SpacePhoenix · July 29, 2015, 5:51pm

Once you’ve migrated to either mysqli or PDO you need to use prepared statements to eliminate the risk of sql injection attacks, right now you’re code is wide open to sql injection attacks

Habib_Azka_rama · July 29, 2015, 11:52pm

Hii,
i get some problem again.
The input data is filled up now, but how to update the data value and changed the images based column “image1, image2, image3, image4” ?
form images input like this :

<tr>
	<td>Images </td><td>*)Dikosongkan jika tidak diganti<br/> <input type='file' style='padding:5px;width:250px;background:#f0f0f0;' name='file1' id='f1' placeholder='image1'/><br /> <input type='file' style='padding:5px;width:250px;background:#f0f0f0;' name='file2' id='f2' placeholder='image2' /><br />
		<input type='file' style='padding:5px;width:250px;background:#f0f0f0;' name='file3' id='f3' placeholder='image3'/><br />
		<input type='file' style='padding:5px;width:250px;background:#f0f0f0;' name='file4' id='f4' placeholder='image4'/></td></tr>

if using foreach($_FILES as $aFile){} the images can’t change in a right column, like input ‘image2’ will change a content in column ‘images2’ and unlink the image that saved before
my code update :

mysql_query("UPDATE smamakudus SET nss='$_POST[nss]', npsn='$_POST[npsn]', nama_sekolah='$_POST[nama_sekolah]', jenis_sekolah='$_POST[jenis_sekolah]', akreditasi='$_POST[akreditasi]', alamat='$_POST[alamat]',tlp='$_POST[tlp]',web='$_POST[web]',jmlguru='$_POST[jmlguru]',jmlsiswa='$_POST[jmlsiswa]',kecamatan='$_POST[kecamatan]', image1='$aMyUploads[0]', image2='$aMyUploads[1]', image3='$aMyUploads[2]', image4='$aMyUploads[3]' ,lat='$_POST[lat]',lon='$_POST[lon]' where id='$_POST[id]'");
unlink("foto/$_POST[nama_gambar]");

How can i do to solve this?

felgall · July 30, 2015, 8:27am

Habib_Azka_rama:

mysql_query("UPDATE smamakudus SET nss='$_POST[nss]', npsn='$_POST[npsn]', nama_sekolah='$_POST[nama_sekolah]', jenis_sekolah='$_POST[jenis_sekolah]', akreditasi='$_POST[akreditasi]', alamat='$_POST[alamat]',tlp='$_POST[tlp]',web='$_POST[web]',jmlguru='$_POST[jmlguru]',jmlsiswa='$_POST[jmlsiswa]',kecamatan='$_POST[kecamatan]', image1='$aMyUploads[0]', image2='$aMyUploads[1]', image3='$aMyUploads[2]', image4='$aMyUploads[3]' ,lat='$_POST[lat]',lon='$_POST[lon]' where id='$_POST[id]'");
unlink("foto/$_POST[nama_gambar]");

All those $_POST calls inside of the update can be used to apply any data at all into your statement - you don;t know what that UPDATE will do because you don’t know what someone will tell it to do - simplest would be to delete your database, slightly more complicated would be to overflow your server space with junk. Of course if someone other than a script kiddie used that obvious attack vector then you might be held responsible for the virus that wipes out the internet.

system · October 29, 2015, 3:28pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.