
Here is my issue: I am trying to upload a photo and resume of users for my job searching website. I am able to upload both the files into the directory but not able to store the file names into the database. Please help me! I am sure it can be fixed. Help me out please!! This is my PHP code:

```php
<?php

    if(isset($_POST['pro'])) {
        $fname = $_POST['fname'];
        $lname = $_POST['lname'];
        $email    =  $_POST['email2'];
        $mobno = $_POST['mob'];
        $dob = $_POST['dob'];
        $gender = $_POST['gender'];
        $nation = $_POST['nation'];
        $state = $_POST['state'];
        $quali = $_POST['quali'];
        $role = $_POST['role'];
        $clg = $_POST['clg'];
        $exp = $_POST['exp'];
        $field1 = $_POST['field1'];
        $field2 = $_POST['field2'];
        $field3 = $_POST['field3'];
        $field4 = $_POST['field4'];
        $pic = basename($_FILES['userpic']['name']);
        $filename = basename($_FILES['userfile']['name']);
        $folder_name="uploads";
        if (!file_exists($folder_name))/* Check folder exists or not */
        {
            @mkdir($folder_name, 0777);/* Create folder by using mkdir function */
            echo "Folder Created";/* Success Message */
        }

        $destination = 'uploads/' . $pic;
        $destination1 = 'uploads/' . $filename;
        $extension = pathinfo($pic, PATHINFO_EXTENSION);
        $extension1 = pathinfo($filename, PATHINFO_EXTENSION);

        $file1 = $_FILES['userpic']['tmp_name'];
        $size1 = $_FILES['userpic']['size'];
        $file = $_FILES['userfile']['tmp_name'];
        $size = $_FILES['userfile']['size'];

        // reject the request if either file has a disallowed extension
        if (!in_array($extension1, ['zip', 'pdf', 'docx']) || !in_array($extension, ['jpg', 'png'])) {
            echo "Your file extension must be .zip, .pdf or .docx for resume and .jpg or .png for photo";
        } elseif ($_FILES['userfile']['size'] > 1000000 || $_FILES['userpic']['size'] > 1000000) { // neither file may be larger than 1 megabyte
            echo "File too large!";
        } else {
            // move the uploaded (temporary) file to the specified destination
            if (move_uploaded_file($file, $destination1) && move_uploaded_file($file1, $destination)) {
                mysqli_query($con, "INSERT INTO `profile` (`pro_id`,`first_name`,`last_name`,`email`,`mobno`,`date_of_birth`,`gender`,`nation`,`state`,`qualification`,`role`,`institution`,`year_of_exp`,`field1`,`field2`,`field3`,`field4`,`pic`,`file`) VALUES ('','$fname','$lname','$email','$mobno','$dob','$gender','$nation','$state','$quali','$role','$clg','$exp','$field1','$field2','$field3','$field4','$pic',$filename')");

                echo "<center>Profile completed successfully!!</center>";
            }
        }
    }

?>
```

Database table

Professor Abronsius

1 Answer


Try using {} around the variable, like '{$variable}'. See the example below:

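```php
// the closing quote and parenthesis were missing; column names take backticks, not quotes
mysqli_query($con, "INSERT INTO profile (`pro_id`) VALUES ('{$the_value}')");
```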

Seems like you're missing a ' on $filename in your query too.

mr k
  • Please avoid making useless suggestions. Curly braces are not required and adding them doesn't help. – Your Common Sense Jul 31 '20 at 08:46
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Jul 31 '20 at 10:16
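
The prepared-statement approach recommended in the comment above, applied to the question's upload handler as an added example (not code from the asker or the answerer). It assumes `$con` is the page's open mysqli connection and that `pro_id` is an AUTO_INCREMENT column; `store_upload`, `insert_profile` and `PROFILE_FIELDS` are hypothetical names, and each file is checked on its own and stored under a server-generated name.

```php
<?php
// Added example, not the asker's code. Assumes $con is an open mysqli
// connection and `pro_id` is AUTO_INCREMENT (so it is left out of the INSERT).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw instead of failing silently
// Form field => column, taken from the question's INSERT.
const PROFILE_FIELDS = [
    'fname' => 'first_name', 'lname' => 'last_name', 'email2' => 'email', 'mob' => 'mobno',
    'dob' => 'date_of_birth', 'gender' => 'gender', 'nation' => 'nation', 'state' => 'state',
    'quali' => 'qualification', 'role' => 'role', 'clg' => 'institution', 'exp' => 'year_of_exp',
    'field1' => 'field1', 'field2' => 'field2', 'field3' => 'field3', 'field4' => 'field4',
];

// Validate one upload on its own; return the stored file name, or null if rejected.
function store_upload(array $f, array $allowedExt, string $dir, int $maxBytes = 1000000): ?string
{
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > $maxBytes) {
        return null;
    }
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // server-generated, not the client's name
    return move_uploaded_file($f['tmp_name'], "$dir/$name") ? $name : null;
}

// Insert the profile row with every value bound as a parameter.
function insert_profile(mysqli $con, array $post, string $pic, string $resume): bool
{
    $values = [];
    foreach (array_keys(PROFILE_FIELDS) as $field) {
        $v = $post[$field] ?? '';
        $values[] = is_string($v) ? $v : ''; // ignore array-valued fields
    }
    array_push($values, $pic, $resume);
    $cols = array_merge(array_values(PROFILE_FIELDS), ['pic', 'file']);
    $sql  = 'INSERT INTO `profile` (`' . implode('`,`', $cols) . '`) VALUES ('
          . implode(',', array_fill(0, count($cols), '?')) . ')';
    $stmt = $con->prepare($sql); // user input never becomes part of the SQL text
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    return $stmt->execute();
}

if (isset($_POST['pro'], $_FILES['userpic'], $_FILES['userfile'])) {
    $pic    = store_upload($_FILES['userpic'], ['jpg', 'png'], 'uploads');
    $resume = store_upload($_FILES['userfile'], ['zip', 'pdf', 'docx'], 'uploads');
    $ok = $pic !== null && $resume !== null && insert_profile($con, $_POST, $pic, $resume);
    echo $ok ? 'Profile completed successfully!!' : 'Upload rejected or profile not saved.';
}
```

The extension allow-list does not inspect file contents, and if one file is rejected after the other was stored, the stored file stays in `uploads` until it is removed.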