UPDATE: I checked the POST variables; nothing wrong there.
Here is my form code...
<?php
if(isset($_POST['submit'])){
    $error_message = "";
    $display_message = "";
    $error = NULL;
    $text_only = false; // set when no file was selected, so the upload steps below are skipped
    $id = mysqli_prep($_POST['id']);
    $image = $_FILES['thumbnail'];
    if($image['error'] != 0){
        if($image['error'] == 4){ // UPLOAD_ERR_NO_FILE: no file selected, update the text fields only
            $text_only = true;
            $menu_name = mysqli_prep($_POST['title']);
            $group = mysqli_prep($_POST['group']);
            $link = mysqli_prep($_POST['link']);
            // The values are spliced straight into the SQL instead of using `?` placeholders,
            // so bind_param() below has nothing to bind to (the bug fixed in UPDATE2). The
            // escaped strings are also unquoted, so MySQL parses them as identifiers.
            $sql = "UPDATE admin_categories SET
                        `menu_name` = $menu_name,
                        `group` = $group,
                        `link` = $link
                    WHERE id = $id";
            $stmt = mysqli_stmt_init($connect);
            mysqli_stmt_prepare($stmt, $sql); // return value unchecked: a failed prepare is silent here
            mysqli_stmt_bind_param($stmt, 'sssi', $menu_name, $group, $link, $id);
            if(mysqli_stmt_execute($stmt)){
                // Success!
                $display_message = "<h6 class=\"displaymessage\">Admin category updated successfully!</h6>\n";
            }else{
                // Failed! (the raw mysqli_error() text is sent to the browser; it belongs in the server log)
                $display_message = "<h6 class=\"displaymessage\">Admin category update failed.</h6>\n";
                $display_message .= "<h6 class=\"displaymessage\">".mysqli_error($connect)."</h6>\n";
            }
            mysqli_stmt_close($stmt);
        } else {
            $error = "File could not be uploaded. Please try again.\n";
            // Not correct form enctype?
        }
    }
    if(!$error && !$text_only){
        if(!@is_uploaded_file($image['tmp_name'])){
            $error = 'The process cannot continue. Please contact administration.';
            // Malicious user?
        }
    }
    if(!$error && !$text_only){
        // $image['type'] is the MIME type the client claimed in the request; it is not verified
        // by PHP and cannot serve as a security check.
        $allowedMime = array('image/png');
        if(!in_array($image['type'], $allowedMime)){
            $error = 'You can upload only PNG images. Please try again.';
            // Unaccepted file type
        }
    }
    if(!$error && !$text_only){
        // The extension comes from the client-supplied file name, so this is only a convenience check.
        $allowedExtensions = array('png');
        $nameParts = explode('.', $image['name']); // array_pop() needs a variable, not a call result
        $fileExtension = array_pop($nameParts);
        if(!in_array($fileExtension, $allowedExtensions)){
            $error = 'You can upload only PNG files. Please try again.';
            // Unaccepted file extension
        }
    }
    if(!$error && !$text_only){
        $uploadDirectory = ADMIN.'_images/dir/'; // ADMIN is a constant defined elsewhere in the application
        $uploadName = $image['name']; // stored under the client-chosen name
        // uploadDirectory must be set as absolute path or as relative path to upload.php
        // check if image already exists, if it does, delete it
        // (any existing file in the upload directory with the same name is replaced)
        if(file_exists($uploadDirectory.$uploadName)) unlink($uploadDirectory.$uploadName);
        if(!@move_uploaded_file($image['tmp_name'], $uploadDirectory.$uploadName)){
            $error = 'There was a problem storing the file. Please contact webmaster.';
            // Permission denied to write into folder or hardware issues?
        }
    }
    if(!$error && !$text_only){
        $menu_name = mysqli_prep($_POST['title']);
        $group = mysqli_prep($_POST['group']);
        $link = mysqli_prep($_POST['link']);
        $imagen = mysqli_prep($_FILES['thumbnail']['name']);
        // Same problem as above: interpolated values, no `?` placeholders for bind_param() to fill.
        $sql = "UPDATE admin_categories SET
                    `menu_name` = $menu_name,
                    `group` = $group,
                    `link` = $link,
                    `image` = $imagen
                WHERE id = $id";
        $stmt = mysqli_stmt_init($connect);
        mysqli_stmt_prepare($stmt, $sql); // return value unchecked
        mysqli_stmt_bind_param($stmt, 'ssssi', $menu_name, $group, $link, $imagen, $id);
        if(mysqli_stmt_execute($stmt)){
            // Success!
            $display_message = "<h6 class=\"displaymessage\">Admin category updated successfully!</h6>\n";
        }else{
            // Failed!
            $display_message = "<h6 class=\"displaymessage\">Admin category update failed.</h6>\n";
            $display_message .= "<h6 class=\"displaymessage\">".mysqli_error($connect)."</h6>\n";
        }
        mysqli_stmt_close($stmt);
    }
    if($error) $error_message .= $error."\n";
}
?>
...and my mysqli_prep function code...
function mysqli_prep($value){
    global $connect;
    // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0;
    // magic_quotes itself has not existed since PHP 5.4.
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysqli_real_escape_string");
    if($new_enough_php){ // mysqli extension available (PHP 5.0 or higher)
        // undo any magic quote effects so mysqli_real_escape_string can do the work
        if($magic_quotes_active){
            $value = stripslashes($value);
        }
        $value = mysqli_real_escape_string($connect, $value);
    } else { // no mysqli extension
        // if magic quotes aren't already on then add slashes manually
        if(!$magic_quotes_active){
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    // This escaping is only correct for a value spliced into a query string. A value that
    // is passed to mysqli_stmt_bind_param() must not be escaped first, or the added
    // backslashes are stored in the database literally.
    return $value;
}
UPDATE2: Well, I don't know how I missed that screw-up (the SQL query did not have any ?'s); working fine now.
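For reference, here is how the same update looks with the placeholders in place and without the pre-escaping, together with server-side checks on the uploaded PNG. This is an added example, not the poster's code; it assumes a mysqli connection in `$connect`, a table `admin_categories(id, menu_name, group, link, image)` as implied by the question, and an upload directory path in `$uploadDirectory` (all assumptions), and it runs on PHP 7.1 or later.

```php
<?php
declare(strict_types=1);
// Added example, not the original poster's code. Assumes $connect (mysqli),
// $uploadDirectory (writable path), and a table admin_categories(id, menu_name,
// `group`, link, image); none of these are defined here.

// Make mysqli throw on failure so a prepare() that fails (for example a query
// with no placeholders) is reported instead of silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate an uploaded PNG using only server-side evidence and move it into
 * $uploadDirectory under a generated name. Returns the stored file name and
 * throws RuntimeException with a user-safe message on any failure.
 */
function store_png_upload(array $file, string $uploadDirectory, int $maxBytes = 2000000): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('File could not be uploaded. Please try again.');
    }
    // Reject anything that did not arrive as an HTTP upload in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('The process cannot continue.');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File is too large.');
    }
    // $file['type'] and $file['name'] come from the client; inspect the bytes instead.
    $header = file_get_contents($file['tmp_name'], false, null, 0, 8);
    if ($header !== "\x89PNG\r\n\x1a\n") {
        throw new RuntimeException('You can upload only PNG images.');
    }
    // Second opinion from the image parser: also rejects a PNG signature glued onto junk.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        throw new RuntimeException('You can upload only PNG images.');
    }
    // Never reuse the client-supplied name: no path tricks, no clobbering another
    // file, no double extensions. The extension is fixed by the server.
    $storedName = bin2hex(random_bytes(16)) . '.png';
    $target = rtrim($uploadDirectory, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('There was a problem storing the file.');
    }
    return $storedName;
}

/**
 * Update a category with a real prepared statement: `?` placeholders, typed
 * bind_param(), and no mysqli_real_escape_string() on the bound values.
 * $imageName is null when no new image was uploaded. Returns affected rows.
 */
function update_admin_category(mysqli $connect, int $id, string $menuName, string $group, string $link, ?string $imageName): int
{
    if ($imageName === null) {
        $stmt = $connect->prepare('UPDATE admin_categories SET `menu_name` = ?, `group` = ?, `link` = ? WHERE id = ?');
        $stmt->bind_param('sssi', $menuName, $group, $link, $id);
    } else {
        $stmt = $connect->prepare('UPDATE admin_categories SET `menu_name` = ?, `group` = ?, `link` = ?, `image` = ? WHERE id = ?');
        $stmt->bind_param('ssssi', $menuName, $group, $link, $imageName, $id);
    }
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handling: one code path, the image is optional.
if (isset($_POST['submit'])) {
    $displayMessage = '';
    try {
        $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
        if ($id === false || $id === null) {
            throw new RuntimeException('Invalid category id.');
        }
        $imageName = null;
        if (isset($_FILES['thumbnail']) && $_FILES['thumbnail']['error'] !== UPLOAD_ERR_NO_FILE) {
            $imageName = store_png_upload($_FILES['thumbnail'], $uploadDirectory);
        }
        update_admin_category($connect, $id, (string)($_POST['title'] ?? ''), (string)($_POST['group'] ?? ''), (string)($_POST['link'] ?? ''), $imageName);
        $displayMessage = 'Admin category updated successfully!';
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // database detail goes to the server log, not the browser
        $displayMessage = 'Admin category update failed.';
    } catch (RuntimeException $e) {
        $displayMessage = $e->getMessage();
    }
    echo '<h6 class="displaymessage">' . htmlspecialchars($displayMessage, ENT_QUOTES, 'UTF-8') . "</h6>\n";
}
```

Two design points follow from the thread. First, `mysqli_prep()` and `bind_param()` are alternatives, not layers: escaping is for values spliced into the query text, and a value bound to a `?` is sent to the server separately, so escaping it first stores literal backslashes. Second, `$_FILES[...]['type']` and `['name']` are whatever the client put in the multipart request, which is why the example reads the PNG signature and lets `getimagesize()` parse the file, then stores it under a name the server generated.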