// Getting the id of the restaurant to which we are uploading the pictures
$restaurant_id = intval($_GET['restaurant-id']);

if(isset($_POST['submit']))
{
    $tmp_files = $_FILES['rest_pics']['tmp_name'];
    $target_files = $_FILES['rest_pics']['name'];
    $tmp_target = array_combine($tmp_files, $target_files);
    $upload_dir = $rest_pics_path;
    foreach($tmp_target as $tmp_file => $target_file)
    {
        if(move_uploaded_file($tmp_file, $upload_dir."/".$target_file))
        {
            $sql = sprintf("
            INSERT INTO rest_pics
            (branch_id, pic_name)
            VALUES ('%s', '%s')"
            , mysql_real_escape_string($restaurant_id)
            , mysql_real_escape_string(basename($target_file)));
            $result = mysql_query($sql) or die(mysql_error());
        }
    }
}

I get the following error:

Cannot add or update a child row: a foreign key constraint fails (rest_v2.rest_pics, CONSTRAINT rest_pics_ibfk_1 FOREIGN KEY (branch_id) REFERENCES rest_branches (branch_id) ON DELETE CASCADE ON UPDATE CASCADE

However, this error totally disappears and everything goes well when I put the restaurant id directly (14 for example) instead of the $restaurant_id variable in the SQL query.

The URL I am getting the id from is: http://localhost/rest_v2/public_html/admin/add-delete-pics.php?restaurant-id=2

Any help please?

+3  A: 

The problem is that your query is putting $restaurant_id in as a string. You have it quoted. You want to replace it with this:

$sql = sprintf("
    INSERT INTO rest_pics
    (branch_id, pic_name)
    VALUES (%s, '%s')" //<-- I removed the quotes around the first %s
    , mysql_real_escape_string($restaurant_id)
    , mysql_real_escape_string(basename($target_file)));

Also, you might want to look into using PDO instead of the outdated mysql_* functions. They're cleaner, safer, faster, and more modern. Here's your same query using PDO:

$statement = $db->prepare('INSERT INTO rest_pics (branch_id, pic_name) VALUES (?, ?)');
$statement->execute(array($restaurant_id, $target_file));

Notice that I didn't have to deal with worrying about quotes because PDO correctly determines the datatype for queries going in and results coming out. Also, this is safe by default - no manual escaping. In other words, this wouldn't have happened if you used PDO.

ryeguy
and replace %s with %i, don't you think?
Jaroslav Moravec
I removed the quotes but I still get the same error. Thanks for your reply :)
@Jaroslav: It wouldn't matter. The query itself is a string.
ryeguy
@myaccount: Try dumping `$restaurant_id` right before you put it in the query then. There is something else going on; it's probably not the value you think it is.
ryeguy
+1 PDO suggestion and example.
webbiedave
I dumped it and it is as expected int(14). This error is driving me crazy!! :D
A: 

Sorry guys, I figured it out. The error was in the form, I used:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" ...

instead of:

<form action="" ...

That made the page load without its GET parameters, so branch_id was missing and that's why this silly error occurred.

Thanks a lot for your answers :)
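
Added example (not part of the original thread): the failure above stayed hidden because `intval()` turns a missing `restaurant-id` into 0, so the first visible symptom was the foreign key error. The sketch below validates the id before the insert and binds it through PDO; `restaurant_id_from_query()` and `add_picture()` are hypothetical names, and an in-memory SQLite database (assumes the `pdo_sqlite` extension) stands in for the MySQL tables.

```php
<?php
// Added example, not code from the thread. restaurant_id_from_query() and
// add_picture() are hypothetical names; SQLite stands in for MySQL (assumption).

// Returns a positive integer id, or null when the parameter is absent or
// malformed. intval() would turn a missing value into 0 without complaint.
function restaurant_id_from_query(array $query): ?int
{
    $id = filter_var($query['restaurant-id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Inserts one picture row; returns false when the request carries no usable id
// or when the database rejects the row.
function add_picture(PDO $db, array $query, string $client_name): bool
{
    $id = restaurant_id_from_query($query);
    if ($id === null) {
        return false; // stop before the database is involved
    }
    $stmt = $db->prepare('INSERT INTO rest_pics (branch_id, pic_name) VALUES (?, ?)');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->bindValue(2, basename($client_name), PDO::PARAM_STR);
    try {
        return $stmt->execute();
    } catch (PDOException $e) {
        return false; // e.g. a foreign key violation: no such branch_id
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('PRAGMA foreign_keys = ON');
$db->exec('CREATE TABLE rest_branches (branch_id INTEGER PRIMARY KEY)');
$db->exec('CREATE TABLE rest_pics (
    branch_id INTEGER NOT NULL REFERENCES rest_branches (branch_id),
    pic_name TEXT NOT NULL)');
$db->exec('INSERT INTO rest_branches (branch_id) VALUES (14)');

// Constructed requests. The empty array mimics the form posting to PHP_SELF,
// which drops the query string.
var_dump(intval(null));
var_dump(add_picture($db, [], 'front.jpg'));
var_dump(add_picture($db, ['restaurant-id' => '99'], 'front.jpg'));
var_dump(add_picture($db, ['restaurant-id' => '14'], 'front.jpg'));
```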