Because $_POST["uploadFile"] doesn't contain anything. Form fields of type "file" are submitted through the global $_FILES. Look at the first half of your code where you upload the image. Depending on what you want to save, it's either $_FILES["uploadFile"]["name"] or the $target_dir in combination with that. Use a browser capable of showing POST/GET data or echo it yourself to get more insight:
For variables
Code:
<?php echo $_POST["uploadFile"]["name"]; ?>
For arrays/objects
Code:
<?php var_dump($_POST["uploadFile"]); ?>
Search
You're both going into the right direction, but don't repeat yourself (DRY principle). Having to deal with an unknown amount of data input screams for iteration. While $_POST already is an array you can iterate over, you should put all the search related variables into their own array. Otherwise you get ALL $_POST data and have to filter out unnecessary stuff. To accomplish that, go into your form code and change the related input names, e.g.
Code:
<input type="Text" name="title">
becomes
Code:
<input type="Text" name="game[title]">
That means, all your game search related POST data is now gathered in the $_POST["game"] array and you can iterate over that:
Code:
if (empty($_POST)) {
//No form data found, moving on
}
else {
//Reset counter
$i = 0;
//Column whitelist
$columns = array('title', 'console', 'genre', 'publisher', 'releaseYear', 'rarity');
//Basic SQL
$sql = "SELECT * FROM Games";
//Loop over the $_POST["game"] array
foreach($_POST["game"] as $key => $value)
{
//Check if key value is a proper column name
if(in_array($key, $columns))
{
//Only add condition if it's not empty
if(!empty($value))
{
//If at first loop, use WHERE, otherwise AND
if($i == 0) { $sql .= " WHERE "; }
else { $sql .= " AND "; }
////Build rest of the SQL and the placeholders array
$sql .= "$key LIKE ?";
$param[] = "%{$value}%";
//Increase counter
$i++;
}
}
else { exit("Error! $key is not in whitelist"); }
}
//Prepare the query
$sth = $dbh->prepare($sql);
//Execute the query with the placeholders populated by the data from the array
$sth->execute($param);
// Fetch the results //
$rowset = $sth->fetchAll(PDO::FETCH_ASSOC);
// Show the results //
echo json_encode($rowset);
}
Two things:
Column Whitelist
We use the $_POST["game"]["title"] key value (title) as column name in the query. Although the user can't directly change that value through your page, it's easy to send any kind of $_POST data manually. PDO unfortunately doesn't have any method to automatically sanitize column names, unlike it does for the input data through placeholders. The easiest way to be safe is to compare it against a whitelist and only proceed if it matches.
Regular placeholders
We use regular ones here
Code:
SELECT * FROM Games WHERE title LIKE ? AND console LIKE ? AND genre LIKE ?
$param = array('dudu', 'dada', 'didi');
instead of named ones
Code:
SELECT * FROM Games WHERE title LIKE :title AND console LIKE :console AND genre LIKE :genre
$param = array(':title' => 'dudu', ':console' => 'dada', 'genre' => 'didi');
We don't need named ones because we're iterating over key/value pairs. So the key value (e.g. title) used for the column name in the query statement is already tied to the corresponding value (e.g. super mario).