Tags

php mysqli mysqlimport

Answers (1)

March 4, 2026 Score: 3 Rep: 199,944 Quality: Medium Completeness: 80%

But I can't find any details on how the HTML form is actually used to upload the file to where mysqli_query can import it.

You first need to know where mysqli_query can import it. Create a test CSV file there and verify mysqli_query can import it.

Next verify how you are handling the file upload:

$uploaded = $_FILES["fileupload"]["name"];

POST method uploads explains:

$_FILES['userfile']['name']
The original name of the file on the client machine.

Caution: Never use the 'name' provided by the user, that is a (huge) security risk. (more info below)

Apart from being dangerous, that 'name' is merely informative (client machine = the computer of the user posting the form, the uploader); you need an actual pathname on the same system where you load the infile from:

$_FILES['userfile']['tmp_name']
The temporary filename of the file in which the uploaded file was stored on the server.

The uploaded file is temporary, see is_uploaded_file() for Example #1 is_uploaded_file() example.

if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
   echo "File ". $_FILES['userfile']['name'] ." uploaded successfully.\n";
   echo "Displaying contents\n";
   readfile($_FILES['userfile']['tmp_name']);
} else {
   echo "Possible file upload attack: ";
   echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
}

This example listing shows both the usage of 'name' and 'tmp_name'.

Instead of readfile() you would let MySQL read it via the 'LOAD DATA LOCAL INFILE' query.

In case you first need to move the uploaded file, see move_uploaded_file() and furthermore read about it in the PHP manual section Handling File Uploads.


Caution: Never use the 'name' provided by the user, that is a security risk.

To give an example, in your code:

mysqli_query($connect,"LOAD DATA LOCAL INFILE $uploaded INTO TABLE tablename FIELDS TERMINATED BY ',' IGNORE 1 LINES; ");

the $uploaded variable contains arbitrary string data; the user can inject into the SQL query, changing it completely. See the warning about SQL Injection on mysqli_query() that shows how to prevent such injections.
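
As an added example (not part of the original answer), the advice above combined into one handler: the upload is checked with is_uploaded_file(), stored under a server-generated name, and only that path reaches LOAD DATA LOCAL INFILE. The import directory, the connection values and the helper names store_upload() and import_csv() are assumptions; the field name "fileupload" and the table name come from the question's code.

```php
<?php
declare(strict_types=1);
// Assumed for this example: IMPORT_DIR, the helper names, and the DB_* placeholders.
const IMPORT_DIR = '/var/lib/csv-import';   // outside the web root, writable by PHP

function store_upload(array $file): string
{
    // Reject failed uploads and anything PHP did not itself receive via POST.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload rejected');
    }
    // Server-generated name: the client-supplied 'name' is never used.
    $target = IMPORT_DIR . '/' . bin2hex(random_bytes(16)) . '.csv';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}

function import_csv(mysqli $db, string $path): int
{
    // LOAD DATA takes the file name as a quoted string literal, so escape it
    // even though $path is server-generated (defence in depth).
    $sql = sprintf(
        "LOAD DATA LOCAL INFILE '%s' INTO TABLE tablename "
        . "FIELDS TERMINATED BY ',' IGNORE 1 LINES",
        $db->real_escape_string($path)
    );
    if (!$db->query($sql)) {
        throw new RuntimeException('Import failed: ' . $db->error);
    }
    return (int) $db->affected_rows;
}

if (isset($_FILES['fileupload'])) {
    mysqli_report(MYSQLI_REPORT_OFF);           // errors are checked by hand here
    $db = mysqli_init();
    // LOCAL INFILE must be enabled on the client before connecting.
    $db->options(MYSQLI_OPT_LOCAL_INFILE, 1);
    if (!$db->real_connect('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME')) {
        exit('Database connection failed');
    }
    $path = store_upload($_FILES['fileupload']);
    try {
        printf("Imported %d rows\n", import_csv($db, $path));
    } finally {
        unlink($path);                          // stored copy is only needed for the import
    }
}
```

The MySQL server must also permit local_infile for the import to run.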