Untitled

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();
?>

<?php
if(isset($_POST['submit'])){
move_uploaded_file($_FILES['file']['tmp_name'],"pictures/".$_FILES['file']['name']);
$con = mysqli_connect("localhost","root","","secure_login");
$q = mysqli_query($con,"UPDATE users SET image = '".$_FILES['file']['name']."' WHERE username = '".$_SESSION['username']."'");
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Secure Login: Protected Page</title>
<link rel="stylesheet" href="css/me.css" />
<link href='http://fonts.googleapis.com/css?family=Open+Sans:400italic,400,300,700' rel='stylesheet' type='text/css'>
</head>
<body>
<div id="wrap">
<?php if (login_check($mysqli) == true) : ?>
<p id="meusername"><?php echo htmlentities($_SESSION['username']); ?>!</p>
<p>
This is an example protected page.  To access this page, users
must be logged in.  At some stage, we'll also check the role of
the user, so pages will be able to determine the type of user
authorised to access the page.

<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" name="submit">
</form>
<?php
$con = mysqli_connect("localhost","root","","secure_login");
$q = mysqli_query($con,"SELECT * FROM members");
while($row = mysqli_fetch_assoc($q)){
echo $row['username'];
if ($row['image'] == ""){
echo "<img width='100' height='100' src='pictures/default.jpg' alt='Default Profile Pic'>";
} else {
echo "<img width='100' height='100' src='pictures/".$row['image']."' alt='Profile Pic'>";
}
echo "<br>";
}
?>

</p>
<p>Return to <a href="includes/logout">login page</a></p>
<?php else : ?>
<p>
<span class="error">You are not authorized to access this page.</span> Please <a href="index">login</a>.
</p>
<?php endif; ?>
</div>
</body>
</html>