26 replies to this topic

[Bubblychaz]

So I changed host today and now my image upload script isnt working.. can someone help please

form is:

Spoiler

<FORM ACTION="upload.pro.php" enctype="multipart/form-data" METHOD=POST>
<table width="366" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="2"><center>Upload An Image</center></td>
</tr>
<tr>
<td>Made By:</td>
<td><input type="text" name="madeby" value="<? echo $check["username"] ?>"></td>
</tr>
<tr>
<td>You are?:</td>
<td><input type="text" name="submitted" value="<? echo $check["username"] ?>"></td>
</tr>

<tr>
<td>Name of Graphic:</td>
<td><input type="text" name="name" value=""></td>
</tr>
<tr>
<td>Filed Under:</td>
<td><select name="filedunder">
<option value="avatars">Avatar</option>
<option value=backgrounds>Background</option>
<option value=banners>Banner</option>
<option value=blinkies>Blinkie</option>
<option value=buttons>Button</option>
<option value=gallerys>Gallery Layout</option>
<option value=glitters>Glitter</option>
<option value=guides>Guide Image</option>
<option value=guilds>Guild Layout</option>
<option value=misc> Miscellaneous</option>
<option value=nbhelp>NeoBoard Help</option>
<option value=petlookups>Pet Lookup</option>
<option value=petpages>PetPage Layout</option>
<option value=shields>Shield</option>
<option value=shops>Shop Layout</option>
<option value=tutorials>Tutorial Image</option>
<option value=userlookups>User Lookup</option>
</select></td>
</tr>
<tr>
<td>Upload Image:</td>
<td><input type="file" name="Image"></td>
</tr>

<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="2"><center><font size="-1"><i>
<input type="submit" name="Submit" value="Add">
</i></font></center></td>
</tr>
</table></FORM>

then the action page is

Spoiler

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $HTTP_POST_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }


$directoryName2 = "$baseurl/images/$filedunder";

if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }




if (!eregi("$images/", $HTTP_POST_FILES['Image']['type']) )

{

die("


Please only use image files");


}



if ((!$name) OR (!$filedunder) OR (!$Image))

{


die("Please dont leave blank info");

}




else

{

mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");



$insert_id = mysql_insert_id();



$image = $insert_id . "img.png";



mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");





$file = $HTTP_POST_FILES['Image']['tmp_name'];


$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';



copy($file, $dest);




die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");


}

I dont know if it matters but, the form is on a subdomain and then upload directory is off the sub-domain

$baseurl = "http://www.spardel.com/";

Once I upload an image I get "Please only use image files"

Edited by Bubblychaz, 15 November 2012 - 07:43 PM.

[Pikachu2000]

$HTTP_POST_FILES is deprecated and should be updated to $_FILES. Make that change, then try again and see if it makes a difference. Also, ereg functions should be changed to preg functions. Those will stop working in a future version of php too.

[Bubblychaz]

Okay done that,

before changing the eregi the script would update the database but not upload the file...

After changing both files and preg, It will still give the error please only use image file

Spoiler

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");}
else
{ mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();
$image = $insert_id . "img.png";
mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
copy($file, $dest);
die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}

I removed this completely
if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

And it went through and said it added, though the image didnt upload, the script added the correct info to the database.

Edited by Bubblychaz, 17 November 2012 - 04:25 PM.

[Adam]

$images/ is not a valid PCRE, however you don't need to use a regex here. Just use:

if (strpos($_FILE['Image']['type'], 'images/') !== 0) {
    // ...
}

[Bubblychaz]

$images/ is not a valid PCRE, however you don't need to use a regex here. Just use:

if (strpos($_FILE['Image']['type'], 'images/') !== 0) {
// ...
}

Sorry this has confused me can you explain more please

Where am I putting this? What it replaces? And What does it do?

I am still learning

Edited by Bubblychaz, 19 November 2012 - 08:13 AM.

[Adam]

Take a look at the manual for strpos() - it checks the position of a string within another. In this case if the return value is not 0 (i.e. the string "images/" is not at position 0 within the file type,) run that code. Given we can do that, there's no need for the overhead of a regex just to check if a string starts with something.

PCRE stands for Perl-Compatible Regular Expression, and is syntactically different to POSIX regular expressions (used by the ereg functions). You can't just change the function name to convert to PCRE from POSIX.

Edited by Adam, 19 November 2012 - 08:33 AM.

[Bubblychaz]

Ok Thanks. So I would do something like:

if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

replaced with
if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }

? Or Am I misunderstanding?

[AyKay47]

Ok Thanks. So I would do something like:

if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

replaced with
if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }

? Or Am I misunderstanding?

You are correct.
However as a note, only use the die() function during development and not for production. Not very user friendly.

[Bubblychaz]

Well just tested it as

Spoiler

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");}
else
{ mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();
$image = $insert_id . "img.png";
mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
copy($file, $dest);
die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}

And Im still getting the please only use image files error..


Also what would I use instead of Die?

[Adam]

Add:

print_r($_FILES); exit;

.. To the top of your script and post us the output, within [code][/code] tags (those spoiler tags you're using don't display in a fixed-width font.)

Although you should be aware your script has security issues with it. For a start, the file type can be spoofed so it's not reliable to verify the actual file type. Also you're blindly inserting values into the database without escaping them.

Edited by Adam, 19 November 2012 - 08:50 AM.

[Bubblychaz]

Array ( [Image] => Array ( [name] => zebra.JPG [type] => image/jpeg [tmp_name] => /var/tmp/phppBpmma [error] => 0 [size] => 59038 ) )

is printed now.


How do I escape the insert to the database?

How would I make it more secure?

Edited by Bubblychaz, 19 November 2012 - 08:55 AM.

[Adam]

Ah yeah, ha. It's not "image[s]/", just "image/". Missed that! As I said though, you're better off verifying the file extension is valid instead of the file type. Even if it's not actually an image that the user uploads, but it has an image extension, the server will still treat it like an image. Use this:

$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    // ...
}

That parses the file extension from the name, then checks if that extension is not in the array of allowed extensions.

As for the unescaped variables, you just need to run them through mysql_real_escape_string() before use in the query.

Edited by Adam, 19 November 2012 - 09:07 AM.

[Bubblychaz]

I now have in coding

print_r($_FILES); exit;
$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";


$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    // ...
}

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (strpos($_FILE['Image']['type'], 'image/') !== 0) { die("  Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image))
{		     
			  die("Please dont leave blank info");}
else
{		 mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

			    $insert_id = mysql_insert_id();	  
	    $image = $insert_id . "img.png";
 mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
    $dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
 copy($file, $dest);
 die("oooohhhhh It Added!
              <P>
              <B>Take note of this url, as Your uploads page is currently down!!!</b><P>
             <Textarea>www.spardel.com/images/$filedunder/$image</Textarea>    
              ");
}

and the print out is

Array ( [Image] => Array ( [name] => zebra.JPG [type] => image/jpeg [tmp_name] => /var/tmp/phpFbholc [error] => 0 [size] => 59038 ) )

[Adam]

You'll want to remove the print_r() line now, that was just for debugging purposes. Also change "// ..." to a die statement. Though as mentioned, once you get this working, you should replace the die statements with proper error handling.

Edited by Adam, 19 November 2012 - 09:15 AM.

[Bubblychaz]

Ok
its now, (I didnt know what to put)

$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
 die("Statement here");
}

Run the script and got please only use image files

[Adam]

You need to correct the typo in "images/" I mentioned a couple of posts ago. You're type check if still checking for images/, not image/. 

[Bubblychaz]

I cant see any images with the checks, only in the file destination of $baseurl/images/

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";


$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
 die("Statement here");
}

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }

if (strpos($_FILE['Image']['type'], 'image/') !== 0) { die("  Please only use image files"); }

if ((!$name) OR (!$filedunder) OR (!$Image))
{		     
			  die("Please dont leave blank info");}
else
{		 mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

			    $insert_id = mysql_insert_id();	  
	    $image = $insert_id . "img.png";
 mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
    $dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
 copy($file, $dest);
 die("oooohhhhh It Added!
              <P>
              <B>Take note of this url, as Your uploads page is currently down!!!</b><P>
             <Textarea>www.spardel.com/images/$filedunder/$image</Textarea>    
              ");
}

[Adam]

My bad! The code I gave you is wrong, needs to be $_FILES, not $_FILE. Though, I'm surprised you didn't get a PHP notice about that?

[AyKay47]

Bubblychaz, I encourage you to study the code that you have been given so that you may find some of these errors yourself instead of asking as soon as you are thrown an error.

Make sure that you have error_reporting() set to -1 and display_errors() set to 1 or 'on'. That way PHP will let you know when and where something goes wrong so you can debug the code yourself.

[Bubblychaz]

My bad! The code I gave you is wrong, needs to be $_FILES, not $_FILE. Though, I'm surprised you didn't get a PHP notice about that?

That added, But. didnt upload the image to the server?


----

Edit:

I did some work on the script, the script is on a subdomain, I want it to upload the images to a folder in the main domain, So out of curiousity I made a folder in subdomain called images and that is where the images are now uploading too.

Edited by Bubblychaz, 20 November 2012 - 06:52 AM.