Image Upload Script Help


26 replies to this topic

#1 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 15 November 2012 - 07:43 PM

So I changed host today and now my image upload script isn't working... can someone help please?

form is:
Spoiler



then the action page is
Spoiler


I don't know if it matters, but the form is on a subdomain and the upload directory is off the subdomain

$baseurl = "http://www.spardel.com/";

Once I upload an image I get "Please only use image files"

Edited by Bubblychaz, 15 November 2012 - 07:43 PM.


#2 Pikachu2000

Pikachu2000

    I hate everything.

  • Staff Alumni
  • 11,378 posts
  • LocationFuture Independent Republic of Texas
  • Age:106

Posted 15 November 2012 - 08:06 PM

$HTTP_POST_FILES is deprecated and should be updated to $_FILES. Make that change, then try again and see if it makes a difference. Also, ereg functions should be changed to preg functions. Those will stop working in a future version of PHP too.
"Java" is to "Javascript" about the same as "fun" is to "funeral".

Why $_SERVER['PHP_SELF'] is bad. || Why ORDER BY RAND() is bad || Every problem can be solved with rm -rf *


#3 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 17 November 2012 - 04:24 PM

Okay done that,

Before changing the eregi, the script would update the database but not upload the file...

After changing both files and preg, it will still give the error "please only use image file"

Spoiler


I removed this completely
if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

And it went through and said it added. Though the image didn't upload, the script added the correct info to the database.

Edited by Bubblychaz, 17 November 2012 - 04:25 PM.


#4 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 17 November 2012 - 09:31 PM

$images/ is not a valid PCRE, however you don't need to use a regex here. Just use:

if (strpos($_FILE['Image']['type'], 'images/') !== 0) {
    // ...
}


#5 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 08:05 AM

$images/ is not a valid PCRE, however you don't need to use a regex here. Just use:

if (strpos($_FILE['Image']['type'], 'images/') !== 0) {
// ...
}


Sorry, this has confused me. Can you explain more, please?

Where am I putting this? What does it replace? And what does it do?

I am still learning :)

Edited by Bubblychaz, 19 November 2012 - 08:13 AM.


#6 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 19 November 2012 - 08:30 AM

Take a look at the manual for strpos - it checks the position of a string within another. In this case if the return value is not 0 (i.e. the string "images/" is not at position 0 within the file type,) run that code. Given we can do that, there's no need for the overhead of a regex just to check if a string starts with something.

PCRE stands for Perl-Compatible Regular Expression, and is syntactically different to POSIX regular expressions (used by the ereg functions). You can't just change the function name to convert to PCRE from POSIX.

Edited by Adam, 19 November 2012 - 08:33 AM.


#7 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 08:34 AM

Ok Thanks. So I would do something like:

if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

replaced with
if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }

? Or Am I misunderstanding?

#8 AyKay47

AyKay47

    Sick!

  • Members
  • PipPipPip
  • 3,287 posts
  • LocationEast Coast, U.S.
  • Age:24

Posted 19 November 2012 - 08:41 AM

Ok Thanks. So I would do something like:

if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

replaced with
if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }

? Or Am I misunderstanding?


You are correct.
However as a note, only use the die() function during development and not for production. Not very user friendly.
Hola!
I'm not going to hold your hand and write the code for you - ain't nobody got time for that!

#9 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 08:43 AM

Well just tested it as

Spoiler


And I'm still getting the "please only use image files" error...


Also what would I use instead of Die?

#10 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 19 November 2012 - 08:49 AM

Add:

print_r($_FILES); exit;

... to the top of your script and post us the output, within [code][/code] tags (those spoiler tags you're using don't display in a fixed-width font.)

Although you should be aware your script has security issues with it. For a start, the file type can be spoofed so it's not reliable to verify the actual file type. Also you're blindly inserting values into the database without escaping them.

Edited by Adam, 19 November 2012 - 08:50 AM.


#11 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 08:54 AM

Array ( [Image] => Array ( [name] => zebra.JPG [type] => image/jpeg [tmp_name] => /var/tmp/phppBpmma [error] => 0 [size] => 59038 ) )

is printed now.


How do I escape the insert to the database?

How would I make it more secure?

Edited by Bubblychaz, 19 November 2012 - 08:55 AM.


#12 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 19 November 2012 - 09:07 AM

Ah yeah, ha. It's not "image[s]/", just "image/". Missed that! As I said though, you're better off verifying the file extension is valid instead of the file type. Even if it's not actually an image that the user uploads, but it has an image extension, the server will still treat it like an image. Use this:

$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    // ...
}

That parses the file extension from the name, then checks if that extension is not in the array of allowed extensions.

As for the unescaped variables, you just need to run them through mysql_real_escape_string before use in the query.

Edited by Adam, 19 November 2012 - 09:07 AM.
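
The checks Adam describes in posts #10 and #12, taken one step further, as an added example that is not code from any post in this thread. It keeps his extension allowlist, replaces the browser-supplied type with a server-side look at the file's bytes (fileinfo), allowlists the `filedunder` value because it becomes a table and directory name, and uses a PDO prepared statement in place of mysql_real_escape_string. `ALLOWED_CATEGORIES`, the column list and `$imageRoot` are assumptions.

```php
<?php
// Added example, not thread code. Assumes PHP 7.1+ with PDO and fileinfo; names below are assumptions.
const ALLOWED_CATEGORIES = ['pets', 'items']; // hypothetical 'filedunder' values
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns the extension to store the upload under, or null to reject it.
function check_image(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    // $file['type'] comes from the browser; classify the bytes on disk instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return ALLOWED_TYPES[$mime] ?? null;
}

function store_image(PDO $db, array $post, array $file, string $imageRoot): ?string
{
    // A table or directory name cannot be escaped like a value: allowlist it.
    $category = $post['filedunder'] ?? '';
    if (!in_array($category, ALLOWED_CATEGORIES, true)) {
        return null;
    }
    $ext = check_image($file);
    if ($ext === null || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $stmt = $db->prepare("INSERT INTO {$category}img (madeby, name, submitted) VALUES (?, ?, ?)");
    $stmt->execute([$post['madeby'] ?? '', $post['name'] ?? '', $post['submitted'] ?? '']);
    $dir = "$imageRoot/$category"; // a filesystem path, not a URL
    if (!is_dir($dir)) { mkdir($dir, 0755, true); }
    $dest = $dir . '/' . (int) $db->lastInsertId() . 'img.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (PHP_SAPI === 'cli') { // constructed inputs: a 1x1 GIF and a text file, both sent as zebra.JPG
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    $txt = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($txt, 'this is not image data');
    foreach ([$gif, $txt] as $tmp) {
        var_dump(check_image(['name' => 'zebra.JPG', 'type' => 'image/jpeg', 'tmp_name' => $tmp, 'error' => 0]));
        unlink($tmp);
    }
}
```

Run from the command line, this exercises check_image on the two constructed files. store_image only succeeds inside a real upload request, because is_uploaded_file and move_uploaded_file reject files that did not arrive via HTTP POST.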


#13 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 09:12 AM

I now have in coding
print_r($_FILES); exit;
$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";


$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    // ...
}

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (strpos($_FILE['Image']['type'], 'image/') !== 0) { die("  Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image)) {
    die("Please dont leave blank info");
} else {
    mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

    $insert_id = mysql_insert_id();
    $image = $insert_id . "img.png";
    mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
    $file = $_FILES['Image']['tmp_name'];
    $dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
    copy($file, $dest);
    die("oooohhhhh It Added!
              <P>
              <B>Take note of this url, as Your uploads page is currently down!!!</b><P>
             <Textarea>www.spardel.com/images/$filedunder/$image</Textarea>    
              ");
}

and the print out is

Array ( [Image] => Array ( [name] => zebra.JPG [type] => image/jpeg [tmp_name] => /var/tmp/phpFbholc [error] => 0 [size] => 59038 ) )


#14 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 19 November 2012 - 09:14 AM

You'll want to remove the print_r() line now, that was just for debugging purposes. Also change "// ..." to a die statement. Though as mentioned, once you get this working, you should replace the die statements with proper error handling.

Edited by Adam, 19 November 2012 - 09:15 AM.


#15 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 09:17 AM

Ok,
it's now (I didn't know what to put):
$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
 die("Statement here");
}

Ran the script and got "please only use image files"

#16 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 19 November 2012 - 09:20 AM

You need to correct the typo in "images/" I mentioned a couple of posts ago. Your type check is still checking for images/, not image/.

#17 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 19 November 2012 - 09:24 AM

I can't see any images with the checks, only in the file destination of $baseurl/images/


$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";


$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
 die("Statement here");
}

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }

if (strpos($_FILE['Image']['type'], 'image/') !== 0) { die("  Please only use image files"); }

if ((!$name) OR (!$filedunder) OR (!$Image)) {
    die("Please dont leave blank info");
} else {
    mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

    $insert_id = mysql_insert_id();
    $image = $insert_id . "img.png";
    mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
    $file = $_FILES['Image']['tmp_name'];
    $dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
    copy($file, $dest);
    die("oooohhhhh It Added!
              <P>
              <B>Take note of this url, as Your uploads page is currently down!!!</b><P>
             <Textarea>www.spardel.com/images/$filedunder/$image</Textarea>    
              ");
}


#18 Adam

Adam

    Advanced Member

  • Gurus
  • 5,685 posts
  • LocationSheffield / UK

Posted 19 November 2012 - 12:30 PM

My bad! The code I gave you is wrong, needs to be $_FILES, not $_FILE. Though, I'm surprised you didn't get a PHP notice about that?

#19 AyKay47

AyKay47

    Sick!

  • Members
  • PipPipPip
  • 3,287 posts
  • LocationEast Coast, U.S.
  • Age:24

Posted 19 November 2012 - 02:28 PM

Bubblychaz, I encourage you to study the code that you have been given so that you may find some of these errors yourself instead of asking as soon as you are thrown an error.

Make sure that you have error_reporting() set to -1 and display_errors() set to 1 or 'on'. That way PHP will let you know when and where something goes wrong so you can debug the code yourself.

#20 Bubblychaz

Bubblychaz

    Advanced Member

  • Members
  • PipPipPip
  • 38 posts

Posted 20 November 2012 - 06:42 AM

My bad! The code I gave you is wrong, needs to be $_FILES, not $_FILE. Though, I'm surprised you didn't get a PHP notice about that?


That added, but didn't upload the image to the server?


----

Edit:

I did some work on the script. The script is on a subdomain, and I want it to upload the images to a folder in the main domain. So out of curiosity I made a folder in the subdomain called images, and that is where the images are now uploading to.

Edited by Bubblychaz, 20 November 2012 - 06:52 AM.




