
phppup

Members · Posts: 683

Posts posted by phppup

  1. At this point I think I'd better just stick with the areas that have problems I can overcome.

    Perhaps later I'll research the "private" aspect.

    I guess my initial thinking wasn't totally off-base. If I've VALIDATED the file fully, and changed the name anyway, then any malicious efforts should be nullified. So even if a bad intent were initiated, it should be defused.

    But why not let a user name a directory?  Clearly locating the folder contents is not the issue?

    Placement? If I have a designated destination and RegEx naming requirements implemented, is there still a risk that I'm not seeing?

  2. From what I've learned, server validation (with PHP) is the safeguard. 

    Client-side (like JS) is prettier and more user friendly, but also unreliable since it can be easily altered or removed.

    Use both as applicable and practical.

     

    As for your actual issue, there are likely several approaches that could be useful.

    To me, the most obvious would be that you are using a variable $error.

    $error has several messages depending on the input you are validating. 

It seems to be an existing constant throughout your script. So why not utilize it with something like

    Quote

    // assign variables
    $error = "";  // at TOP with other variables

    //// your validations

    if ($error != "") {
        echo "Fix the ERROR that exists";
    } else {
        //// process data
    }

Essentially, you're telling PHP that every error provides a message, so unless there are no messages, do not process.

    If $error is empty (the way it started without being diverted) then there are no messages, which means no errors, and it's then safe to proceed.

    You can use a similar technique with JavaScript.
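The pattern described in this post, written out as an added example (not the poster's code): every check appends to an error list, and processing only runs when that list is empty. The field names, the limits and the process_signup() step are assumptions made for the illustration.

```php
<?php
// Added example: server-side validation that collects every failure and only
// processes the request when none occurred. Field names, limits and the
// process_signup() step are assumptions, not from the original post.

function validate_signup(array $input): array
{
    $errors = [];

    $username = trim($input['username'] ?? '');
    if ($username === '') {
        $errors['username'] = 'Username is required.';
    } elseif (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors['username'] = 'Username must be 3-32 letters, digits or underscores.';
    }

    $email = trim($input['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }

    $age = $input['age'] ?? '';
    $range = ['options' => ['min_range' => 13, 'max_range' => 120]];
    if (filter_var($age, FILTER_VALIDATE_INT, $range) === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }

    return $errors;
}

function process_signup(array $input): string
{
    // Hypothetical processing step; a real application would store the
    // validated data here (with prepared statements, never string-built SQL).
    return 'Welcome, ' . htmlspecialchars($input['username'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST: one clean, one hostile.
$samples = [
    ['username' => 'alice_1',  'email' => 'alice@example.com', 'age' => '34'],
    ['username' => '<script>', 'email' => 'not-an-email',      'age' => '7'],
];

foreach ($samples as $input) {
    $errors = validate_signup($input);
    if ($errors !== []) {
        // Do not process: report every problem at once instead of only the first.
        foreach ($errors as $field => $message) {
            echo "$field: $message\n";
        }
    } else {
        echo process_signup($input), "\n";
    }
}
```

Using an array instead of a single string lets the page show each message beside its own field, while the "process only if empty" check stays a one-line comparison. Client-side checks can mirror the same rules for usability, but this server-side list is the one that decides.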

  3. Am I looking for solutions when no problem exists?

I really thought I read something about a security risk in letting the directory that was home to images become visible.

    There was certainly a cautionary note to NOT let users name directories. I assumed that this (like the name of a file) was to prevent access (if a malicious file were uploaded).

    If none of this matters, why not allow a user to name a folder and retain image names?

    After all, access to the images will be readily available anyway, right?

    Am I not making an obvious connection here?

  4. I want to allow users to upload images and then create a gallery.

    I am already checking file extension and taking other measures to ensure that the file is in fact a real image.

    I am changing the image name, so that even if the file is malicious, it is not easily accessible.

    But I'm not sure of the best way to display the images afterward.

    If images are uploaded to the XYZ directory, is it wise to display them from that location?

    Is it insecure for an image to be viewed from /blah/blah/blah/XYZ/renamedimg.jpg ?  What is the safest way to approach this?

  5. I thought that after a fully sanitizing scrub of uploaded images, a simple display gallery would suffice.

    Then I was advised to change image names and rename directories for added security.

    Yet after all these precautions, it seems it's still insecure to exhibit user images?

    I recall a suggestion to have images SERVED (rather than using HTML <img> tag), but cannot find a method, starting point, or clear rationale for this.

    Guidance, advice, and insight to point me in the right direction, please.

  6. I've got a better idea, since you've stated:

    Quote

    I've already mentioned that this work is pretty darn simple.

    Why don't you give me a reasonable solution to my issue in the form titled "imagecreatefromjpeg failure"?

    That would make you a helpful contributor.

  7. I think you need to understand how websites are built.

But it's late and I'm tired, and I still cannot figure out why only some of my images cause an error on upload.

    Nonetheless, we put files into folders. For the most part, there is a logical method so that WE can find them to edit, update, etc.

    My webpage is my grocery cart. It has ice cream and meats and fruits and vegetables.

    I TRY to bag my items so the stuff for the freezer, fridge, pantry, and fruit bowl are nicely organized.

    Sometimes the bags get too full, often I get confused, occasionally items spill into other bags. And maybe I get candy.

    As long as everything makes it home, I'm happy.

    And as long as my web link gets the user to the right page, I really don't care if the can of soup is in with the frozen food.

  8. How is that possible if the other two test files originate from the same folder? Clearly it (and the path) exists.

    How can I drill down for a deeper explanation?

     

    Also, I've realized that some images do not refresh unless browser history / cache is cleared.

Research seems to point to using no-cache headers or a flush directive. What is the best/suggested method?

From my experience (which is much less extensive than Barand's), double quotes vs. single quotes are mostly, but NOT ALWAYS, a matter of personal preference.

    There are definitely guidelines for dealing with strings and certain other specifics, but GENERALLY, either one will accomplish a task (as long as you remain consistent in your usage).

    To dissect your example:

    $var = 'value';  //since value is a non-numerical text the quotes are required

    echo 'value';  //simply tells PHP that you want the text inside the quotes to be displayed

    echo '$var';  //indicates that you want the item in the quotes (which translates to a variable value, in this case) to be displayed.

    echo " 'var' ";  //would tell PHP to display the text value surrounded by the first set of quotes (the double quotes) and the $ will inform PHP to use the variable The expected result would be 'var' (although you may trigger an error bc you didn't handle the single quotes as special characters)

    Taken further, if you coded:

    echo "The variable 'var'    is a test";   //it would display the exact sentence WITH the awkward spacing.

    echo 'The variable "var"    is a test';  //would duplicate above

    BUT

    echo "The variable '$var' is a test";  //would INTEGRATE the text and the VARIABLE with the result of:

    The variable 'value' is a test

    echo "The variable " . $var . " is a test";  //would INTEGRATE the text and the VARIABLE with the result of:

    The variable value is a test

    Best if you play around with the variations on your own.

    And then follow up with error checking and handling of special characters.

  10. I've cleaned up a few things, but this error message remains:

    Warning:....failed to open stream: No such file or directory in...

    I am simultaneously uploading three jpeg files from the same folder during my development / testing and this is the ONLY image that is being rejected.

    Reason? Explanation? Solution?

    Thanks.

  11. For 1 - okay. How can I force an error message just to see how it appears?

For 2 - ok, but why does

    echo $im;

    give me the string beginning with Resource? (I honestly wasn't expecting that result).

    How can I go deeper to determine WHY a (perfectly good) image failed?

Quote

    $im = @imagecreatefromjpeg($file);

    if ($im == "") {
        echo "1";
    } else {
        echo "00";
    }

    // See if it failed
    if (!$im) {
        echo "running";

        // Unaltered manipulation code from https://www.php.net/manual/en/function.imagecreatefromjpeg.php
    }

    //// return $im;

    // displays RESOURCE ID
    echo "<br> im is " . $im;
    echo "<br>";

    header('Content-Type: image/jpeg');

    // imagejpeg($img);
    imagejpeg($im, $file);

    echo "<img src='" . $file . "'>";

    My messages that seem in conflict with the result are

    Quote

    1runningi

    im is Resource id #19

    Is there a way to validate WHY this result was given by the function?

  13. After working with the sample imagecreatefromjpeg provided in the PHP manual, I successfully got a result (after clearing my cache) from

    Quote

    imagecreatefromjpeg($im, $file);

    I've gotten a good education after navigating this function over the past week, and loaded it with ECHO messages to give me insight.

    Everything was going fine.

    And then, this ONE test image came along.

Apparently, the image (which is as good a jpeg as I can find) FAILS the if(!$im) test.

    When I used echo $im;  

I discovered that when images pass through the function, they receive a "Resource" name.

    Images that FAIL are NOT named.

    This image gets a Resource name, yet FAILS. Is there a problem with my logic? A problem with the image? What would cause this? How can I verify?
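A way to get the "WHY" asked for in the two posts above, as an added example (not the poster's code). Two points it relies on are facts about GD rather than assumptions: imagecreatefromjpeg() signals failure by returning false, so `=== false` is the reliable test, and the manual's sample loader builds a small placeholder image with imagecreatetruecolor() when the load fails, which is why a failed load can still leave a "Resource id #N" (PHP 7) or a GdImage object (PHP 8) in $im. The probe below keeps the warning GD emits instead of hiding it with @, and reports what the bytes really are. The file paths are made up for the illustration.

```php
<?php
// Added example: probe why imagecreatefromjpeg() rejects a file, and test the
// result the way GD actually reports failure (=== false). Paths are assumptions.

function probe_jpeg(string $path): array
{
    $report = ['path' => $path];

    if (!is_file($path)) {                   // "failed to open stream": wrong path or name
        $report['problem'] = 'file does not exist at this path';
        return $report;
    }
    if (!is_readable($path)) {
        $report['problem'] = 'file exists but the web server user cannot read it';
        return $report;
    }

    // What the bytes really are, independent of the extension.
    $report['mime'] = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $info = @getimagesize($path);
    $report['dimensions'] = $info ? $info[0] . 'x' . $info[1] : null;

    // Capture GD's warning text instead of suppressing it with @.
    $warning = null;
    set_error_handler(function (int $no, string $msg) use (&$warning): bool {
        $warning = $msg;
        return true;
    });
    $im = imagecreatefromjpeg($path);
    restore_error_handler();

    if ($im === false) {                     // the only reliable failure test
        $report['problem'] = 'GD could not decode it: ' . ($warning ?? 'no message');
        return $report;
    }

    // PHP 8 returns a GdImage object; PHP 7 returned a resource ("Resource id #N").
    $report['handle'] = is_object($im) ? get_class($im) : get_resource_type($im);
    imagedestroy($im);
    $report['problem'] = null;
    return $report;
}

// Constructed paths: a real JPEG, a PNG renamed to .jpg, and a missing file.
foreach (['/tmp/test/good.jpg', '/tmp/test/renamed-png.jpg', '/tmp/test/missing.jpg'] as $f) {
    print_r(probe_jpeg($f));
}
```

A file whose MIME type comes back as image/png or image/webp with a .jpg name is the usual reason a "perfectly good" picture fails imagecreatefromjpeg(): the decoder is right, the extension is lying. A missing path or a permissions problem shows up as the first two checks rather than as a decode error.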

  14. There's LOTS of stuff online about arrays. And you aren't going to do better than Barand.

If you've already got an established array, you might try using print_r() [there are online resources to explain its functionality]. This will give you a visual representation that may help you understand the array's design.

    Don't forget that arrays begin with zero (ie: my_array[1] is the SECOND item).

    The first item WITHIN my_array[1] would be found by using

    my_array[1][0]

    Finding the third item in an assortment within my_array[1][0] would be accomplished with 

    my_array[1][0][2]

    Etc, etc, etc.

    Or, if you hate arrays, why not use a variable for each question?

    $question1 = "who";

    $question2 = "when";

    $question2a = "when in morning";

    $question2b = "when at night";

$question3 ... etc.

  15. At first glance I have two questions that come to mind.

    First, why are you using the query SELECT * (asterisk gives ALL values) if you want ONLY values for a specific user?

    Perhaps, SELECT item, next item, etc WHERE username = $username would be more defining. (You can research "php select where" for better understanding)

    Also, I don't see anywhere that you are specifying which user's information you want displayed.

    Maybe I missed something, but I hope this is helpful.
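Post 9 above covers how single and double quotes interpolate, and post 15 suggests `WHERE username = $username`; the added example below (not code from either poster) puts the two together to show what that interpolation does when the value is user-controlled, beside the prepared-statement form. It uses an in-memory SQLite database so it runs offline; the users table and its rows are constructed for the example.

```php
<?php
// Added example (not from the original posts): quoting and interpolation in
// PHP, and why interpolating $username into a SELECT is an injection bug.
// Uses an in-memory SQLite database; the table and rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

$var = 'value';
// Single quotes are literal: the text $var stays as typed.
echo 'The variable $var is a test', "\n";
// Double quotes interpolate: $var is replaced by its contents, quotes around it are kept.
echo "The variable '$var' is a test", "\n";

// Vulnerable: the value becomes part of the SQL text, exactly like the string above.
function find_user_unsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound as a parameter and cannot change the query's structure.
function find_user_safe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$attack = "x' OR '1'='1";   // constructed hostile input

echo count(find_user_unsafe($pdo, 'alice')), " row(s) for alice (string-built query)\n";
echo count(find_user_unsafe($pdo, $attack)), " row(s) for the injected value (string-built query)\n";
echo count(find_user_safe($pdo, $attack)), " row(s) for the same value (prepared statement)\n";
```

With the string-built query the injected value turns the WHERE clause into `username = 'x' OR '1'='1'`, which matches every row; the prepared statement compares the whole hostile string to the column and matches none. Selecting only the columns you need, as post 15 suggests, is good practice, but it is the parameter binding that closes the hole.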

     

You're correct. The explanation is confusing.

    But if you're trying to $_POST a specific time, you don't even need to bother with hiding it in HTML.

    Just create it as a variable in your PHP and insert it from there.

There is A LOT of information on dates and times and their notation on the web.  (The PHP manual and W3 sites are popular.)

  17. I'm not the best resource on the block, but hopefully my experience can lead you in the right direction.

From what I see, your problem is in this line (which, btw, is doing exactly what you've designed it to do):

    Quote

    $query = "INSERT INTO list(images) VALUES ('$name')";

    You need to understand different concepts here.

    First, what the UPLOAD code is doing is to grab a bunch of images (after overcoming your first problem in the post), get their names, check their extension and eventually insert into the db.

    The catch is that it's grabbing the BUNCH and then going through this process FOR EACH; singularly.

    One by one, the BUNCH is being handled and reviewed and ultimately inserted into the db until the same process repeats for the next image in the bunch.

    Unless the image is rejected (ie: not a valid extension) it is written into the db on a new row. Then the loop goes back to the top for the next image.

     

Second, your QUERY is inserting into a column called NAME.  (Do you want the images to sit on each other's laps??? Of course not.) If you truly want 3 images in one row (I wouldn't recommend it) then, at the very least, you would need to add fields that they could be placed into; presumably name2 and name3.

    Then it would be up to you to modify the code to either UPDATE the row during loop2 and loop3 OR create a loop that manages 3 cycles before a single INSERT into the db.

    My suggestion would be to expand on what you've got and add fields that will help you regroup the three images later on (ie: username) assuming that's the reason you want then all in one row.

Another question would be whether you can guarantee that nobody has more than 3 images to submit. But if you give each image its own row, and reference the row to an identifier (username), they can submit unlimitedly, and you will be able to reference them accordingly.

  18. Changed my code slightly, but still not getting a successful result

Quote

    foreach ($_FILES['files']['tmp_name'] as $key => $value) {
        if (!empty($value) && is_uploaded_file($value)) {
            // FILE is REAL
            echo "success";
        } else {
            echo "false";
        }
    }

    Does is_uploaded_file merely confirm that the path described is the same path used?

    Does getimagesize() serve any purpose beyond obtaining the MIME type?

    How do I re-create a TIFF file?
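The questions in posts 1, 3, 4, 5, 8 and 18 (renaming, whether users may name directories, displaying from the upload directory, "serving" images instead of linking them, stale caches, and what is_uploaded_file() and getimagesize() actually establish) all come down to one design, shown here as an added example that is not code from any of the posts. The uploaded bytes are sniffed and then decoded with GD, which answers the "is it really an image" question; the re-encoded copy is written under a server-chosen random name into a directory outside the web root, so a user never names a file or a folder and nothing in that directory is reachable by URL; and a separate script streams the file back with a fixed Content-Type. The directory path, the field name `files`, and the 32-hex-character id format are assumptions.

```php
<?php
// Added example (not code from the original posts): validate and re-encode an
// uploaded image, store it under a random name outside the document root, and
// serve it back by id. UPLOAD_DIR, the field name 'files' and the id format
// are assumptions for the illustration.

const UPLOAD_DIR = '/var/www/private_uploads';   // assumed: NOT under the web root
const MAX_BYTES  = 5 * 1024 * 1024;

/**
 * Returns ['id' => ..., 'width' => ..., 'height' => ...] on success or
 * ['error' => ...] on failure. $tmp and $size come from one $_FILES entry.
 */
function store_upload(string $tmp, int $size): array
{
    if (!is_uploaded_file($tmp)) {                 // only PHP's own upload temp file, not an arbitrary path
        return ['error' => 'not an uploaded file'];
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        return ['error' => 'size out of range'];
    }

    // Sniff the real content type; never trust the client-supplied name or extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $info = @getimagesize($tmp);                   // parses the header only; also gives width/height
    if ($info === false || !in_array($mime, ['image/jpeg', 'image/png'], true)) {
        return ['error' => 'not a JPEG or PNG'];
    }

    // Fully decode with GD; a file that merely carries an image header fails here.
    $im = ($mime === 'image/jpeg') ? @imagecreatefromjpeg($tmp) : @imagecreatefrompng($tmp);
    if ($im === false) {
        return ['error' => 'image failed to decode: ' . (error_get_last()['message'] ?? 'unknown')];
    }

    // Random, server-chosen name: the user controls neither path nor extension.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.jpg';

    // Writing a fresh encoding drops appended payloads, comments and EXIF from the original bytes.
    $ok = imagejpeg($im, $dest, 85);
    imagedestroy($im);
    if (!$ok) {
        return ['error' => 'could not write re-encoded image'];
    }
    return ['id' => $id, 'width' => $info[0], 'height' => $info[1]];
}

/**
 * Serves a stored image by id. The id must match the exact format
 * store_upload() produces, so "../" or a foreign extension never reaches the filesystem.
 */
function serve_image(string $id): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id . '.jpg';
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');                          // fixed by the server, not by the upload
    header('X-Content-Type-Options: nosniff');                   // browsers must not second-guess the type
    header('Cache-Control: private, max-age=0, must-revalidate'); // the stale-cache question from post 8
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Upload side: loop over a multi-file field named "files" (assumed), one image per iteration.
if (!empty($_FILES['files']['tmp_name'])) {
    foreach ($_FILES['files']['tmp_name'] as $i => $tmp) {
        if ($_FILES['files']['error'][$i] !== UPLOAD_ERR_OK) {
            echo "file $i: upload error code " . $_FILES['files']['error'][$i] . "\n";
            continue;
        }
        $result = store_upload($tmp, (int) $_FILES['files']['size'][$i]);
        echo "file $i: " . ($result['error'] ?? 'stored as ' . $result['id']) . "\n";
    }
}

// Display side: the gallery emits <img src="image.php?id=..."> and image.php runs this.
if (isset($_GET['id'])) {
    serve_image((string) $_GET['id']);
}
```

This is the "served rather than `<img>` to a directory" arrangement post 5 asks about: the `<img>` tag is still used, but its src points at the script, not at a file. With the bytes re-encoded and the type pinned by the server, exposing the image is safe; what the private directory and random names buy is that no upload can ever be requested as anything other than a JPEG, and an attacker cannot guess or choose where a file lands. is_uploaded_file() only confirms the path is a file PHP itself received in this request; getimagesize() reads the header for type and dimensions but does not prove the whole file decodes, which is why the GD decode step is kept.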
