savagenoob Posted January 1, 2009 Share Posted January 1, 2009 OK, I already know this to be bad practice and will be flamed. But please help if possible. I can upload files perfectly, but when I try to download them it open the application such as Excel or Adobe but says the file is corrupt and cannot be opened. I will post both my upload and download script as I don't know which one is causing the file to corrupt, but most likely the download script. I am running it locally and looked in my Apache and PHP .ini files and they seem to be setup for upload and download, but maybe not. The only file type I can download is a .txt file. Any help/ideas will be greatly appreciated. Here is my upload script: <?php $fileName = $_FILES['userfile']['name']; $tmpName = $_FILES['userfile']['tmp_name']; $fileSize = $_FILES['userfile']['size']; $fileType = $_FILES['userfile']['type']; $File = preg_replace("/[&'_ ]/","",$fileName); // strip whitespace and special characters $fp = fopen($tmpName, 'r'); $content = fread($fp, filesize($tmpName)); $content = addslashes($content); fclose($fp); if(!get_magic_quotes_gpc()) { $File = addslashes($File); } require_once('config.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } $ClientID = $_POST['clientid']; $query = "INSERT INTO upload (name, size, type, content, ClientID) ". "VALUES ('$File', '$fileSize', '$fileType', '$content', '$ClientID')"; $result = mysql_query($query); echo $query; echo "<br>File $fileName uploaded<br>"; ?> And my download script: <?php if(isset($_GET['id'])) { require_once('config.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } $id = $_GET['id']; $query = "SELECT name, type, size, content " . "FROM upload WHERE id = '$id'"; $result = mysql_query($query) or die("Couldn't get file list"); list($name, $type, $size, $content) =mysql_fetch_array($result); header("Content-type:$type"); header("Content-length:$size"); header("Content-Disposition: attachment; filename=$name"); echo $content; exit; } ?> Quote Link to comment Share on other sites More sharing options...
ucffool Posted January 2, 2009 Share Posted January 2, 2009 You are doing: $content = addslashes($content); Yet not doing stripslashes() before outputting it. Not sure if that's your only issue, but it's a start. Quote Link to comment Share on other sites More sharing options...
savagenoob Posted January 2, 2009 Author Share Posted January 2, 2009 OK, I modified the download file to stripslashes but still not working. I did it right before the echo, here is the script: list($name, $type, $size, $content)=mysql_fetch_array($result); header("Content-type:$type"); header("Content-length:$size"); header("Content-Disposition: attachment; filename=$name"); $content = stripslashes($content); echo $content; Is it necessary to addslashes on the upload? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 2, 2009 Share Posted January 2, 2009 What does a phpinfo() statement show for magic_quotes_gpc and magic_quotes_runtime? Your upload code is doing addslashes() twice if magic_quotes_gpc is off, which could mean that your data has double escape characters. There is actually a second problem in that magic_quotes_gpc has nothing to do with uploaded files. However, magic_quotes_runtime does affect fread(). Your upload code should actually be turning off magic_quotes_runtime and then using mysql_real_escape_string() on the file data before the data is put into the database. Your download code should be turning off magic_quotes_runtime and then it only needs to retrieve the data and output it (after the proper headers have been sent.) Quote Link to comment Share on other sites More sharing options...
savagenoob Posted January 2, 2009 Author Share Posted January 2, 2009 :-\ They are both turned on... What is the code to turn them off? Thanks for the help... Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 2, 2009 Share Posted January 2, 2009 If you have access to the master php.ini, you can turn them off in the master php.ini (stop and start your web server to get any changes made to php.ini to take effect.) If php is running as an Apache module (and your web host allows you to change the values), you can put php_flag statements in a .htaccess file. If php is running as a CGI application (and your web host allows you to change the values), you can put assignment statements in a local php.ini. You can also turn off magic_quotes_runtime in your script using a set_magic_quotes_runtime statement. Quote Link to comment Share on other sites More sharing options...
savagenoob Posted January 2, 2009 Author Share Posted January 2, 2009 I just turned them both off in php.ini... ran the file through mysql_real_esape_string() and now the file name is disappearing ??? I used the old magic gpc way and uploaded a file and here is the $query output... alot of slashes... INSERT INTO upload (name, size, type, content, ClientID) VALUES ('ProducerApplication.pdf', '1768513', 'application/pdf', '%PDF-1.3 3 0 obj << /Type /XObject /Subtype /Image /Filter /DCTDecode /Width 1654 /Height 2153 /Length 371338 /BitsPerComponent 8 /ColorSpace /DeviceRGB >> stream ÿØÿà\\0JFIF\\0\\0\\0È\\0È\\0\\0ÿþ\\0LEAD Technologies Inc. V1.01\\0ÿÛ\\0„\\0 \\\"$$\\\"!!&+7.&(4)!!0A049:=>=%.CHC”\\0˜ôÇå@ ÓŠ\\0(h(\\0 \\0Ð@\\0(h(\\0 €€P@\\0\\0b€ \\0(\\0 €@J\\0Z\\0J\\0(\\0J\\0Z\\0J\\0(\\0 €PPŠ\\0(\\0 €\\01@\\0\\0b€ \\01ƒ@ @ @\\0\\0P\\0FqÉ €€\\01@\\0àP@ @ @\\0\\0P@\\0\\0£Š\\0J\\0(\\0 \\0P@J\\0 etc etc I still have the stripslashes on the content, shouldnt that get rid of them? Im a noob so bear with me. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 2, 2009 Share Posted January 2, 2009 Did you verify that the settings are off using a phpinfo() statement? Quote Link to comment Share on other sites More sharing options...
savagenoob Posted January 2, 2009 Author Share Posted January 2, 2009 Yeah, Im an idiot... I forgot to restart Apache Its getting late... Now its half way working. Now it is only saying SOME of the data is corrupt. I uploaded an Excel spreadsheet and it worked... but a PDF i uploaded came out crazy looking and a word doc said some data was corrupt and wouldnt open. Im suspecting a missing argument in my header information... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.