Upload


rcharris

Hi there

This is probably a really simple PHP Question for someone who knows what they're doing, and that's not me.

I'm building a really simple PHP Content Management System, and I haven't got the faintest how to implement an Image Upload into the following code:

[quote]<?php
session_start();
if(!$_SESSION['username']){
header("Location: login.php");
exit();
}
include('../includes/config.inc.php');
include('../includes/dbconnect.inc.php');

if($_GET['delete']){
$sql = "DELETE FROM `portfolio` WHERE id='" . $_GET['delete'] . "'";
$result = mysql_query($sql) or die ("<b>ERROR: </b>" . mysql_error() . "<b>SQL: </b>$sql");
header("Location: pages.php");
exit();
}
?>
<html>
<head>
<title>NOBA Admin - Add or Edit News Story</title>
<meta http-equiv="description-Type" description="text/html;">
<style type="text/css">
<!--
.style1 {font-size: 14px}
-->
</style>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_jumpMenu(targ,selObj,restore){ //v3.0
  eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
  if (restore) selObj.selectedIndex=0;
}
//-->
</script>
</head>
<body>
<form  id="editArticleForm"  name="editArticleForm"    method="post" action="<?=$_SERVER['PHP_SELF'];?>"  enctype="multipart/form-data" >
  <table width="100%"  border="0" cellspacing="0" cellpadding="0">
                <tr>
                  <td><div align="center">
              <?php
if(!isset($_POST['Submit'])){
$id = $_GET['edit'];
$sql = "SELECT * FROM `news` WHERE id='$id'";
$result = mysql_query($sql) or die ("<b>ERROR: </b>" . mysql_error() . "<b>SQL: </b>$sql");
$rows = mysql_num_rows($result);
while ($news = mysql_fetch_array($result)) {
$news_title = $news["title"];
$news_content = $news["content"];
                        $news_picturename = $news["picturename"];
$news_alt = $news["alt"];
$news_url = $news["url"];
}
  ?>
                  <img src="assets/toplogo.gif" width="771" height="127"></div></td>
                </tr>
  </table>
              <table width="589" height="414" border="0" align="center" cellpadding="3" cellspacing="1">
                <tr>
                  <td bgcolor="#000033"><strong> <img src="assets/title.gif" width="30" height="12"></strong></td>
                  <td><input name="title" type="text" class="txtboxlrg" value="<?=$news_title;?>" size="50"></td>
                </tr>
                <tr>
                  <td valign="top" bgcolor="#000033"><strong> <img src="assets/story.gif" width="38" height="15"></strong></td>
                  <td><textarea name="content" cols="50" rows="22" class="txtboxlrg" id="content" width="472"><?=$news_content;?>
                  </textarea></td>
                </tr>
                <tr>
                  <td valign="top" bgcolor="#000033"><strong> <img src="assets/pic_filename_and_ext.gif" width="178" height="12"></strong></td>
                  <td>[b]I NEED IT HERE. [/b]</td>
                </tr>
                <tr>
                  <td width="218" bgcolor="#000033"><strong> <img src="assets/alt_tag.gif" width="53" height="12"></strong></td>
                  <td width="484"><input name="alt" type="text" class="txtboxlrg" id="alt" value="<?=$news_alt;?>" size="50"></td>
                </tr>
                <input name="id" type="hidden" value="<?=$id;?>">

                <tr>
                  <td bgcolor="#000033"><p><strong> <img src="assets/url.gif" width="53" height="12"></strong></p></td>
                  <td align="center" class="header2"><div align="left">
                    <input name="url" type="text" class="txtboxlrg" id="url" value="<?=$news_url;?>" size="50">
                  </div></td>
                </tr>
                <tr>
                  <td></td>
                  <td align="center" class="header2"><input name="Submit" type="submit" onFocus="this.blur();" value="Update"></td>
                </tr>
  </table>
</form>
<?php
} else {
if((!$_POST['title']) || (!$_POST['content']) || (!$_POST['picturename']) || (!$_POST['alt']) || (!$_POST['url'])){
echo "You are missing a required field, please <a href=\"javascript:history.back()\">go back</a> and correct before proceeding!";
} else {
if($_POST['id']){
$sql = "UPDATE `news` SET title='" . $_POST['title'] . "', content='" . $_POST['content'] . "', picturename='" . $_POST['picturename'] . "', alt='" . $_POST['alt'] . "', url='" . $_POST['url'] . "', author='" . $_SESSION['firstname'] . " " . $_SESSION['lastname'] . "', updated=NOW() WHERE id = '" . $_POST['id'] . "'";
$result = mysql_query($sql) or die ("<b>ERROR: </b>" . mysql_error() . "<b>SQL: </b>$sql");
echo "news \"" . $_POST['title'] . "\" updated successfully - return to <a href=\"news.php\" onFocus=\"this.blur();\">news</a>!";
} else {
$sql = "INSERT INTO `news`  ( `id` , `title` , `content` , `picturename` , `alt` , `url` , `author`,  `added` ) VALUES('', '" . $_POST['title'] . "', '" . $_POST['content'] . "', '" . $_POST['picturename'] . "', '" . $_POST['alt'] . "', '" . $_POST['url'] . "', '" . $_SESSION['firstname'] . " " . $_SESSION['lastname'] . "', NOW())";
$result = mysql_query($sql) or die ("<b>ERROR: </b>" . mysql_error() . "<b>SQL: </b>$sql");
$id = mysql_insert_id();
echo "Story \"" . $_POST['title'] . "\" added successfully - return to <a href=\"news.php\" onFocus=\"this.blur();\">news</a> or view <a href=\"../index.php?news=" . $id . "\" onFocus=\"this.blur();\">news here</a>!";
}
}
}
?>
</body>
</html>
[/quote]

I have bolded out where I need the code, and have written I NEED IT HERE. Is it possible that one of you helpful chaps here could please write me a little bit of code to help me do this, but explaining it on the way? I need the image to upload to a directory, with the image name with extension being submitted to the database field, "picturename" which I have already inputted.

I will be ever so grateful, thank you in advance


Richard Harris

Please use the following code
<?php
  session_start();
  if(!$_SESSION['username']){
        header("Location: login.php");
        exit();
      }
  include('../includes/config.inc.php');
  include('../includes/dbconnect.inc.php');
 
if($_GET['delete'])
{
  $sql = "DELETE FROM `portfolio` WHERE id='" . $_GET['delete'] . "'";
  $result = mysql_query($sql) or die ("ERROR: " . mysql_error() . "SQL: $sql");
  header("Location: pages.php");
  exit();
}
?>
<html>
<head>
<title>NOBA Admin - Add or Edit News Story</title>
<meta http-equiv="description-Type" description="text/html;">
<style type="text/css">
<!--
.style1 {font-size: 14px}
-->
</style>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_jumpMenu(targ,selObj,restore){ //v3.0
  eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
  if (restore) selObj.selectedIndex=0;
}
//-->
</script>
</head>
<body>
<form  id="editArticleForm"  name="editArticleForm"    method="post" action="<?=$_SERVER['PHP_SELF'];?>"  enctype="multipart/form-data" >
  <table width="100%"  border="0" cellspacing="0" cellpadding="0">
                <tr>
                  <td><div align="center">
              <?php
            if(!isset($_POST['Submit'])){
              $id = $_GET['edit'];
              $sql = "SELECT * FROM `news` WHERE id='$id'";
              $result = mysql_query($sql) or die ("ERROR: " . mysql_error() . "SQL: $sql");
              $rows = mysql_num_rows($result);
              while ($news = mysql_fetch_array($result)) {
                  $news_title = $news["title"];
                  $news_content = $news["content"];
                        $news_picturename = $news["picturename"];
                  $news_alt = $news["alt"];
                  $news_url = $news["url"];
                  }     
          ?>
                  <img src="assets/toplogo.gif" width="771" height="127"></div></td>
                </tr>
  </table>
              <table width="589" height="414" border="0" align="center" cellpadding="3" cellspacing="1">
                <tr>
                  <td bgcolor="#000033"><strong> <img src="assets/title.gif" width="30" height="12"></strong></td>
                  <td><input name="title" type="text" class="txtboxlrg" value="<?=$news_title;?>" size="50"></td>
                </tr>
                <tr>
                  <td valign="top" bgcolor="#000033"><strong> <img src="assets/story.gif" width="38" height="15"></strong></td>
                  <td><textarea name="content" cols="50" rows="22" class="txtboxlrg" id="content" width="472"><?=$news_content;?>
                  </textarea></td>
                </tr>
                <tr>
                  <td valign="top" bgcolor="#000033"><strong> <img src="assets/pic_filename_and_ext.gif" width="178" height="12"></strong></td>
                  <td><input type="file" name="picturename" class="txtboxlrg"></td>
                </tr>
                <tr>
                  <td width="218" bgcolor="#000033"><strong> <img src="assets/alt_tag.gif" width="53" height="12"></strong></td>
                  <td width="484"><input name="alt" type="text" class="txtboxlrg" id="alt" value="<?=$news_alt;?>" size="50"></td>
                </tr>
                <input name="id" type="hidden" value="<?=$id;?>">

                <tr>
                  <td bgcolor="#000033"><p><strong> <img src="assets/url.gif" width="53" height="12"></strong></p></td>
                  <td align="center" class="header2"><div align="left">
                    <input name="url" type="text" class="txtboxlrg" id="url" value="<?=$news_url;?>" size="50">
                  </div></td>
                </tr>
                <tr>
                  <td></td>
                  <td align="center" class="header2"><input name="Submit" type="submit" onFocus="this.blur();" value="Update"></td>
                </tr>
  </table>
</form>
        <?php
            } else {
                  // A file input arrives in $_FILES, not $_POST, so the picture is checked there
                  if((!$_POST['title']) || (!$_POST['content']) || (!$_FILES['picturename']['name']) || (!$_POST['alt']) || (!$_POST['url'])){
                    echo "You are missing a required field, please <a href=\"javascript:history.back()\">go back</a> and correct before proceeding!";
                  } else {
// Added for the upload: $uploadfile ends up in the picturename column below
$uploadfile="";
if(is_array($_FILES)&&$_FILES['picturename']['name'])
  {
$uploaddir = '/var/www/uploads/';//Please set this value accordingly and give the write permissions for this directory
// basename() drops any directory part of the name sent by the browser
$uploadfile = $uploaddir . basename($_FILES['picturename']['name']);
// move_uploaded_file() only moves files that arrived through an HTTP upload
if(move_uploaded_file($_FILES['picturename']['tmp_name'],$uploadfile))
  {
echo "File is valid, and was successfully uploaded.\n";

  }else
  {
echo "Possible file upload attack!\n";
  }

  }
                    if($_POST['id']){
                        $sql = "UPDATE `news` SET title='" . $_POST['title'] . "', content='" . $_POST['content'] . "', picturename='" . $uploadfile . "', alt='" . $_POST['alt'] . "', url='" . $_POST['url'] . "', author='" . $_SESSION['firstname'] . " " . $_SESSION['lastname'] . "', updated=NOW() WHERE id = '" . $_POST['id'] . "'";
                        $result = mysql_query($sql) or die ("ERROR: " . mysql_error() . "SQL: $sql");
                        echo "news \"" . $_POST['title'] . "\" updated successfully - return to <a href=\"news.php\" onFocus=\"this.blur();\">news</a>!";
                    } else {
                        $sql = "INSERT INTO `news`  ( `id` , `title` , `content` , `picturename` , `alt` , `url` , `author`,  `added` ) VALUES('', '" . $_POST['title'] . "', '" . $_POST['content'] . "', '" . $uploadfile . "', '" . $_POST['alt'] . "', '" . $_POST['url'] . "', '" . $_SESSION['firstname'] . " " . $_SESSION['lastname'] . "', NOW())";
                        $result = mysql_query($sql) or die ("ERROR: " . mysql_error() . "SQL: $sql");
                        $id = mysql_insert_id();
                        echo "Story \"" . $_POST['title'] . "\" added successfully - return to <a href=\"news.php\" onFocus=\"this.blur();\">news</a> or view <a href=\"../index.php?news=" . $id . "\" onFocus=\"this.blur();\">news here</a>!";
                    }
                  }
              }
            ?>
</body>
</html>
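The upload step in the reply above keeps the file name and extension exactly as the browser sent them, so anything the client names `something.php` lands in the upload directory under that name. The following is an added example, not code from the thread, showing the same step with the type detected from the file contents and the stored name generated on the server; `MAX_BYTES`, `ALLOWED_TYPES` and `store_uploaded_image()` are names assumed here, and the size limit is an assumed value.

```php
<?php
// Added example, not code from the thread. MAX_BYTES, ALLOWED_TYPES and
// store_uploaded_image() are names chosen here for illustration.
const MAX_BYTES = 2097152;          // 2 MiB limit, an assumed value
const ALLOWED_TYPES = [             // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Validate one $_FILES entry, move it into $uploadDir and return the
// server-generated file name to store in the `picturename` column.
function store_uploaded_image(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent.');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Detect the type from the file contents. The client controls both the
    // original name and $file['type'], so neither is trusted here.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }
    // Build the stored name ourselves: the client cannot pick the extension,
    // and a random name does not collide with files already stored.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // move_uploaded_file() refuses paths that did not arrive via HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded file.');
    }
    return $name;
}

// Use in the form handler; '/var/www/uploads' is the directory from the reply.
if (isset($_FILES['picturename'])) {
    try {
        $picturename = store_uploaded_image($_FILES['picturename'], '/var/www/uploads');
    } catch (RuntimeException $e) {
        exit(htmlspecialchars($e->getMessage()));
    }
}
```

Keep the upload directory outside the document root, or configure the web server so that nothing inside it is executed as a script.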

[quote author=redarrow link=topic=103556.msg413098#msg413098 date=1155206652]

insert and update change and try ok

['alt'] . "', '" . $_POST['url'] . "', '" . $_SESSION['firstname'] . " " . $_SESSION['lastname'] . "', NOW())";

to

['alt'] . "', '" . $_POST['url'] . "', ' " . $_SESSION['firstname'] . " ', ' " . $_SESSION['lastname'] . " ', NOW())";
[/quote]

That's the exact reason why I don't use '" . It's so sloppy and messy, when all you really need is a single quote.

you need to redesign the whole insert and update ok.

an example only ok.

[code]
<?php session_start();

// post the variables with addslashes.

$id=addslashes($_POST['id']);
$title=addslashes($_POST['title']);
$content=addslashes($_POST['content']);
$alt=addslashes($_POST['alt']);
$url=addslashes($_POST['url']);

// session correct format to insert into database.
// (read from the session only; the posted form must not overwrite it)

$username=addslashes($_SESSION['username']);

//get the id.

$id=addslashes($_GET['id']);

//then the proper format ok

// if isset post insert into database safely.
// (the submit button in the form above is named "Submit"; array keys are case-sensitive)

if(isset($_POST['Submit'])){

$query="INSERT INTO xxxxxx(id,title,content,alt,url,username)
VALUES('$id','$title','$content','$alt','$url','$username')";

$result=mysql_query($query);

}
?>

[/code]
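The insert and update discussed in this thread build SQL by concatenating form values, and the reply above escapes them by hand. As an added example that is not from the thread, here is the same `news` insert/update written with PDO prepared statements, which keep the values out of the SQL text entirely (the `mysql_*` functions used in the thread were removed in PHP 7). `save_news()`, the in-memory SQLite table and the sample values are constructed for illustration, and `CURRENT_TIMESTAMP` stands in for `NOW()`.

```php
<?php
// Added example, not code from the thread. save_news() and the SQLite
// schema below are constructed so the block runs without a MySQL server.
function save_news(PDO $db, array $post, string $author, string $picture): int
{
    $fields = [
        ':title'   => (string) ($post['title'] ?? ''),
        ':content' => (string) ($post['content'] ?? ''),
        ':picture' => $picture,
        ':alt'     => (string) ($post['alt'] ?? ''),
        ':url'     => (string) ($post['url'] ?? ''),
        ':author'  => $author,
    ];
    // Accept the id only if it is a positive integer; otherwise insert.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id !== false && $id > 0) {
        $stmt = $db->prepare(
            'UPDATE news SET title = :title, content = :content,
                    picturename = :picture, alt = :alt, url = :url,
                    author = :author, updated = CURRENT_TIMESTAMP
              WHERE id = :id');
        $stmt->execute($fields + [':id' => $id]);
        return $id;
    }
    $stmt = $db->prepare(
        'INSERT INTO news (title, content, picturename, alt, url, author, added)
         VALUES (:title, :content, :picture, :alt, :url, :author, CURRENT_TIMESTAMP)');
    $stmt->execute($fields);
    return (int) $db->lastInsertId();
}

// Constructed demo: in-memory SQLite stands in for the MySQL `news` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT,
           picturename TEXT, alt TEXT, url TEXT, author TEXT, added TEXT, updated TEXT)');

// Constructed form data; the apostrophes would break the concatenated queries.
$post = ['title' => "It's here", 'content' => "Richard's 'quoted' story",
         'alt' => 'logo', 'url' => 'https://example.com/'];
$id = save_news($db, $post, 'Richard Harris', 'picture.png');
save_news($db, ['id' => (string) $id, 'title' => "It's edited"] + $post,
          'Richard Harris', 'picture.png');

// The row comes back with its quote characters intact, stored as data.
var_dump($db->query('SELECT id, title, content FROM news')->fetchAll(PDO::FETCH_ASSOC));
```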

Archived

This topic is now archived and is closed to further replies.
