
I've got some problems with this script. What I try to do is the following.

 

In the backoffice of my website I want to upload a file (form1) and insert a line into my database. With the script I built so far, I manage to insert into the database, but the file upload fails.

 

Please give me a hint about what goes wrong.

 

This is my script.

 

<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO voordelen (ID, Titel, Omschrijving, URL, image) VALUES (%s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['ID'], "int"),
                       GetSQLValueString($_POST['Titel'], "text"),
                       GetSQLValueString($_POST['Omschrijving'], "text"),
                       GetSQLValueString($_POST['URL'], "text"),
                       GetSQLValueString($_POST['image'], "text"));

  //Begin || code for uploading the file and checking it
  $uploaddir = "uploads"; // Where you want the files to upload to - Important: Make sure this folder's permissions are 0777!
  $allowed_ext = "jpg, gif, png,"; // These are the allowed extensions of the files that are uploaded
  $max_size = "50000"; // 50000 is the same as 50kb
  $max_height = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
  $max_width = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
  // Check Extension
  $extension = pathinfo($_FILES['file']['name']);
  $extension = $extension['extension'];
  $allowed_paths = explode(", ", $allowed_ext);
  for($i = 0; $i < count($allowed_paths); $i++) {
    if ($allowed_paths[$i] == "$extension") {
      $ok = "1";
    }
  }
  // Check File Size
  if ($ok == "1") {
    if($_FILES['file']['size'] > $max_size)
    {
      print "File size is too big!";
      exit;
    }
    // Check Height & Width
    if ($max_width && $max_height) {
      list($width, $height, $type, $w) = getimagesize($_FILES['file']['tmp_name']);
      if($width > $max_width || $height > $max_height)
      {
        print "File height and/or width are too big!";
        exit;
      }
    }
    // The Upload Part
    if(is_uploaded_file($_FILES['file']['tmp_name']))
    {
      move_uploaded_file($_FILES['file']['tmp_name'],$uploaddir.'/'.$_FILES['file']['name']);
    } else {
      print "Incorrect file extension!";
    }
  }
  //End || code for uploading the file and checking it

  mysql_select_db($database_Connect, $Connect);
  $Result1 = mysql_query($insertSQL, $Connect) or die(mysql_error());

  $insertGoTo = "voordeel.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

mysql_select_db($database_Connect, $Connect);
$query_users = "SELECT * FROM users";
$users = mysql_query($query_users, $Connect) or die(mysql_error());
$row_users = mysql_fetch_assoc($users);
$totalRows_users = mysql_num_rows($users);

mysql_select_db($database_Connect, $Connect);
$query_Voordelen = "SELECT * FROM voordelen";
$Voordelen = mysql_query($query_Voordelen, $Connect) or die(mysql_error());
$row_Voordelen = mysql_fetch_assoc($Voordelen);
$totalRows_Voordelen = mysql_num_rows($Voordelen);
?>

 

 

 

The following is a bad way to check the file extension. First of all, you would be checking, for example, gif == " gif", which of course is false. Put your code in code tags too...

 

Another thing: why do you have the file extensions as a string, and then convert it to an array... just make an array.

$allowed_ext = "jpg, gif, png,"; // These are the allowed extensions of the files that are uploaded
$max_size = "50000"; // 50000 is the same as 50kb
$max_height = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
$max_width = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
// Check Extension
$extension = pathinfo($_FILES['file']['name']);
$extension = $extension['extension'];
$allowed_paths = explode(", ", $allowed_ext);
for($i = 0; $i < count($allowed_paths); $i++) {
  if ($allowed_paths[$i] == "$extension") {
    $ok = "1";
  }
}
// Check File Size
if ($ok == "1") {

If the filetype isn't correct, then that if statement will throw an undefined variable error.

try

$extension = pathinfo($_FILES['file']['name']);
$extension = $extension['extension'];
$allowed_paths = array('jpg', 'png' /* etc. */);
if (!in_array($extension, $allowed_paths)) {
  echo "Incorrect file type";
  exit();
}
//continue uploading

 

Much simpler and more elegant. You should also check that your file uploaded before you insert info into your database, i.e.

 

if(!move_uploaded_file($_FILES['file']['tmp_name'],$uploaddir.'/'.$_FILES['file']['name'])){
  echo "Upload failed!";
  exit();
}
//upload didn't fail, insert into database

 

I don't know if you made this yourself, or got it from some website, but a lot of this stuff is kind of pointless.

 

This is how I would do it:

$allowed = array('jpg', 'png' /* etc. */);
$uploaddir = "uploads"; // Where you want the files to upload to - Important: Make sure this folder's permissions are 0777!
$max_size = "50000"; // 50000 is the same as 50kb
$max_height = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
$max_width = "100";

//check extension
$parts = explode('.', $_FILES['file']['name']);
$ext = end($parts); // end() takes a variable by reference, so explode() cannot be passed to it directly
if (!in_array($ext, $allowed)){
  echo "File extension is incorrect";
  exit();
}

//check size
if($_FILES['file']['size'] > $max_size)
{
  print "File size is too big!";
  exit;
}

//check dimensions
list($width, $height, $type, $w) = getimagesize($_FILES['file']['tmp_name']);
if($width > $max_width || $height > $max_height)
{
  echo "File height and/or width are too big!";
  exit();
}

//all checks were passed, now try to move the file
//(check is_uploaded_file() first: after a move the temp file is gone, and either failure must abort)
if(!is_uploaded_file($_FILES['file']['tmp_name']) || !move_uploaded_file($_FILES['file']['tmp_name'],$uploaddir.'/'.$_FILES['file']['name'])){
  echo "Upload failed!";
  exit();
}
//upload succeeded, now go on to SQL stuff

 

Edit: fixed a couple of syntax and logical errors.
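The procedure the reply lays out (extension, size and dimension checks, then the move, and only then the database insert) as an added example; this is not code from the thread. It also covers two things neither script above handles: the client-supplied file name is used as the destination path, so the uploader chooses the name (and, with "../" in it, the directory) the file lands in; and the file's contents are never compared with its extension, so the extension check alone proves nothing about what was uploaded. Assumptions, all mine and not from the page: PHP 7 or later, a PDO connection already in $pdo (in place of the thread's mysql_* calls), an auto-increment ID column on the voordelen table, and an upload directory outside the web root.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+, a PDO connection in $pdo,
// the `voordelen` table from the original post with an auto-increment ID, and an
// upload directory OUTSIDE the web root so nothing in it can be requested by URL.

$uploadDir = __DIR__ . '/../private_uploads';   // assumed location, not served by the web server
$maxSize   = 50000;                              // bytes, same limit as the original post
$maxWidth  = 100;                                // pixels
$maxHeight = 100;

// Allowed extension => the IMAGETYPE_* constant getimagesize() must report for it.
// Checking the decoded image type, not just the name, rejects a script renamed to .jpg.
$allowedTypes = array(
    'jpg' => IMAGETYPE_JPEG,
    'gif' => IMAGETYPE_GIF,
    'png' => IMAGETYPE_PNG,
);

// Returns null when the upload is acceptable, otherwise the message to show.
function validateUpload(array $file, array $allowedTypes, $maxSize, $maxWidth, $maxHeight)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed (PHP error code ' . (isset($file['error']) ? $file['error'] : 'n/a') . ')';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file';
    }
    if ($file['size'] > $maxSize) {
        return 'File size is too big!';
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedTypes[$ext])) {
        return 'Incorrect file extension!';
    }
    $info = @getimagesize($file['tmp_name']);   // false if the bytes are not an image at all
    if ($info === false || $info[2] !== $allowedTypes[$ext]) {
        return 'File content does not match its extension';
    }
    if ($info[0] > $maxWidth || $info[1] > $maxHeight) {
        return 'File height and/or width are too big!';
    }
    return null;
}

// Moves the file under a server-chosen name; returns that name, or null on failure.
function storeUpload(array $file, $uploadDir)
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    // Never reuse the client-supplied name: it can carry path separators and
    // otherwise lets the uploader pick the file's final name and URL.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $uploadDir . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return $storedName;
}

if (isset($_POST['MM_insert']) && $_POST['MM_insert'] === 'form1' && isset($_FILES['file'])) {
    $error = validateUpload($_FILES['file'], $allowedTypes, $maxSize, $maxWidth, $maxHeight);
    if ($error !== null) {
        http_response_code(400);
        exit($error);
    }
    $storedName = storeUpload($_FILES['file'], $uploadDir);
    if ($storedName === null) {
        http_response_code(500);
        exit('Upload failed!');
    }

    // Only now touch the database, binding values instead of building the SQL string.
    // The server-chosen name goes into `image`; $_POST['image'] is not trusted for it.
    $stmt = $pdo->prepare(
        'INSERT INTO voordelen (Titel, Omschrijving, URL, image) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute(array($_POST['Titel'], $_POST['Omschrijving'], $_POST['URL'], $storedName));

    header('Location: voordeel.php');
    exit;
}
```

The order matters: every check runs against the temporary file before anything is moved, the move happens before the INSERT so a failed upload never leaves a database row pointing at a file that does not exist, and the name written to the image column is the one the server generated rather than whatever the form submitted.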

Hey,

 

Thanks for the quick reply.

 

I'll try and change my code tonight. The code I posted came from a web tutorial and has some errors in it. Because I'm new to programming it is hard for me to really read/understand every line.

 

Thanks again.

How can I "hide" the folder where the files are uploaded? I don't like the fact that people who aren't members/logged in can read the files.

 

The page where the files are listed is protected against NON-MEMBERS, but if they type the full URL into the browser they can access the files.

 

Can I use a .htaccess or .htpasswd to protect the file?
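The thread does not answer this question; the following is an added example of the pattern that question points at, not code from the thread. If the upload folder stays under the web root, an Apache .htaccess in that folder containing `Require all denied` (Apache 2.4) or `Deny from all` (2.2) stops direct URL requests, but a listing page then has nothing it can link to. The alternative shown here keeps the files outside the web root (so no URL reaches them at all) and serves them through a script that checks the visitor's session first. Assumptions, mine and not from the page: the login page sets $_SESSION['user_id'] on success, the files were stored under server-generated 32-hex-character names, and the directory path below.

```php
<?php
// Added example, not from the thread: hand an uploaded file to a logged-in member only.
// Assumes the files live outside the web root and that login sets $_SESSION['user_id'].
session_start();

$uploadDir = realpath(__DIR__ . '/../private_uploads');   // assumed location

// Returns the absolute path a member may read, or null when the request must be refused.
function resolveDownload($requestedName, $uploadDir, $loggedIn)
{
    if (!$loggedIn || $uploadDir === false) {
        return null;
    }
    // Accept only the server-generated names produced at upload time: 32 hex chars + extension.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|gif|png)$/', $requestedName)) {
        return null;
    }
    $path = realpath($uploadDir . '/' . $requestedName);
    // realpath() resolves any "../" or symlink; the result must still be inside $uploadDir.
    if ($path === false || strpos($path, $uploadDir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$loggedIn = isset($_SESSION['user_id']);
$path = resolveDownload(isset($_GET['f']) ? $_GET['f'] : '', $uploadDir, $loggedIn);

if ($path === null) {
    // 403 for anonymous visitors, 404 for members asking for something that is not there.
    http_response_code($loggedIn ? 404 : 403);
    exit('Access denied');
}

$mime = array('jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png');
$ext  = pathinfo($path, PATHINFO_EXTENSION);
header('Content-Type: ' . $mime[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');   // the browser must not second-guess the type
readfile($path);
```

The listing page then links to `download.php?f=<stored name>` (hypothetical script name) instead of to the file itself, and the session check runs on every request, so a member's URL pasted elsewhere returns 403 to anyone who is not logged in.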

 

 
