Rboz Posted October 10, 2009

I've got some problems with this script. What I try to do is the following. In the backoffice of my website I want to upload a file (form1) and insert a line into my database. With the script I built so far, I manage to insert into the database, but the file upload fails. Please give me a hint about what goes wrong. This is my script.

```php
<?php
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $insertSQL = sprintf("INSERT INTO voordelen (ID, Titel, Omschrijving, URL, image) VALUES (%s, %s, %s, %s, %s)",
        GetSQLValueString($_POST['ID'], "int"),
        GetSQLValueString($_POST['Titel'], "text"),
        GetSQLValueString($_POST['Omschrijving'], "text"),
        GetSQLValueString($_POST['URL'], "text"),
        GetSQLValueString($_POST['image'], "text"));

    //Begin || code for uploading and checking the file
    $uploaddir = "uploads"; // Where you want the files to upload to - Important: Make sure this folder's permissions are 0777!
    $allowed_ext = "jpg, gif, png,"; // These are the allowed extensions of the files that are uploaded
    $max_size = "50000"; // 50000 is the same as 50kb
    $max_height = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
    $max_width = "100"; // This is in pixels - Leave this field empty if you don't want to upload images

    // Check Extension
    $extension = pathinfo($_FILES['file']['name']);
    $extension = $extension['extension'];
    $allowed_paths = explode(", ", $allowed_ext);
    for ($i = 0; $i < count($allowed_paths); $i++) {
        if ($allowed_paths[$i] == "$extension") {
            $ok = "1";
        }
    }

    // Check File Size
    if ($ok == "1") {
        if ($_FILES['file']['size'] > $max_size) {
            print "File size is too big!";
            exit;
        }

        // Check Height & Width
        if ($max_width && $max_height) {
            list($width, $height, $type, $w) = getimagesize($_FILES['file']['tmp_name']);
            if ($width > $max_width || $height > $max_height) {
                print "File height and/or width are too big!";
                exit;
            }
        }

        // The Upload Part
        if (is_uploaded_file($_FILES['file']['tmp_name'])) {
            move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . '/' . $_FILES['file']['name']);
        } else {
            print "Incorrect file extension!";
        }
    }
    //End || code for uploading and checking the file

    mysql_select_db($database_Connect, $Connect);
    $Result1 = mysql_query($insertSQL, $Connect) or die(mysql_error());

    $insertGoTo = "voordeel.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $insertGoTo));
}

mysql_select_db($database_Connect, $Connect);
$query_users = "SELECT * FROM users";
$users = mysql_query($query_users, $Connect) or die(mysql_error());
$row_users = mysql_fetch_assoc($users);
$totalRows_users = mysql_num_rows($users);

mysql_select_db($database_Connect, $Connect);
$query_Voordelen = "SELECT * FROM voordelen";
$Voordelen = mysql_query($query_Voordelen, $Connect) or die(mysql_error());
$row_Voordelen = mysql_fetch_assoc($Voordelen);
$totalRows_Voordelen = mysql_num_rows($Voordelen);
?>
```
mikesta707 Posted October 10, 2009

The following is a bad way to check the file extension. First of all, you would be checking, for example, gif == " gif", which of course is false. Put your code in code tags too... Another thing, why do you have the file extensions as a string, and then convert it to an array... Just make an array.

```php
$allowed_ext = "jpg, gif, png,"; // These are the allowed extensions of the files that are uploaded
$max_size = "50000"; // 50000 is the same as 50kb
$max_height = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
$max_width = "100"; // This is in pixels - Leave this field empty if you don't want to upload images

// Check Extension
$extension = pathinfo($_FILES['file']['name']);
$extension = $extension['extension'];
$allowed_paths = explode(", ", $allowed_ext);
for ($i = 0; $i < count($allowed_paths); $i++) {
    if ($allowed_paths[$i] == "$extension") {
        $ok = "1";
    }
}

// Check File Size
if ($ok == "1") {
```

If the filetype isn't correct, then that if statement will throw an undefined variable error. Try

```php
$extension = pathinfo($_FILES['file']['name']);
$extension = $extension['extension'];
$allowed_paths = array('jpg', 'png' /* etc */);
if (!in_array($extension, $allowed_paths)) {
    echo "Incorrect file type";
    exit();
}
//continue uploading
```

Much simpler and elegant. You should also check that your file uploaded before you insert info into your database. IE

```php
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . '/' . $_FILES['file']['name'])) {
    echo "Upload failed!";
    exit();
}
//upload didn't fail, insert into database
```

idk if you made this yourself, or got it from some website, but a lot of this stuff is kind of pointless. This is how I would do it:

```php
$allowed = array('jpg', 'png' /* etc */);
$uploaddir = "uploads"; // Where you want the files to upload to - Important: Make sure this folder's permissions are 0777!
$max_size = "50000"; // 50000 is the same as 50kb
$max_height = "100"; // This is in pixels - Leave this field empty if you don't want to upload images
$max_width = "100";

//check extension
$parts = explode('.', $_FILES['file']['name']);
$ext = end($parts);
if (!in_array($ext, $allowed)) {
    echo "File extension is incorrect";
    exit();
}

//check size
if ($_FILES['file']['size'] > $max_size) {
    print "File size is too big!";
    exit;
}

//check dimensions
list($width, $height, $type, $w) = getimagesize($_FILES['file']['tmp_name']);
if ($width > $max_width || $height > $max_height) {
    echo "File height and/or width are too big!";
    exit();
}

//all checks were passed, now try to move the file
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . '/' . $_FILES['file']['name']) && !is_uploaded_file($_FILES['file']['tmp_name'])) {
    echo "Upload failed!";
    exit();
}
//upload succeeded, now go on to SQL stuff
```

edit: a couple of syntax and logical errors
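Building on the order of checks mikesta707 describes (validate, move, only then insert), here is the upload-then-insert step as an added example; it is not code from the thread. It assumes the form field is still named `file`, an `uploads` directory next to the script that the web server can write to, PHP 7 or later (for `random_bytes`), that the `ID` column is auto-increment, and a PDO connection in `$pdo` standing in for the `mysql_*` calls. It goes beyond the thread in two ways: the file type is decided from the image bytes via `getimagesize` rather than from the client-supplied name, and the file is stored under a random server-chosen name, which is what gets written to the `image` column.

```php
<?php
// Added example, not from the original post. Assumptions: field name "file",
// writable ./uploads directory, PHP >= 7, $pdo is a PDO connection to the
// database holding the "voordelen" table, and ID is auto-increment.

$uploaddir  = __DIR__ . '/uploads';
$max_size   = 50000;                // bytes
$max_width  = 100;                  // pixels
$max_height = 100;                  // pixels
// Accepted image types mapped to the extension the file will be stored under.
// The type comes from getimagesize on the actual bytes, never from the client name.
$allowed_types = array(
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_PNG  => 'png',
);

// Returns the extension to store under, or a string starting with "error:".
function validate_upload(array $file, $max_size, $max_width, $max_height, array $allowed_types)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed (code ' . (isset($file['error']) ? $file['error'] : '?') . ')';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    if ($file['size'] > $max_size) {
        return 'error: file too large';
    }
    // A renamed script is not a parseable image, so it fails here regardless of its name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed_types[$info[2]])) {
        return 'error: not an allowed image type';
    }
    if ($info[0] > $max_width || $info[1] > $max_height) {
        return 'error: image dimensions too large';
    }
    return $allowed_types[$info[2]];
}

// Moves the file under a random name; returns the stored name or false.
function store_upload(array $file, $uploaddir, $ext)
{
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // client name never reaches the filesystem
    $dest = $uploaddir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0644);   // readable, not executable
    return $name;
}

if (isset($_POST['MM_insert']) && $_POST['MM_insert'] === 'form1' && isset($_FILES['file'])) {
    $ext = validate_upload($_FILES['file'], $max_size, $max_width, $max_height, $allowed_types);
    if (strpos($ext, 'error:') === 0) {
        http_response_code(400);
        exit(htmlspecialchars($ext));
    }
    $stored = store_upload($_FILES['file'], $uploaddir, $ext);
    if ($stored === false) {
        http_response_code(500);
        exit('Upload failed!');
    }
    // Only now, with the file safely on disk, insert the row. A prepared
    // statement replaces the sprintf/escape string building of the original.
    $stmt = $pdo->prepare('INSERT INTO voordelen (Titel, Omschrijving, URL, image) VALUES (?, ?, ?, ?)');
    $stmt->execute(array($_POST['Titel'], $_POST['Omschrijving'], $_POST['URL'], $stored));
    header('Location: voordeel.php');
    exit;
}
```

Because the stored name is generated on the server and the type is taken from the bytes, the extension checks that the thread spends most of its time on collapse into the `$allowed_types` lookup; the client's file name is only ever used for nothing at all.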
Rboz (Author) Posted October 12, 2009

Hey, thanks for the quick reply. I'll try and change my code tonight. The code I posted came from a web tutorial and has some errors in it. Because I'm new to programming it is hard for me to really read/understand every line. Thanks again.
Rboz (Author) Posted October 12, 2009

I've edited my script and it works beautifully. It doesn't only work better, but the script is much easier to read and understand. Great :D Thanks again. Ralph
Rboz (Author) Posted October 13, 2009

How can I "hide" the folder where the files are uploaded? I don't like the fact that people who aren't members/logged in can read the files. The page where the files are listed is protected for NOT MEMBERS, but if they type the full URL in the browser they can access the files. Can I use a .htaccess or .htpasswd to protect the file?
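On the question of hiding the folder: the simplest arrangement is to keep the files where no URL reaches them and hand them out through a script that checks the login session, so the same membership check that protects the listing page also protects each file. The gate script below is an added example, not code from the thread. It assumes the upload handler writes files into a `private_uploads` directory one level above the web root, under 32-hex-character names with a jpg/gif/png extension, and that login sets `$_SESSION['user_id']`; adjust the path, the name pattern and the session key to your site. If the directory has to stay under the web root instead, an `.htaccess` in it containing `Require all denied` (Apache 2.4; `Deny from all` on 2.2) blocks direct URL access while PHP, which reads through the filesystem, is unaffected.

```php
<?php
// Added example, not from the original thread. Assumptions: files live in
// ../private_uploads (outside the web root) with names produced by the upload
// handler (32 hex chars + jpg/gif/png), and login sets $_SESSION['user_id'].
session_start();

$storage = dirname(__DIR__) . '/private_uploads';   // not reachable by URL

// Returns the absolute path of the requested file, or null if the request
// is not a name this site could have produced or resolves outside $storage.
function resolve_requested_file($storage, $requested)
{
    // Only the exact shape of names the upload handler generates is accepted;
    // "../", encoded slashes and any other client-crafted input fail here.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|gif|png)\z/', $requested)) {
        return null;
    }
    $base = realpath($storage);
    $path = realpath($storage . '/' . $requested);
    // Second line of defence: the resolved path must still sit inside $storage.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Members only');
}

$path = resolve_requested_file($storage, isset($_GET['f']) ? $_GET['f'] : '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Content-Type is derived from our own extension whitelist, and nosniff stops
// the browser from second-guessing it.
$types = array('jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

The listing page then links to `serve.php?f=<stored name>` instead of to the directory, and a visitor without a session gets a 403 no matter which file name they type.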