New problem, this time images(sorry)

[doddsey_65]

Okay I have my user registration script working like a charm, i also have a my account section that displays their info. ie/ their name, email website etc.

I hae been trying to make an upload script so they can upload images, but i dont wnt blobbing. I want the to be able to upload an image, then the path of the image gets stored in the database(their relevent row). Then i would like the image to be recalled from the path in the db and displayed on their my account section.

[mikesta707]

Do you have any code that you need help with, or do you not know where to start. A tip, wherever you move the uploaded image to via move_uploaded_file(), you want to save the destination path into your mysql databse.

[doddsey_65]

Do you have any code that you need help with, or do you not know where to start. A tip, wherever you move the uploaded image to via move_uploaded_file(), you want to save the destination path into your mysql databse.

 

I haven got a clue where to start, i have the html form but Im stuck with the php

[mikesta707]

this tutorial should get you started

[doddsey_65]

this tutorial should get you started

 

that one doesnt work, even though it says it has uploaded the file it hasnt. And at the bottom it says not to use the script on a public site cos its not safe or secure. plus i want the path of the uploaded image to go into the database where their login details are held so that when it pulls their other details for the my account section it also only pulls their image.

[emopoops]

i know. ive tried it numourous times. do u want an upload image code that checks for file type with javascript too?

but this one i have works rilly good:

if (@is_uploaded_file($_FILES["userfile"]["tmp_name"])) {

$size=$_FILES['userfile']['size'];
$type=$_FILES['userfile']['type'];
$name=$_FILES['userfile']['name'];
$name="avi.png";
list($w, $h) = getsize($_FILES[userfile]['tmp_name']);
$path=$_SERVER["DOCUMENT_ROOT"] . "/" . $nameofdirectoryinvar . "/" . $name;
if($_FILES[userfile][type] == "image/png" || $_FILES[userfile][type] == "image/x-png"){$can = "ok";}else{$can = "x";}  
if ($size<100000 && ereg("image", $type) && $can == "ok" && $w == "55" && $h == "55")
{
move_uploaded_file($_FILES['userfile']['tmp_name'],
$path);
$root= "http://www.socialemo.com/$_SESSION[theusername]/";
$path2=$root . $name;

echo "<h3>Your Image Link Here: </h3><a target='_blank' href='$path2'>$path2</a>";}
if($w != "55" || $h != "55"){
echo "file dimensions MUST be 55x55! that file was ";echo $w."x".$h;}
else{echo "right file dimensions!";}
if ($size>100000)
{echo "ERROR <br> the image size is too big";}
if (!ereg("image", $type) )
{echo "ERROR <br> the file is not image<br>";}
if ($can == "x")
{echo "ERROR <br> the file is not .png must be a png image<br>";}
}

 

alright if u want to allow more types of images AKA gif, jpeg, u have to add the thing for the gif and jpeg images(which i dont have atm cause i am only allowing png)

heres the part to add to:

if($_FILES[userfile][type] == "image/png" || $_FILES[userfile][type] == "image/x-png")

you would just add another || thing and then the code like theres two there now because i guess interenet explorer interprets pngs as x-png or something someone told me on a forum

 

now the $userfile is the variable name input name thingy from the form input that has type="file" and u have to make sure the form is

<form enctype="multipart/form-data" etc....>

you would also need to modify the $name variable. especially the .png part if ur not just accepting .pngs like i am.

 

i guess ie sees jpeg differntly as well as png:

http://articles.sitepoint.com/article/handle-file-uploads-php

"Explorer uses image/pjpeg for JPEG images and image/x-png for PNG images, while Firefox and other browsers use image/jpeg and image/png respectively"

[mikesta707]

this tutorial should get you started

 

that one doesnt work, even though it says it has uploaded the file it hasnt. And at the bottom it says not to use the script on a public site cos its not safe or secure. plus i want the path of the uploaded image to go into the database where their login details are held so that when it pulls their other details for the my account section it also only pulls their image.

 

That one does work, its the one I used when I was trying to do the same exact thing. It was more of a starting point so you can learn how uploading files work. I can't really comment on why your attempt didn't work without seeing any code.

 

 

and @emopoop, using mime type as a file type restricting system is not the best idea as mime types can not only be spoofed, but not all browsers send them and IE (among others) send different mime types for certain formats than most other browsers. If you are allowing multiple types of formats, this can be a pain. What I usually do to restrict file types is like

$allowed_files = array('jpg', 'jpeg', 'png', 'bmp');//array of allowed file types
$fileName = "myFile.jpg";
$extension = end(explode('.', $fileName));//gets the file extension from the file name

if (!if_array($extension, $allowed_files)){
echo "Invalid file type!";
exit();
}

 

this simply checks the file extension, and while it "works", changing the file extension is even easier than spoofing the mime type. You can look into the finfo extension which seems to work pretty well (assuming you have the extension) for finding the file type (this also gets the mime type, but uses a different method, rather than relying on the information the browser sends) you can see some examples on that page.

 

[emopoops]

ii added to my post how ie and firefox differ. but i dont understand how it easier to spoof the filetype i used than it is to just change the extension. i dont understand

 

ok the finfo seems like a bright idea but how i dont see any thing on that page for getting the filetype? how else are u supposed to get what type the file REALLY IS?

[mikesta707]

I actually said it was easier to change the extension than to spoof the mime-type that the browser sends. At that point, I do agree, but a rule of thumb with security is that you should never rely on user input for security, and always verify things yourself. My example wasn't any better, just an example to think about, and a possible starting point that is easier to make work than checking mime type (because mime types are different on different browsers, as you pointed out). If OP is developing in one browser, than it really doesn't matter I suppose.

 

assuming you have the extension, this is an example from the manual that gets the mime type

<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
    echo finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
?>

 

it outputs the mimetypes from the files (you can check the manual page for the output) The reason this is recommended is because this doesn't rely on what the browser sends, but rather checks for a certain byte sequence.

[emopoops]

ok well i still dont see how the files variable is relying on the user. but if u says finfo is more safe then still my question. how to use it in this specific case . , ?

[mikesta707]

The $_FILES['files']['type'] value is sent from the browser, and thus sent by the user. Most regular users don't really know how to alter mime types, but a malicious user can spoof the mime type, and upload a potentially harmful file. but if detecting the file isn't dependent on what the user sends, then generally you are safer.

 

If you look at my example, it shows you exactly how to use it. The information you want is the mime type. pay attention to the finfo_open() function call, and the info_file() function call. it should be fairly straight forward from the given code.

[emopoops]

i really dont understand

[mikesta707]

Fine, I suppose I can give you a simple example.

 

<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
//right Here I am basically initializing the finfo object
//This function returns a resource, that needs to be used 
//with the finfo functions
//it is similar to opening files, where you need a file handler
$fileName = "Path/to/my/file.gif";//File I want to test
$mimeType = finfo_file($finfo, $fileName);
//this function gets the mime type.
//there is also an object oriented way of doing this
//check out the manual for more information

//now that I have the mimeType, I want to test it.
if ($mimeTYpe == "image/gif") {
echo "We have a gif!";//we have one!
}
else {
echo "We don't have a gif!";//we dont!
}
?>

[emopoops]

so ur doing it to the image thats already uploaded? i dont understant where that would go in the code i provided. would it be extra or would it replace the files thing i had

[doddsey_65]

Okay my code doesnt seem to work but i dont know why

 

$uploadDir = 'uploads/';

if(isset($_POST['upload']))
{
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];

$filePath = $uploadDir . $fileName;

$result = move_uploaded_file($tmpName, $filePath);
if (!$result) {
echo "Error uploading file";
exit;
}

if(!get_magic_quotes_gpc())
{
$filePath = addslashes($filePath);
} 

$query = ("UPDATE users SET path = '$filepath' WHERE username = '$username'") or die

(mysql_error());

 

It uploads the image but not the path

Username is already defined earlier in the code and my form is fine. Can anyone see why its not working?

[doddsey_65]

Okay i did an echo on the query and came up with this:

UPDATE users SET path = "uploads/sbbody-l.gif" WHERE username = "doddsey_65"

And when run in phpmyadmin it works fine and updates the row, so why doesnt it do this when i run it within the php file?