
writes to the database but does not upload file


sandbudd


Writes to the database fine but does not upload the image?

I get no errors... sorry for the spacing.


   
    <?php
    //This is the directory where images will be saved
    $target = 'images/';
    $target = $target . basename( $_FILES['photo']['name']);

    //This gets all the other information from the form
    $pic=($_FILES['photo']['name']);

    // Connects to your Database
    mysql_connect("", "", "") or die(mysql_error()) ;
    mysql_select_db("") or die(mysql_error()) ;

    //Writes the information to the database
    mysql_query("INSERT INTO `alabama` VALUES ('$pic')") ;

    //Writes the photo to the server
    if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
    {
        //Tells you if it's all ok
        echo "The file ". basename( $_FILES['photo']['name']). " has been uploaded, and your information has been added to the directory";
    }
    else {
        //Gives an error if it's not
        echo "Sorry, there was a problem uploading your file.";
    }
    ?>

Try this and see what happens:

 

    <?php
    //This is the directory where images will be saved
    $target = 'images/'.$_FILES['photo']['name'];

    //This gets all the other information from the form
    $pic= $_FILES['photo']['name'];

    // Connects to your Database
    mysql_connect("", "", "") or die(mysql_error()) ;
    mysql_select_db("") or die(mysql_error()) ;

    //Writes the information to the database
    mysql_query("INSERT INTO `alabama` VALUES ('$pic')") ;

    //Writes the photo to the server
    if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
    {
        //Tells you if it's all ok
        echo "The file ".$_FILES['photo']['name']. " has been uploaded, and your information has been added to the directory";
    }
    else {
        //Gives an error if it's not
        echo "Sorry, there was a problem uploading your file.";
    }
    ?>

Also please note that there are two main security flaws in your script.

 

1: You're not checking to see if the filetype is acceptable, which means that any old file could be uploaded to your server. What if somebody uploaded a .php file? They'd be able to upload it to your server and then execute it.

 

2: You're not using the function is_uploaded_file(). is_uploaded_file() makes sure that the file in question has actually been uploaded. Otherwise, an attacker could give you the file location of a sensitive file outside your root... only to have that sensitive file copied to a publicly viewable location.
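
The two checks named in the reply above, sketched as an added example that is not code from any poster in this thread. It assumes PHP 7+ with the fileinfo and mysqli extensions, a writable images/ directory, placeholder database credentials, and a hypothetical column name `photo` in the `alabama` table; it also reports the upload error code, which the scripts above discard.

```php
<?php
// Added example, not from the thread. Hypothetical names: UploadError,
// store_photo(), the `photo` column, and the DB_* placeholder credentials.
class UploadError extends RuntimeException {}
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024; // constructed limit: 2 MiB

function store_photo(array $file, mysqli $db, string $dir = 'images/'): string
{
    // Surface PHP's upload error code instead of failing with no message.
    $error = $file['error'] ?? null;
    if ($error !== UPLOAD_ERR_OK) {
        throw new UploadError('upload error code ' . var_export($error, true));
    }
    // Flaw 2 in the reply: accept only a temp path PHP created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new UploadError('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new UploadError('file too large');
    }
    // Flaw 1 in the reply: decide the type from the content, not the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new UploadError('file type not allowed');
    }
    // Server-generated name: no client-controlled path or extension reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        throw new UploadError('could not move file; check that ' . $dir . ' exists and is writable');
    }
    // Parameterised insert: the stored name is bound as data, not concatenated into SQL.
    $stmt = $db->prepare('INSERT INTO `alabama` (`photo`) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['photo'])) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
    try {
        echo 'Stored as ' . store_photo($_FILES['photo'], $db);
    } catch (UploadError $e) {
        echo 'Sorry, there was a problem uploading your file: ' . htmlspecialchars($e->getMessage());
    }
}
```

Because the saved extension comes from the allowlist, a file submitted as something.php is either rejected or stored under a random name ending in jpg, png or gif.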
