Jump to content

writes to the database but does not upload file

sandbudd

By sandbudd
in PHP Coding Help

 Share

Recommended Posts

sandbudd Regular Member

sandbudd

Posted
Posted

writes to the database fine but does not upload the image?

I get no errors...sorry for the spacing.


   
      <?php
  
      //This is the directory where images will be saved
   
      $target = 'images/';
   
      $target = $target . basename( $_FILES['photo']['name']);
   
       
  
      //This gets all the other information from the form
   
       $pic=($_FILES['photo']['name']);
  
       
  
      // Connects to your Database
  
      mysql_connect("", "", "") or die(mysql_error()) ;
  
      mysql_select_db("") or die(mysql_error()) ;
  
       
  
      //Writes the information to the database
  
      mysql_query("INSERT INTO `alabama` VALUES ('$pic')") ;
  
       
  
      //Writes the photo to the server
  
      if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
  
      {

       
  
      //Tells you if its all ok
  
      echo "The file ". basename( $_FILES['photo']['name']). " has been uploaded, and your information has been added to the directory";
  
      }
  
      else {

       

      //Gives and error if its not

      echo "Sorry, there was a problem uploading your file.";

      }

      ?>

Link to comment
Share on other sites
waynew Advanced Member

waynew

Posted
Posted

Try this and see what happens:

 

<?php

  //This is the directory where images will be saved  
  $target = 'images/'.$_FILES['photo']['name'];

   

  //This gets all the other information from the form

   $pic= $_FILES['photo']['name'];

   

  // Connects to your Database

  mysql_connect("", "", "") or die(mysql_error()) ;

  mysql_select_db("") or die(mysql_error()) ;

   

  //Writes the information to the database

  mysql_query("INSERT INTO `alabama` VALUES ('$pic')") ;

   

  //Writes the photo to the server

  if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
  {
  //Tells you if its all ok
  echo "The file ".$_FILES['photo']['name']. " has been uploaded, and your information has been added to the directory";

  }

  else {
  //Gives and error if its not
  echo "Sorry, there was a problem uploading your file.";

  }

?>

Link to comment
Share on other sites
waynew Advanced Member

waynew

Posted
Posted

Also please note that are two main security flaws in your script.

 

1: You're not checking to see if the filetype is acceptable, which means that any old file could be uploaded to your server. What if somebody uploaded a .php file? They'd be able to upload it to your server and then execute it.

 

2: You're not using the function is_uploaded_file(). is_uploaded_file() makes sure that the file in question has actually been uploaded. Otherwise, an attacker could give you the file location of a sensitive file outside your root... only to have that sensitive file copied to a publicly viewable location.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.