php data injection script 404 error

[joshgarrod]

Hi, I have a script inserting data into a table. I think the problem is something to do with the exit part of the script as it supposed to go to a page named thanks.php once it has finished. The data is inserted into the table but then I get a 404 error?

 

Script:

 

<?php

$idir = "uploads/";   // Path To Images Directory


if (isset ($_FILES['fupload'])){

//upload the image to tmp directory
$url = $_FILES['fupload']['name'];   // Set $url To Equal The Filename For Later Use 
	if ($_FILES['fupload']['type'] == "image/jpg" || $_FILES['fupload']['type'] == "image/jpeg" || $_FILES['fupload']['type'] == "image/pjpeg") { 
		$file_ext = strrchr($_FILES['fupload']['name'], '.');   // Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php 
		$copy = copy($_FILES['fupload']['tmp_name'], "$idir" . $_FILES['fupload']['name']);   // Move Image From Temporary Location To Permanent Location 
			}
			}
if (isset ($_FILES['fupload2'])){

//upload the image to tmp directory
$url = $_FILES['fupload2']['name'];   // Set $url To Equal The Filename For Later Use 
	if ($_FILES['fupload2']['type'] == "image/jpg" || $_FILES['fupload2']['type'] == "image/jpeg" || $_FILES['fupload2']['type'] == "image/pjpeg") { 
		$file_ext = strrchr($_FILES['fupload2']['name'], '.');   // Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php 
		$copy = copy($_FILES['fupload2']['tmp_name'], "$idir" . $_FILES['fupload2']['name']);   // Move Image From Temporary Location To Permanent Location 
			}
			}
if (isset ($_FILES['fupload3'])){

//upload the image to tmp directory
$url = $_FILES['fupload3']['name'];   // Set $url To Equal The Filename For Later Use 
	if ($_FILES['fupload3']['type'] == "image/jpg" || $_FILES['fupload3']['type'] == "image/jpeg" || $_FILES['fupload3']['type'] == "image/pjpeg") { 
		$file_ext = strrchr($_FILES['fupload3']['name'], '.');   // Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php 
		$copy = copy($_FILES['fupload3']['tmp_name'], "$idir" . $_FILES['fupload3']['name']);   // Move Image From Temporary Location To Permanent Location 
			}
			}
if (isset ($_FILES['fupload4'])){

//upload the image to tmp directory
$url = $_FILES['fupload4']['name'];   // Set $url To Equal The Filename For Later Use 
	if ($_FILES['fupload4']['type'] == "image/jpg" || $_FILES['fupload4']['type'] == "image/jpeg" || $_FILES['fupload4']['type'] == "image/pjpeg") { 
		$file_ext = strrchr($_FILES['fupload4']['name'], '.');   // Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php 
		$copy = copy($_FILES['fupload4']['tmp_name'], "$idir" . $_FILES['fupload4']['name']);   // Move Image From Temporary Location To Permanent Location 
			}
			}

error_reporting (E_ALL ^ E_NOTICE);
    $usr = "fghfh";
    $pwd = "fghfh";
    $db = "fhfhhh";
    $host = "213.45454818";

    # connect to database
    $cid = mysql_connect($host,$usr,$pwd);
    if (!$cid) { echo("ERROR: " . mysql_error() . "\n");    }

    if ($_POST['submit']) {

	$company = mysql_real_escape_string($_POST['company']);
	$website = mysql_real_escape_string($_POST['website']);
	$email = mysql_real_escape_string($_POST['email']);
	$tel = mysql_real_escape_string($_POST['tel']);
	$location = mysql_real_escape_string($_POST['location']);
	$address1 = mysql_real_escape_string($_POST['address1']);
	$address2 = mysql_real_escape_string($_POST['address2']);
	$address3 = mysql_real_escape_string($_POST['address3']);
	$address4 = mysql_real_escape_string($_POST['address4']);
	$postcode = mysql_real_escape_string($_POST['postcode']);
	$descr = mysql_real_escape_string($_POST['descr']);
	$lowseason = mysql_real_escape_string($_POST['lowseason']);
	$midseason = mysql_real_escape_string($_POST['midseason']);
	$highseason = mysql_real_escape_string($_POST['highseason']);
	$live = "No";
	$image1 = mysql_real_escape_string("$idir" . $_FILES['fupload2']['name']);
	$image2 = mysql_real_escape_string("$idir" . $_FILES['fupload3']['name']);
	$image3 = mysql_real_escape_string("$idir" . $_FILES['fupload4']['name']);
	$logo = mysql_real_escape_string("$idir" . $_FILES['fupload']['name']);

	//echo "<img src=\"images/processing.gif\">";		
	//$model_chk = (!isset($_POST['model']) || trim($_POST['model']) == "")
	//? die ('ERROR: Enter a model') :
	//mysql_escape_string(trim($_POST['model']));

        $SQL = " INSERT INTO mhhire ";
        $SQL .= " (company, website, email, tel, location, address1, address2, address3, address4, postcode, descr, lowseason, midseason, highseason, image1, image2, image3, logo, live) VALUES ";
        $SQL .= " ('$company', '$website', '$email', '$tel', '$location', '$address1', '$address2', '$address3', '$address4', '$postcode', '$descr', '$lowseason', '$midseason', '$highseason', '$image1', '$image2', '$image3', '$logo', '$live') ";

        
        $result = mysql_db_query($db,$SQL,$cid);
      $last=mysql_insert_id();


        
        if (!$result) { echo("ERROR: " . mysql_error() . "\n$SQL\n");    }

        //echo ("<P><B>Your caravan has been added to our classified section</B></P>\n");
	//printf("<a href=\"view_used_caravan.php?ref=". mysql_insert_id() ."\">Click here to view your advert</a>");

	header("location:thanks.php");
	exit();

    }
?>

 

Thanks

[Adam]

The data is inserted into the table but then I get a 404 error?

 

header("location:thanks.php");

 

Would suggest "thanks.php" doesn't exist. Are they definitely within the same directory?

 

 

 

[joshgarrod]

Hi, thanks for the reply. thanks.php definately exists, I am sorry, it is not a 404 error, this is the error I am getting: "Internet Explorer cannot display the webpage". Also the URL in the address bar remains on the advertise.php page which is where the user starts off?

[cags]

What happens if you change the header to redirect you to google?

 

header("Location: http://www.google.com");

[joshgarrod]

Hi solved it, thanks anyway everyone! Was because I hadn't changed my hosting from Windows to Linux! SORRY