Why is this upload code only returning the tmp filename in the MySQL database?



#1 simcoweb


Posted 22 September 2006 - 09:19 PM

This was working fine until I added a bit of code to do some form validation via CAPTCHA. I didn't touch the queries or any of the database functions, however. But, for some reason now instead of the file name of the image being inserted I'm getting the /tmp name.

<?php
ob_start();
session_start();
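// Intended as SQL injection protection, but magic_quotes_runtime only escapes data
// read back from files and the database; it does not escape the $_POST values used below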
if(!get_magic_quotes_gpc())
	set_magic_quotes_runtime(1);
	
if (isset($_POST['submit'])) {
// clean and check form inputs including the secure image code
    $username = trim(strip_tags($_POST['username']));
    $email = trim(strip_tags($_POST['email']));
    $password = trim(strip_tags($_POST['password']));
    $confirmPass = trim(strip_tags($_POST['confirmPass']));
    $secure = strtoupper(trim(strip_tags($_POST['secure'])));
    $match = $_SESSION['loggedin']; // the code on the image

// input error checking
    if ($username=="") {
        $err.= "Please provide a username<br/>";
    }
    if (!$email) {
        $err.= "Please provide your email address<br>";
    }
    if ($email) {
        if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
            $err.= $email. " is not a valid email address.<br/>";
        }
    } 
    if ($password=="") {
        $err.= "Please provide password<br/>";
    }
    if ($confirmPass=="") {
	    $err.= "Please confirm your password.<br/>";
	}
	if ($confirmPass != $password) {
	  $err.= "Your passwords do not match. Please re-enter your passwords.";
	}
    if (!$secure) {
        $err.= "No security code entered<br/>";
    }
    if (($secure!=$match) && ($secure!="")) {
        $err.= "Security code mismatch<br/>";
    }
    if ($err=="") {
    // success - input passed all tests
    include 'dbconfig.php';	
	// Connect to database
	$eg_objConn1 = mysql_connect($dbhost, $dbuser, $dbpass);
	mysql_select_db($dbname, $eg_objConn1);
	
	  //check if username already exists
	  $sql_user_check = "SELECT * FROM plateau_pros WHERE username='$username'";
      $result_name_check = mysql_query($sql_user_check);
      $usersfound = mysql_num_rows($result_name_check);
      mysql_query($sql_user_check);
      
// if user  found, note that and end
if ($usersfound > 0) {
    $eg_error['username'] = "Username $username is already in use. Please choose another username to continue.";
    } else {
      
	// Upload File
	$eg_success_File1 = false;
	if(!empty($_FILES['photo']['name']))
	{
		// Check file is not larger than specified maximum size
		$eg_allowUpload = $_FILES['photo']['size'] <= 100000 ? true : false;
		// Check file is of the specified type
		if($eg_allowUpload)
			$eg_allowUpload = preg_match('/\\.(gif|jpg|jpeg|png)$/i', $_FILES['photo']['name']) ? true : false;
		
		if($eg_allowUpload)
		{
			if(is_uploaded_file($_FILES['photo']['tmp_name']))
			{
				$eg_uploaddir = $_SERVER['DOCUMENT_ROOT']."/images/photo/";
				
				$eg_uploadFile1 = $eg_uploaddir.rawurlencode($_FILES['photo']['name']);	
				// Create a unique filename for the uploaded file
				$eg_i = 1;
				while (file_exists($eg_uploadFile1))
				{
					$eg_separated_filename = explode(".",$eg_uploadFile1);
					if (substr($eg_separated_filename[0],-1) == $eg_i)
					{
						$eg_separated_filename[0] = substr($eg_separated_filename[0], 0, (strlen($eg_separated_filename[0])-1));
						$eg_i++;
					}
					$eg_separated_filename[0] = $eg_separated_filename[0] . "$eg_i";
					$eg_uploadFile1 = implode(".",$eg_separated_filename);
				}
							
				$eg_success_File1 = move_uploaded_file($_FILES['photo']['tmp_name'], $eg_uploadFile1);
			}
			
		}
		
	}

	// Run query
$sql = "INSERT INTO `plateau_pros`(`username`, `password`, `confirmPass`, `firstname`, `lastname`, `email`, `business`, `title`, `address`, `city`, `zip`, `phone`, `fax`, `mobile`, `category`, `comments`, `specialties`, `photo`) VALUES ('$username', '$password', '$confirmPass', '$firstname', '$lastname', '$email', '$business', '$title', '$address', '$city', '$zip', '$phone', '$fax', '$mobile', '$category', '$comments', '$specialties', '$photo')";
mysql_query($sql) or die(mysql_error());
$newid = mysql_insert_id();
echo $sql;

// $sql2 = "INSERT INTO members_cat (`memberid`, `categoryid`) VALUES ('$newid', '$catid')";
// mysql_query($sql2) or die(mysql_error());

// $sql3 = "INSERT INTO specialties (`memberid`, `specialties`) VALUES ('$newid', '$specialties')";
// mysql_query($sql3) or die(mysql_error());

// set session ID and redirect to login page upon success
// Set Session Value
			//$_SESSION['loggedin'] = @$_POST['username'];
			// Go to page
			header("Location: login.php");
			exit;
}
}
}
?>


help?

#2 Barand


Posted 22 September 2006 - 09:54 PM

You write the variable $photo to the table but I can't see it given a value anywhere
If you are still using mysql_ functions, STOP! Use mysqli_ or PDO. The longer you leave it the more you will have to rewrite.


#3 simcoweb


Posted 22 September 2006 - 09:58 PM

Barand, wouldn't that come from the $_POST of the form? I didn't post that code but basically it's parsing the form data to obtain the variables. All the other form elements are getting entered perfectly.

#4 Barand


Posted 22 September 2006 - 10:07 PM

But having moved the uploaded file to $eg_uploadFile1, isn't that what you need to store?

#5 simcoweb


Posted 23 September 2006 - 06:59 AM

Hmmm... is there a simple fix for this?

#6 Barand


Posted 23 September 2006 - 08:12 AM

You shouldn't get a value in $_POST['photo'] if you are uploading a file.

Does your form tag have enctype="multipart/form-data"?

If you run this script you'll see what I mean
<?php
if (isset($_POST['x']))  {
  echo "<h3>POST variables</h3>";  
  echo '<pre>', print_r($_POST, true), '</pre>';
  echo "<h3>FILES[photo] variables</h3>";  
  echo '<pre>', print_r($_FILES['photo'], true), '</pre>';
}
?>
<form method="post" enctype="multipart/form-data">
    Caption <input type="text" name="txt"> <br/>
    Photo <input type="file" name="photo"> <br/>
    <input type="submit" name="x" value="Upload">
</form>


#7 simcoweb


Posted 23 September 2006 - 04:44 PM

Hi Barand:

The form is enctype="multipart/form-data" and was previously working fine regarding the upload. I guess where I'm confused is your statement:

You shouldn't get a value in $_POST['photo'] if you are uploading a file.


I'm inserting the name of the pic into a mysql database field ( 'photo' ) so I can bring it up in the page display later. If I don't assign it a value how do I get the name of the pic into that field?



#8 Barand


Posted 23 September 2006 - 05:05 PM

Did you run that scriptlet ^

You will see that the input type=file, name=photo does not appear in the $_POST array.

The value you need to write to the database is the location of the file on the server. You are writing the value from $photo; you should be putting the value from $eg_uploadFile1, which is where you copied it to on the server.

#9 simcoweb


Posted 23 September 2006 - 05:22 PM

OK, ran the scriptlet. Here are the results:

POST variables

Array
(
    [txt] => yoo hoo
    [x] => Upload
)

FILES[photo] variables

Array
(
    [name] => 42dragono1-thumb.jpg
    [type] => image/jpeg
    [tmp_name] => /tmp/phpbEf9lf
    [error] => 0
    [size] => 3439
)


So the value I need to write to the database is the location? I'm so confused. I'm using this to summon pics in the HTML page:

<img src='http://www.sitename.com/images/photo/$photo'>

So storing the file [name] comes from...?

#10 Barand


Posted 23 September 2006 - 05:40 PM

When you are displaying the images on the page, they come from the 'photo' column in the table. This column needs to contain the location of the file on the server.

When you are inserting the record, it therefore needs to contain the location of the image on the server.

You are writing whatever is in the variable '$photo' when you insert the record, which, you say, comes from $_POST['photo'].


$sql = "INSERT INTO `plateau_pros`(`username`, `password`, `confirmPass`,
    `firstname`, `lastname`, `email`, `business`, `title`,
    `address`, `city`, `zip`, `phone`, `fax`, `mobile`,
    `category`, `comments`, `specialties`, `photo`)
    VALUES ('$username', '$password', '$confirmPass',
        '$firstname', '$lastname', '$email', '$business', '$title',
        '$address', '$city', '$zip', '$phone', '$fax', '$mobile',
        '$category', '$comments', '$specialties', '$photo')";


As I demonstrated in the scriptlet, there should be no such thing as $_POST['photo'].

You should be writing the contents of "$eg_uploadFile1" to the 'photo' column in the table, as that is where you have moved the uploaded file.


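An added example, not code from the thread or its participants: one way to apply the advice above, taking the `photo` value from the file that was actually moved rather than from `$_POST`, with the file name generated on the server and the insert done through a PDO prepared statement. The function name `store_photo`, the DSN built from the `dbconfig.php` variables, and the reduced column list are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Assumes dbconfig.php defines $dbhost, $dbuser,
// $dbpass and $dbname as in the original script, and PHP >= 7.1 with PDO and fileinfo.
const MAX_BYTES = 100000; // same size limit as the original script
const ALLOWED   = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// Validate one $_FILES entry, move it into $dir, and return the stored file name
// (the value that belongs in the `photo` column), or null if it was rejected.
function store_photo(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the file's bytes, not the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // Server-generated name: unique, no path components, nothing client-controlled.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    return move_uploaded_file($file['tmp_name'], "$dir/$name") ? $name : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['photo'])) {
    include 'dbconfig.php';
    $pdo = new PDO("mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4", $dbuser, $dbpass,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    // $_POST['photo'] does not exist for a file input; the value comes from the move.
    $photo = store_photo($_FILES['photo'], $_SERVER['DOCUMENT_ROOT'] . '/images/photo');
    if ($photo === null) {
        exit('Upload rejected');
    }
    // Placeholders keep form values out of the SQL text; other columns bind the same way.
    $stmt = $pdo->prepare(
        'INSERT INTO plateau_pros (username, email, photo) VALUES (:username, :email, :photo)'
    );
    $stmt->execute([
        ':username' => trim($_POST['username'] ?? ''),
        ':email'    => trim($_POST['email'] ?? ''),
        ':photo'    => $photo, // file name only; pages reference images/photo/$photo
    ]);
}
```

Storing only the generated file name matches the `<img src='.../images/photo/$photo'>` usage shown in post #9, and the value should still be passed through `htmlspecialchars()` when it is written into the page.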