simcoweb Posted September 22, 2006 Share Posted September 22, 2006 This was working fine until I added a bit of code to do some form validation via CAPTCHA. I didn't touch the queries or any of the database functions, however. But, for some reason now instead of the file name of the image being inserted i'm getting the /tmp name. [code]<?phpob_start();session_start();// Turn on magic quotes to prevent SQL injection attacksif(!get_magic_quotes_gpc()) set_magic_quotes_runtime(1); if (isset($_POST['submit'])) {// clean and check form inputs including the secure image code $username = trim(strip_tags($_POST['username'])); $email = trim(strip_tags($_POST['email'])); $password = trim(strip_tags($_POST['password'])); $confirmPass = trim(strip_tags($_POST['confirmPass'])); $secure = strtoupper(trim(strip_tags($_POST['secure']))); $match = $_SESSION['loggedin']; // the code on the image// input error checking if ($username=="") { $err.= "Please provide a username<br/>"; } if (!$email) { $err.= "Please provide your email address<br>"; } if ($email) { if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) { $err.= $email. " is not a valid email address.<br/>"; } } if ($password=="") { $err.= "Please provide password<br/>"; } if ($confirmPass=="") { $err.= "Please confirm your password.<br/>"; } if ($confirmPass != $password) { $err.= "Your passwords do not match. Please re-enter your passwords."; } if (!$secure) { $err.= "No security code entered<br/>"; } if (($secure!=$match) && ($secure!="")) { $err.= "Security code mismatch<br/>"; } if ($err=="") { // success - input passed all tests include 'dbconfig.php'; // Connect to database $eg_objConn1 = mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname, $eg_objConn1); //check if username already exists $sql_user_check = "SELECT * FROM plateau_pros WHERE username='$username'"; $result_name_check = mysql_query($sql_user_check); $usersfound = mysql_num_rows($result_name_check); mysql_query($sql_user_check); // if user found, note that and endif ($usersfound > 0) { $eg_error['username'] = "Username $username is already in use. Please choose another username to continue."; } else { // Upload File $eg_success_File1 = false; if(!empty($_FILES['photo']['name'])) { // Check file is not larger than specified maximum size $eg_allowUpload = $_FILES['photo']['size'] <= 100000 ? true : false; // Check file is of the specified type if($eg_allowUpload) $eg_allowUpload = preg_match('/\\.(gif|jpg|jpeg|png)$/i', $_FILES['photo']['name']) ? true : false; if($eg_allowUpload) { if(is_uploaded_file($_FILES['photo']['tmp_name'])) { $eg_uploaddir = $_SERVER['DOCUMENT_ROOT']."/images/photo/"; $eg_uploadFile1 = $eg_uploaddir.rawurlencode($_FILES['photo']['name']); // Create a unique filename for the uploaded file $eg_i = 1; while (file_exists($eg_uploadFile1)) { $eg_separated_filename = explode(".",$eg_uploadFile1); if (substr($eg_separated_filename[0],-1) == $eg_i) { $eg_separated_filename[0] = substr($eg_separated_filename[0], 0, (strlen($eg_separated_filename[0])-1)); $eg_i++; } $eg_separated_filename[0] = $eg_separated_filename[0] . "$eg_i"; $eg_uploadFile1 = implode(".",$eg_separated_filename); } $eg_success_File1 = move_uploaded_file($_FILES['photo']['tmp_name'], $eg_uploadFile1); } } } // Run query$sql = "INSERT INTO `plateau_pros`(`username`, `password`, `confirmPass`, `firstname`, `lastname`, `email`, `business`, `title`, `address`, `city`, `zip`, `phone`, `fax`, `mobile`, `category`, `comments`, `specialties`, `photo`) VALUES ('$username', '$password', '$confirmPass', '$firstname', '$lastname', '$email', '$business', '$title', '$address', '$city', '$zip', '$phone', '$fax', '$mobile', '$category', '$comments', '$specialties', '$photo')";mysql_query($sql) or die(mysql_error());$newid = mysql_insert_id();echo $sql;// $sql2 = "INSERT INTO members_cat (`memberid`, `categoryid`) VALUES ('$newid', '$catid')";// mysql_query($sql2) or die(mysql_error());// $sql3 = "INSERT INTO specialties (`memberid`, `specialties`) VALUES ('$newid' '$specialties')";// mysql_query($sql3) or die(mysql_error());// set session ID and redirect to login page upon success// Set Session Value //$_SESSION['loggedin'] = @$_POST['username']; // Go to page header("Location: login.php"); exit;}}}?>[/code]help? Quote Link to comment Share on other sites More sharing options...
Barand Posted September 22, 2006 Share Posted September 22, 2006 You write the variable $photo to the table but I can't see it given a value anywhere Quote Link to comment Share on other sites More sharing options...
simcoweb Posted September 22, 2006 Author Share Posted September 22, 2006 Barand, wouldn't that come from the $_POST of the form? I didn't post that code but basically it's parsing the form data to obtain the variables. All the other form elements are getting entered perfectly. Quote Link to comment Share on other sites More sharing options...
Barand Posted September 22, 2006 Share Posted September 22, 2006 But having moved the uploaded file to $eg_uploadFile1, isn't that what you need to store? Quote Link to comment Share on other sites More sharing options...
simcoweb Posted September 23, 2006 Author Share Posted September 23, 2006 Hmmm... is there a simple fix for this? Quote Link to comment Share on other sites More sharing options...
Barand Posted September 23, 2006 Share Posted September 23, 2006 You shouldn't get a value in $_POST['photo'] if you are uploading a file.Does your form tag have enctype="multipart/form-data"If you run this script you'll see what I mean[code]<?phpif (isset($_POST['x'])) { echo "<h3>POST variables</h3>"; echo '<pre>', print_r($_POST, true), '</pre>'; echo "<h3>FILES[photo] variables</h3>"; echo '<pre>', print_r($_FILES['photo'], true), '</pre>';}?><form method="post" enctype="multipart/form-data"> Caption <input type="text" name="txt"> <br/> Photo <input type="file" name="photo"> <br/> <input type="submit" name="x" value="Upload"></form>[/code] Quote Link to comment Share on other sites More sharing options...
simcoweb Posted September 23, 2006 Author Share Posted September 23, 2006 Hi Barand:The form is enctype="multipart/form-data" and was previously working fine regarding the upload. I guess where i'm confused is your statement:[quote]You shouldn't get a value in $_POST['photo'] if you are uploading a file.[/quote]I'm inserting the name of the pic into a mysql database field ( 'photo' ) so I can bring it up in the page display later. If I don't assign it a value how do I get the name of the pic into that field? Quote Link to comment Share on other sites More sharing options...
Barand Posted September 23, 2006 Share Posted September 23, 2006 Did you run that scriptlet ^You will see that the input type=file, name=photo does not appear in the $_POST array. The value you need to write to the database is the location of the file on the server. You are writing the value from $photo; you should be putting the value from $eg_uploadFile1, which is where you copied it to on the server. Quote Link to comment Share on other sites More sharing options...
simcoweb Posted September 23, 2006 Author Share Posted September 23, 2006 Ok, ran the scriptlet. Here's the results:[quote]POST variablesArray( [txt] => yoo hoo [x] => Upload)FILES[photo] variablesArray( [name] => 42dragono1-thumb.jpg [type] => image/jpeg [tmp_name] => /tmp/phpbEf9lf [error] => 0 [size] => 3439)[/quote]So the value I need to write to the database is the location? I'm so confused. I'm using this to summon pics in the HTML page:<img src='http://www.sitename.com/images/photo/$photo'> So storing the file [name] comes from...? Quote Link to comment Share on other sites More sharing options...
Barand Posted September 23, 2006 Share Posted September 23, 2006 When you are displaying the image on the page they come from the 'photo' column in the table. This column needs to contain the location of the file on the server.When you are inserting the record it therefore need to contain the location of the image [b]on the server[/b]. You are writing whatever is in the variable '$photo' when you insert the record, which, you say, comes from $_POST['photo'].$sql = "INSERT INTO `plateau_pros`(`username`, `password`, `confirmPass`, `firstname`, `lastname`, `email`, `business`, `title`, `address`, `city`, `zip`, `phone`, `fax`, `mobile`, `category`, `comments`, `specialties`, `photo`) VALUES ('$username', '$password', '$confirmPass', '$firstname', '$lastname', '$email', '$business', '$title', '$address', '$city', '$zip', '$phone', '$fax', '$mobile', '$category', '$comments', '$specialties', '[color=red]$photo[/color]')";As I demonstrated in the scriptlet, there should be no such thing as $_POST['photo'].You should be writing the contents of "$eg_uploadFile1" to the 'photo' column in the table, as that is where you have moved the uploaded file. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.