AlenD Posted June 4, 2011

Hello everyone, this is my code and it updates text and an image in a database. I'm just asking for help on what I can do to refine it, like security for file uploads, and what parameters I should add to it?

<?php
$hostname = "localhost";
$db_user = "root";
$db_password = "";
$database = "ymir";
$db_table = "content";
$db = mysql_connect($hostname, $db_user, $db_password);
mysql_select_db($database, $db);
?>
<html>
<head>
<title>File Uploader</title>
</head>
<body>
<?php
if (isset($_REQUEST['Submit']) && $_FILES['userfile']['size'] > 0) {
    $filename = $_FILES['userfile']['name'];
    $sql = "UPDATE $db_table SET header = '".mysql_real_escape_string(stripslashes($_REQUEST['header']))."' , body = '".mysql_real_escape_string(stripslashes($_REQUEST['body']))."' , pic = '".mysql_real_escape_string(stripslashes($filename))."'";
    if ($result = mysql_query($sql, $db)) {
        echo '<h1>Thank you</h1>Your information has been entered into our database';
        echo "<br>File $filename uploaded<br>";
        move_uploaded_file($_FILES["userfile"]["tmp_name"], "upload/" . $_FILES["userfile"]["name"]);
        echo "Stored in: " . "upload/" . $_FILES["userfile"]["name"];
    } else {
        echo "ERROR: " . mysql_error();
    }
}
?>
<h1>Please insert information and image here</h1><hr>
<form method="post" enctype="multipart/form-data" action="">
Title:<br>
<input type="text" name="header">
<br>
Body:<br>
<input type="text" name="body">
<br>
<input type="hidden" name="MAX_FILE_SIZE" value="700000" />
Image: <input type="file" name="userfile" />
<br><br>
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
jcbones Posted June 4, 2011

1. Don't use $_REQUEST; instead use the appropriate $_POST, $_GET, or $_COOKIE.
2. Change the filename to a unique one. Some just append a time() to the end of the filename (before the ext., of course).
3. You may want to add a WHERE clause to that SQL query, unless you want every row in the database updated.
4. You should be checking $_FILES['userfile']['error'] to see if there are any errors in the image upload.
5. You shouldn't rely on MAX_FILE_SIZE to limit the file size uploaded; that can be spoofed easily. Check that in your script also.
6. I would wrap an if() statement around the move_uploaded_file. Then echo either 'file stored' or 'file failed to store' based on the return of 'true' or 'false'.

Think on these, then post back.
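A version of the update handler that applies all six points above, as an added example that is not code from either poster. It assumes an integer `id` column in the `content` table for the WHERE clause, swaps the `mysql_*` functions for mysqli prepared statements, and adds one check the reply does not mention: inspecting the uploaded bytes with getimagesize() instead of trusting the client-supplied name.

```php
<?php
// Added example, not from the original thread. Assumes an integer `id`
// primary key on `content` (header, body, pic) and the same DB credentials.
$db = new mysqli("localhost", "root", "", "ymir");
if ($db->connect_error) { die("DB connect failed"); }

$maxBytes = 700000;   // the form's hidden MAX_FILE_SIZE, now enforced server-side (point 5)
$allowed  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

if (isset($_POST['Submit'])) {                               // point 1: $_POST, not $_REQUEST
    $f = $_FILES['userfile'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {       // point 4: check the upload error code
        die("Upload failed, error code " . ($f['error'] ?? 'none'));
    }
    if ($f['size'] > $maxBytes) {                             // point 5: client size hint is not trusted
        die("File too large");
    }
    // Beyond the reply: decide the type from the file contents, not from the name or MIME header.
    $info = getimagesize($f['tmp_name']);
    if ($info === false || !isset($allowed[$info['mime']])) {
        die("Not an accepted image");
    }
    // point 2: unique server-chosen name, time() appended before an extension we picked ourselves
    $base     = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($f['name'], PATHINFO_FILENAME));
    $filename = $base . '_' . time() . '.' . $allowed[$info['mime']];
    $dest     = __DIR__ . '/upload/' . $filename;

    if (!move_uploaded_file($f['tmp_name'], $dest)) {         // point 6: report the real outcome
        die("File failed to store");
    }
    // point 3: WHERE clause so only one row changes; bound parameters replace manual escaping
    $id     = (int)($_POST['id'] ?? 0);
    $header = $_POST['header'] ?? '';
    $body   = $_POST['body'] ?? '';
    $stmt   = $db->prepare("UPDATE content SET header = ?, body = ?, pic = ? WHERE id = ?");
    $stmt->bind_param("sssi", $header, $body, $filename, $id);
    if ($stmt->execute() && $stmt->affected_rows > 0) {
        echo "File stored as " . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8');
    } else {
        unlink($dest);                    // no matching row: remove the orphaned file
        echo "Update failed: " . htmlspecialchars($stmt->error, ENT_QUOTES, 'UTF-8');
    }
}
```

The filename echoed back is HTML-escaped, which the original page did not do for the user-supplied name.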