
PHP/MySql Submission Form


ryanharper


Hello all! I am working on a submission form at a website of mine. I have it working except that I originally wrote the script to upload files into MySQL. I realized that this is not the method I need and am trying to change the script to upload the selected file into a directory and the link to this directory to go into MySQL.

 

Here is the upload.php code

____________________________________________________________________

<?php

include 'dbc.php';
page_protect();

$table = 'upload';
// use the same name as SQL table

$password = 'XXXXXX';
// simple upload restriction,
// to disallow uploading to everyone

// This function makes usage of
// $_GET, $_POST, etc... variables
// completely safe in SQL queries
function sql_safe($s)
{
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);

    return mysql_real_escape_string($s);
}

 

// If user pressed submit in one of the forms
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // cleaning the form fields: every value that is placed
    // in the query goes through sql_safe()
    $title = trim(sql_safe($_POST['title']));
    $name = sql_safe($_POST['name']);
    $type = sql_safe($_POST['type']);
    $subject = sql_safe($_POST['subject']);

    if ($title == '') // if title is not set
        $msg = 'Error: enter username';

    if ($name == '') // if name is not set
        $msg = 'Error: enter file name';

    if ($type == '') // if type is not set
        $msg = 'Error: enter the file type';

    // checking password (strict comparison, no type juggling)
    if ($_POST['password'] !== $password)
        $msg = 'Error: wrong upload password';
    else
    {
        if (!isset($msg)) // If there was no error
        {
            $data = file_get_contents($_FILES['photo']['tmp_name']);
            $data = mysql_real_escape_string($data);

            // Preparing data to be used in MySQL query
            mysql_query("INSERT INTO {$table}
                            SET type='$type', subject='$subject' , name='$name', title='$title',
                                data='$data'");

            $msg = 'Success: file uploaded';
        }
        elseif (isset($_GET['title']))      // isset(..title) needed
            $msg = 'Error: file not loaded';// to make sure we're using
                                            // upload form, not form
                                            // for deletion

        if (isset($_POST['del'])) // If user selected some photo to delete
        {                         // in 'uploaded images form';
            $id = intval($_POST['del']);
            mysql_query("DELETE FROM {$table} WHERE id=$id");
            $msg = 'Photo deleted';
        }
    }
}

elseif (isset($_GET['show']))
{
    $id = intval($_GET['show']);

    // the table has a `type` column and no `ext` column
    $result = mysql_query("SELECT type, image_time, data
                            FROM {$table}
                            WHERE id=$id LIMIT 1");

    if (mysql_num_rows($result) == 0)
        die('no image');

    list($type, $image_time, $data) = mysql_fetch_row($result);

    $send_304 = false;
    if (php_sapi_name() == 'apache') {
        // if our web server is apache
        // we can check the HTTP
        // If-Modified-Since header
        // and do not send image
        // if there is a cached version

        $ar = apache_request_headers();
        if (isset($ar['If-Modified-Since']) && // If-Modified-Since should exist
            ($ar['If-Modified-Since'] != '') && // not empty
            (strtotime($ar['If-Modified-Since']) >= $image_time)) // and greater than
            $send_304 = true;                                     // image_time
    }

    if ($send_304)
    {
        // Sending 304 response to browser
        // "Browser, your cached version of image is OK
        // we're not sending anything new to you"
        header('Last-Modified: '.gmdate('D, d M Y H:i:s', $image_time).' GMT', true, 304);

        exit(); // bye-bye
    }

    // outputting Last-Modified header
    header('Last-Modified: '.gmdate('D, d M Y H:i:s', $image_time).' GMT',
            true, 200);

    // Set expiration time +1 year
    // We do not have any photo re-uploading
    // so, browser may cache this photo for quite a long time
    header('Expires: '.gmdate('D, d M Y H:i:s',  $image_time + 86400*365).' GMT',
            true, 200);

    // outputting HTTP headers
    header('Content-Length: '.strlen($data));
    header("Content-type: image/{$type}");

    // outputting image
    echo $data;
    exit();
}
?>

<?php include("upheader.html"); ?>

<?php

if (isset($msg)) // this is special section for
                // outputting message
{
?>
<p style="font-weight: bold;"><?=$msg?>
<br>
<a href="<?=$PHP_SELF?>">reload page</a>
<!-- I've added reloading link, because
    refreshing POST queries is not good idea -->
</p>
<?php
}
?>
</form>
<h2>Upload new file:</h2>
<form action="<?=$PHP_SELF?>" method="POST" enctype="multipart/form-data">
<label for="title">Username:</label><br>
<input type="text" name="title" id="title" size="64"><br><br>
<label for="subject">Subject:</label><br>

<select name="subject" class="required" id="select8">
                <option value="" selected></option>
                <option value="acct">Accounting</option>
                <option value="anth">Anthropology</option>
                <option value="bio">Biology</option>
                <option value="chem">Chemistry</option>
                <option value="comm">Communications</option>
                <option value="econ">Economics</option>
                <option value="engl">English</option>
                <option value="fmgt">Finance</option>
                <option value="geog">Geography</option>
                <option value="grph">Graphic Design</option><br>
                <option value="hum">Humanities</option>
                <option value="cit">Information Technology</option>
                <option value="mkgt">Marketing</option>
                <option value="phil">Philosophy</option>
                <option value="pols">Political Science</option>
                <option value="psy">Psychology</option>
                <option value="soc">Sociology</option>
              </select><br><br>
<label for="name">File Name:</label><br>
<input type="text" name="name" id="name" size="64"><br><br>

<label for="type">File Type:</label><br>

<select name="type" class="required" id="select8">
                <option value="" selected></option>
                <option value="doc">.doc</option>
                <option value="docx">.docx</option>
                <option value="rtf">.rtf</option>
                <option value="xls">.xls</option>
                <option value="txt">.txt</option>
                <option value="pdf">.pdf</option>
                <option value="zip">.zip</option>
              </select><br><br>
<label for="photo">Select File:</label><br>
<input type="file" name="photo" id="photo"><br><br>

<label for="password">Password:</label><br>
<input type="password" name="password" id="password"><br><br>

<input type="submit" value="upload">
</form>

<?php include("footer.html"); ?>

_______________________________________________________

 

 

the database is:

 

Field       Type         Collation        Attributes                   Null  Default  Extra           Action
id          int(11)                                                    No             auto_increment
title       varchar(64)  utf8_general_ci                               No
subject     varchar(40)  utf8_general_ci                               No
name        varchar(60)  utf8_general_ci                               No
type        varchar(8)   utf8_general_ci                               No
image_time                                on update current timestamp  No
data        text         utf8_general_ci                               No

*id is primary

 

 

PLEASE HELP!!!

 

I have tried a few different options but cannot get the file to the directory or the link into the database. I think I have worked myself in circles at this point and need a fresh perspective... ANY thoughts or help is GREATLY appreciated!!!

 

rh

 

https://forums.phpfreaks.com/topic/241724-phpmysql-submission-form/

whoa, that's a lot of code to sort through

 

1. don't use $PHP_SELF for the action of your form, leads to XSS injection...one option is to use "#" instead...

http://www.google.com/#sclient=psy&hl=en&source=hp&q=xss+injection+php_self&aq=f&aqi=&aql=f&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=fce33a84b0764b22&biw=849&bih=200

2. you will want to use move_uploaded_file to move the uploaded file to a specified directory and an INSERT statement to insert the file path into your db table
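
Added example (not part of the original thread, and not the poster's code): one way to do what the reply describes, moving the upload into a directory with move_uploaded_file and inserting only its stored name into the table. It assumes a PDO connection that throws exceptions, a hypothetical `path` column in the `upload` table in place of `data`, and an upload directory outside the web root; `store_upload`, `ALLOWED_TYPES` and `MAX_BYTES` are illustrative names.

```php
<?php
// Added example. Assumptions: PDO connection with exceptions enabled and a
// hypothetical `path` column replacing `data` in the `upload` table.
const ALLOWED_TYPES = ['doc', 'docx', 'rtf', 'xls', 'txt', 'pdf', 'zip']; // the form's options
const MAX_BYTES = 5 * 1024 * 1024; // assumed size limit

function store_upload(PDO $db, array $file, array $post, string $uploadDir): string
{
    // Reject failed or forged uploads before touching the file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('file not uploaded');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The extension must be on the allowlist and match the type chosen
    // in the form; anything else (for example .php) is refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES, true) || $ext !== ($post['type'] ?? '')) {
        throw new RuntimeException('file type not allowed');
    }
    // Never reuse the client-supplied name on disk: a random server-side
    // name rules out path traversal and overwriting existing files.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    try {
        // Placeholders keep every form value out of the SQL text.
        $stmt = $db->prepare(
            'INSERT INTO upload (type, subject, name, title, path)
             VALUES (:type, :subject, :name, :title, :path)'
        );
        $stmt->execute([
            ':type'    => $ext,
            ':subject' => $post['subject'] ?? '',
            ':name'    => $post['name'] ?? '',
            ':title'   => $post['title'] ?? '',
            ':path'    => $stored,
        ]);
    } catch (PDOException $e) {
        unlink($dest); // do not leave an orphaned file behind
        throw $e;
    }
    return $stored;
}
// Usage in the POST branch: store_upload($db, $_FILES['photo'], $_POST, '/var/uploads');
```

The display name typed into the form is stored only as data in the `name` column; the file on disk is always addressed by the generated name in `path`.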

Archived

This topic is now archived and is closed to further replies.
