Help with File Uploading

[leachus2002]

Hi There,

 

I have been reading a tutorial on a website that shows people how to upload files into a MYSQL server - which seems to work perfectly.

 

** Code Extract **

 

if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0)
{
$fileName = $_FILES['userfile']['name'];
$tmpName  = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];

$fp      = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

if(!get_magic_quotes_gpc())
{
    $fileName = addslashes($fileName);
}

 

However, the problem I am faced with is that I would like to use MSSQL as the server to upload to, and I understand that the ADDSLASHES command will not work with MSSQL? I have tried using a combination of ADDSLASHES and str_replace commands, to escape the single quotes - but to no avail I am afraid.

 

Can anyone help by helping me to modify the code above to allow me to upload to my MSSQL DB?

 

Thanks in advance

Matt

[possien]

I think you want to create a table with the file name and other information you want about the file.  Gather that when you upload the file. You aren't using the variables for file size and type? Here is some code for upload photos, you can see it checks to see if it meets the size and type requirements and if a successful transfer, writes info I want to the database.  I use the size and type constants to limit the size and type of file. You can link a directory/file name (from the database) when you want the file.  You don't need to read and write the file unless you are manipulating the content.

 

I also show an include for notifying the admin when a file is uploaded for approval.

 

<?php //Add Photos

define('UPLOADPATH','upimages/');

define('MAXFILESIZE', 3000000);

$dbc = mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME);

if(isset($_POST['submit'])){

$date_taken = mysqli_real_escape_string($dbc, trim($_POST['date_taken']));

$description = mysqli_real_escape_string($dbc, trim($_POST['description']));

$file_name = mktime() . mysqli_real_escape_string($dbc, trim($_FILES['file_name']['name']));

$uploaded_by = mysqli_real_escape_string($dbc, trim($_POST['uploaded_by']));

$file_name_type = $_FILES['file_name']['type'];

$file_name_size = $_FILES['file_name']['size']; 
if(!empty($date_taken) && !empty($description) && !empty($file_name) && !empty($uploaded_by)){

if((($file_name_type == 'image/gif') || ($file_name_type == 'image/jpeg') || ($file_name_type == 'image/pjpeg') ||($file_name_type == 'image/png')) && ($file_name_size > 0) && ($file_name_size <= MAXFILESIZE)) {

	if ($_FILES['file_name']['error'] == 0){
$target = UPLOADPATH . $file_name;
if (move_uploaded_file($_FILES['file_name']['tmp_name'], $target)) {
$query = "INSERT INTO photos(date_taken, description, file_name, uploaded_by) VALUES('$date_taken', '$description',  '$file_name', '$uploaded_by')";

mysqli_query($dbc, $query); 

require_once('includes/admin_notify.php');
$admin->photo();

echo "<hr />";

echo '<h4> Thanks for adding your photo!<h4/>';

echo '<p> Date Taken: '. $date_taken.'</p>';

echo '<p> Description: '. $description.'</p>';

echo '<p> Uploaded by: ' . $uploaded_by . '</p>';

echo '<p> <image src="' . UPLOADPATH . $file_name .'" alt="Photo" /></p>';

echo "<hr />";

$date_taken = '';

$description = '';

$file_name = '';

$uploaded_by = '';

mysqli_close($dbc);
}

else {

echo '<p>There was a problem uploading your photo.</p>';

	}

}

}

else{

echo '<p>The photo file must be a GIF, JPEG or PNG image file no greater than 3 megabytes</p>';

}

@unlink($_FILES['file_name']['tmp_name']);

}

else {

echo '<h4> Please insure all information was added</h4>';

}

}

?>

[xyph]

Try using this instead of addslashes()

 

http://stackoverflow.com/questions/574805/how-to-escape-strings-in-mssql-using-php