
Image Upload Script Help


Bubblychaz


So I changed host today and now my image upload script isn't working.. can someone help please

form is:

<FORM ACTION="upload.pro.php" enctype="multipart/form-data" METHOD=POST>
<table width="366" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="2"><center>Upload An Image</center></td>
</tr>
<tr>
<td>Made By:</td>
<td><input type="text" name="madeby" value="<? echo $check["username"] ?>"></td>
</tr>
<tr>
<td>You are?:</td>
<td><input type="text" name="submitted" value="<? echo $check["username"] ?>"></td>
</tr>

<tr>
<td>Name of Graphic:</td>
<td><input type="text" name="name" value=""></td>
</tr>
<tr>
<td>Filed Under:</td>
<td><select name="filedunder">
<option value="avatars">Avatar</option>
<option value=backgrounds>Background</option>
<option value=banners>Banner</option>
<option value=blinkies>Blinkie</option>
<option value=buttons>Button</option>
<option value=gallerys>Gallery Layout</option>
<option value=glitters>Glitter</option>
<option value=guides>Guide Image</option>
<option value=guilds>Guild Layout</option>
<option value=misc> Miscellaneous</option>
<option value=nbhelp>NeoBoard Help</option>
<option value=petlookups>Pet Lookup</option>
<option value=petpages>PetPage Layout</option>
<option value=shields>Shield</option>
<option value=shops>Shop Layout</option>
<option value=tutorials>Tutorial Image</option>
<option value=userlookups>User Lookup</option>
</select></td>
</tr>
<tr>
<td>Upload Image:</td>
<td><input type="file" name="Image"></td>
</tr>

<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td colspan="2"><center><font size="-1"><i>
<input type="submit" name="Submit" value="Add">
</i></font></center></td>
</tr>
</table></FORM>

then the action page is

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $HTTP_POST_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }

$directoryName2 = "$baseurl/images/$filedunder";

if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }

if (!eregi("$images/", $HTTP_POST_FILES['Image']['type']) )
{
die("
Please only use image files");
}

if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");
}
else
{
mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();

$image = $insert_id . "img.png";

mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");

$file = $HTTP_POST_FILES['Image']['tmp_name'];

$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';

copy($file, $dest);

die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}

I don't know if it matters but, the form is on a subdomain and the upload directory is off the sub-domain

$baseurl = "http://www.spardel.com/";

Once I upload an image I get "Please only use image files"

Edited by Bubblychaz

Okay done that,

before changing the eregi the script would update the database but not upload the file...

After changing both files and preg, it will still give the error please only use image file

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");}
else
{ mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();
$image = $insert_id . "img.png";
mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
copy($file, $dest);
die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}

I removed this completely

if (!preg_match("$images/", $_FILES['Image']['type']) )
{ die(" Please only use image files"); }

And it went through and said it added, though the image didn't upload, the script added the correct info to the database.

Edited by Bubblychaz

$images/ is not a valid PCRE, however you don't need to use a regex here. Just use:

 

if (strpos($_FILE['Image']['type'], 'images/') !== 0) {
// ...
}

 

Sorry this has confused me can you explain more please

 

Where am I putting this? What it replaces? And What does it do?

 

I am still learning :)

Edited by Bubblychaz

Take a look at the manual for strpos - it checks the position of a string within another. In this case if the return value is not 0 (i.e. the string "images/" is not at position 0 within the file type,) run that code. Given we can do that, there's no need for the overhead of a regex just to check if a string starts with something.

 

PCRE stands for Perl-Compatible Regular Expression, and is syntactically different to POSIX regular expressions (used by the ereg functions). You can't just change the function name to convert to PCRE from POSIX.

Edited by Adam

Ok Thanks. So I would do something like:

 

if (!preg_match("$images/", $_FILES['Image']['type']) )

{ die(" Please only use image files"); }

 

replaced with

if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }

 

? Or Am I misunderstanding?


Ok Thanks. So I would do something like:

 

if (!preg_match("$images/", $_FILES['Image']['type']) )

{ die(" Please only use image files"); }

 

replaced with

if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }

 

? Or Am I misunderstanding?

 

You are correct.

However as a note, only use the die() function during development and not for production. Not very user friendly.


Well just tested it as

$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (strpos($_FILE['Image']['type'], 'images/') !== 0) { die(" Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");}
else
{ mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();
$image = $insert_id . "img.png";
mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
copy($file, $dest);
die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}

And I'm still getting the please only use image files error..

Also what would I use instead of Die?


Add:

 

print_r($_FILES); exit;

 

.. To the top of your script and post us the output, within


tags (those spoiler tags you're using don't display in a fixed-width font.)

 

Although you should be aware your script has security issues with it. For a start, the file type can be spoofed so it's not reliable to verify the actual file type. Also you're blindly inserting values into the database without escaping them.

Edited by Adam

 Array ( [image] => Array ( [name] => zebra.JPG [type] => image/jpeg [tmp_name] => /var/tmp/phppBpmma [error] => 0 [size] => 59038 ) ) 

 

is printed now.

 

 

How do I escape the insert to the database?

 

How would I make it more secure?

Edited by Bubblychaz

Ah yeah, ha. It's not "images/", just "image/". Missed that! As I said though, you're better off verifying the file extension is valid instead of the file type. Even if it's not actually an image that the user uploads, but it has an image extension, the server will still treat it like an image. Use this:

 

$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    // ...
}

 

That parses the file extension from the name, then checks if that extension is not in the array of allowed extensions.

 

As for the unescaped variables, you just need to run them through mysql_real_escape_string before use in the query.

Edited by Adam
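
A stricter version of the checks raised in the replies above (spoofable file type, unescaped database values), as an added example rather than code from the thread: it reads the type from the file's content, allowlists `filedunder`, and uses PDO placeholders in place of the `mysql_real_escape_string` call the reply mentions. `storeUpload`, `validCategory`, `detectImageExtension`, `$pdo` and `$imageRoot` are assumed names, and the `date` and `url` columns are left out.

```php
<?php
// Added example, not code from the thread. Assumed: fileinfo + PDO extensions,
// an open $pdo connection, and the thread's "<category>img" table naming.
const CATEGORIES = [
    'avatars', 'backgrounds', 'banners', 'blinkies', 'buttons', 'gallerys',
    'glitters', 'guides', 'guilds', 'misc', 'nbhelp', 'petlookups', 'petpages',
    'shields', 'shops', 'tutorials', 'userlookups',
];
// Detected content type => extension the server assigns.
const IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// $category ends up in a table name and a directory path, where quoting or
// escaping cannot help, so only an exact allowlist match is accepted.
function validCategory(string $category): ?string
{
    return in_array($category, CATEGORIES, true) ? $category : null;
}

// Extension for the file's actual content, or null if it is not an allowed
// image. $_FILES[...]['type'] and the client's file name are never consulted.
function detectImageExtension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $ext = is_string($mime) ? (IMAGE_TYPES[$mime] ?? null) : null;
    return ($ext !== null && getimagesize($path) !== false) ? $ext : null;
}

// Hypothetical handler: $post is $_POST, $upload is $_FILES['Image'],
// $imageRoot is a filesystem directory (not a URL such as $baseurl).
function storeUpload(PDO $pdo, array $post, array $upload, string $imageRoot): string
{
    $category = validCategory($post['filedunder'] ?? '');
    if ($category === null || ($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Invalid category or failed upload');
    }
    $ext = detectImageExtension($upload['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Please only use image files');
    }
    // Placeholders keep user-supplied text out of the SQL statement itself.
    $stmt = $pdo->prepare("INSERT INTO {$category}img (madeby, name, submitted) VALUES (?, ?, ?)");
    $stmt->execute([$post['madeby'] ?? '', $post['name'] ?? '', $post['submitted'] ?? '']);
    $file = $pdo->lastInsertId() . 'img.' . $ext;
    // move_uploaded_file() only accepts a file that PHP itself received via POST.
    if (!move_uploaded_file($upload['tmp_name'], "$imageRoot/$category/$file")) {
        throw new RuntimeException('Could not store the file');
    }
    return "$category/$file";
}
```

The caller catches `RuntimeException` and renders an error page, which also replaces the `die()` calls discussed earlier in the thread.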

I now have in coding

print_r($_FILES); exit;
$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    // ...
}

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }
if (strpos($_FILE['Image']['type'], 'image/') !== 0) { die("  Please only use image files"); }
if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");}
else
{ mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();
$image = $insert_id . "img.png";
mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
copy($file, $dest);
die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}

 

and the print out is

 

 Array ( [image] => Array ( [name] => zebra.JPG [type] => image/jpeg [tmp_name] => /var/tmp/phpFbholc [error] => 0 [size] => 59038 ) )


You'll want to remove the print_r() line now, that was just for debugging purposes. Also change "// ..." to a die statement. Though as mentioned, once you get this working, you should replace the die statements with proper error handling.

Edited by Adam

I can't see any images with the checks, only in the file destination of $baseurl/images/

 


$name = $_POST['name'];
$madeby = $_POST['madeby'];
$submitted = $_POST['submitted'];
$filedunder = $_POST['filedunder'];
$filedunder2 = $filedunder.'img';
$Image = $_FILES['Image'];
$directoryName = "$baseurl/images/$filedunder";

$extension = strtolower(pathinfo($Image['name'], PATHINFO_EXTENSION));
if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'png'))) {
    die("Statement here");
}

if (!file_exists($directoryName)) { mkdir($directoryName, 0777); }
$directoryName2 = "$baseurl/images/$filedunder";
if (!file_exists($directoryName2)) { mkdir($directoryName2, 0777); }

if (strpos($_FILE['Image']['type'], 'image/') !== 0) { die("  Please only use image files"); }

if ((!$name) OR (!$filedunder) OR (!$Image))
{
die("Please dont leave blank info");}
else
{ mysql_query("INSERT INTO $filedunder2 (madeby,name,date,submitted) VALUES ('$madeby','$name','$timestamp','$submitted')");

$insert_id = mysql_insert_id();
$image = $insert_id . "img.png";
mysql_query("UPDATE $filedunder2 SET url = '$baseurl/images/$filedunder/$image' WHERE id = '$insert_id' ");
$file = $_FILES['Image']['tmp_name'];
$dest = $_SERVER['DOCUMENT_ROOT'].'/images/'.$filedunder.'/'.$insert_id.'img.png';
copy($file, $dest);
die("oooohhhhh It Added!
<P>
<B>Take note of this url, as Your uploads page is currently down!!!</b><P>
<Textarea>www.spardel.com/images/$filedunder/$image</Textarea>
");
}


Bubblychaz, I encourage you to study the code that you have been given so that you may find some of these errors yourself instead of asking as soon as you are thrown an error.

 

Make sure that you have error_reporting() set to -1 and display_errors() set to 1 or 'on'. That way PHP will let you know when and where something goes wrong so you can debug the code yourself.


My bad! The code I gave you is wrong, needs to be $_FILES, not $_FILE. Though, I'm surprised you didn't get a PHP notice about that?

 

That added, but didn't upload the image to the server?

----

Edit:

I did some work on the script, the script is on a subdomain, I want it to upload the images to a folder in the main domain, So out of curiosity I made a folder in subdomain called images and that is where the images are now uploading to.

Edited by Bubblychaz

Bubblychaz, I encourage you to study the code that you have been given so that you may find some of these errors yourself instead of asking as soon as you are thrown an error.

 

Make sure that you have error_reporting() set to -1 and display_errors() set to 1 or 'on'. That way PHP will let you know when and where something goes wrong so you can debug the code yourself.

 

How do I set up the error_reporting?


I fixed it.. I think..

I'm unsure if this is the correct way around it but

I took

$_SERVER['DOCUMENT_ROOT'] = "/home4/spardelc/";

off the addon.php

and put it at the top of my script, But I also checked my file manager to see exactly what my root was called and added this to the top of my script

$_SERVER['DOCUMENT_ROOT'] = "/home4/spardelc/public_html/";


Hmm hang about. Something went a bit crazy then and your last three posts only just showed up. What I meant in my previous post was directed at you saying you wanted to upload from one domain to the other. In response to the document root stuff, I don't really understand what you're trying to fix?

