samseen Posted November 29, 2012

Hello fellas, I'm trying to write a simple application that uploads a file other than an image into a database. I mean files such as pdf, doc and some common image extensions. My PHP version is 5.5.24. I have an index page which displays the information of various user high scores, and an addscore script which uploads new info into the database. The program works fine if I only allow users to upload a file with an extension of type .gif, .jpg, .png and .pjpeg. With the permission of a .doc, .pdf, it doesn't allow the upload anymore and it brings up the error it ought to display if it's more than the specified size (even though I'm still within the permissible range!).

This is the index code:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Guitar Wars - High Scores</title>
  <link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
  <h2>Guitar Wars - High Scores</h2>
  <p>Welcome, Guitar Warrior, do you have what it takes to crack the high score list? If so, just <a href="addscore.php">add your own score</a>.</p>
  <hr />

<?php
  require_once('appvars.php');
  require_once('connectvars.php');

  // Connect to the database
  $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
    or die("Error querying database");

  // Retrieve the score data from MySQL
  $query = "SELECT * FROM guitarwars ORDER BY name ASC";
  $data = mysqli_query($dbc, $query);

  // Loop through the array of score data, formatting it as HTML
  echo '<table>';
  $i = 0;
  while ($row = mysqli_fetch_array($data)) {
    // Display the score data (escaped for HTML, since users entered these values)
    if ($i == 0) {
      echo '<tr><td colspan="2" class="topscoreheader">Top Score:' . htmlspecialchars($row['score']) . '</td></tr>';
    }
    echo '<tr><td class="scoreinfo">';
    echo '<span class="score">' . htmlspecialchars($row['score']) . '</span><br />';
    echo '<strong>Name:</strong> ' . htmlspecialchars($row['name']) . '<br />';
    echo '<strong>Date:</strong> ' . htmlspecialchars($row['date']) . '</td>';
    if (is_file(GW_UPLOADPATH . $row['screenshot']) && filesize(GW_UPLOADPATH . $row['screenshot']) > 0) {
      echo '<td><img src="' . htmlspecialchars(GW_UPLOADPATH . $row['screenshot']) . '" alt="Score image" /></td></tr>';
    }
    else {
      echo '<td><img src="' . GW_UPLOADPATH . 'unverified.gif' . '" alt="Unverified score" /></td></tr>';
    }
    $i++;
  }
  echo '</table>';

  mysqli_close($dbc);
?>

</body>
</html>
```

This is the addscore script:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Guitar Wars - Add Your High Score</title>
  <link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
  <h2>Guitar Wars - Add Your High Score</h2>

<?php
  // Define the upload path and maximum file size constants
  require_once('appvars.php');
  require_once('connectvars.php');

  if (isset($_POST['submit'])) {
    // Grab the score data from the POST
    $name = $_POST['name'];
    $score = $_POST['score'];
    $screenshot = $_FILES['screenshot']['name'];
    $screenshot_type = $_FILES['screenshot']['type'];
    $screenshot_size = $_FILES['screenshot']['size'];

    if (!empty($name) && !empty($score) && !empty($screenshot)) {
      if ((($screenshot_type == 'image/gif') || ($screenshot_type == 'image/jpeg') ||
           ($screenshot_type == 'image/pjpeg') || ($screenshot_type == 'image/png') ||
           ($screenshot_type == 'image/pdf') || ($screenshot_type == 'image/docx')) &&
          ($screenshot_size > 0) && ($screenshot_size <= GW_MAXFILESIZE)) {
        if ($_FILES['screenshot']['error'] == 0) {
          // Move the file to the target upload folder
          $target = GW_UPLOADPATH . $screenshot;
          if (move_uploaded_file($_FILES['screenshot']['tmp_name'], $target)) {
            // Connect to the database
            $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

            // Escape the request values before placing them in the query
            $name_sql = mysqli_real_escape_string($dbc, $name);
            $score_sql = mysqli_real_escape_string($dbc, $score);
            $screenshot_sql = mysqli_real_escape_string($dbc, $screenshot);

            // Write the data to the database
            $query = "INSERT INTO guitarwars VALUES (0, NOW(), '$name_sql', '$score_sql', '$screenshot_sql')";
            mysqli_query($dbc, $query);

            // Confirm success with the user (values escaped for HTML output)
            echo '<p>Thanks for adding your new high score!</p>';
            echo '<p><strong>Name:</strong> ' . htmlspecialchars($name) . '<br />';
            echo '<strong>Score:</strong> ' . htmlspecialchars($score) . '<br />';
            if (($screenshot_type == 'image/pdf') || ($screenshot_type == 'image/docx')) {
              echo '<img src="scroll.jpg" alt="Score image" /></p>';
            }
            else {
              echo '<img src="' . htmlspecialchars(GW_UPLOADPATH . $screenshot) . '" alt="Score image" /></p>';
            }
            echo '<p><a href="index.php">&lt;&lt; Back to high scores</a></p>';

            // Clear the score data to clear the form
            $name = "";
            $score = "";
            $screenshot = "";

            mysqli_close($dbc);
          }
          else {
            echo '<p class="error">Sorry, there was a problem uploading your screen shot image.</p>';
          }
        }
      }
      else {
        echo '<p class="error">The screen shot must be a GIF, JPEG, or PNG image file no ' .
          'greater than ' . (GW_MAXFILESIZE / 1024) . ' KB in size.</p>';
      }

      // Try to delete the temporary screen shot image file
      @unlink($_FILES['screenshot']['tmp_name']);
    }
    else {
      echo '<p class="error">Please enter all of the information to add your high score.</p>';
    }
  }
?>

  <hr />
  <form enctype="multipart/form-data" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <input type="hidden" name="MAX_FILE_SIZE" value="102400" />
    <label for="name">Name:</label>
    <input type="text" id="name" name="name" value="<?php if (!empty($name)) echo htmlspecialchars($name); ?>" />
    <br />
    <label for="score">Score:</label>
    <input type="text" id="score" name="score" value="<?php if (!empty($score)) echo htmlspecialchars($score); ?>" />
    <br />
    <label for="screenshot">Screen shot:</label>
    <input type="file" id="screenshot" name="screenshot" />
    <hr />
    <input type="submit" value="Add" name="submit" />
  </form>
</body>
</html>
```

I've been on this for the past one week, Googling stuff on how to upload a file other than an image file. I'd really appreciate it if I could find out how else to upload a file other than an image. Thank you in advance!

PFMaBiSmAd Posted November 29, 2012

The following lines of code are the problem -

```php
if (!empty($name) && !empty($score) && !empty($screenshot)) {
  if ((($screenshot_type == 'image/gif') || ($screenshot_type == 'image/jpeg') ||
       ($screenshot_type == 'image/pjpeg') || ($screenshot_type == 'image/png') ||
       ($screenshot_type == 'image/pdf') || ($screenshot_type == 'image/docx')) &&
      ($screenshot_size > 0) && ($screenshot_size <= GW_MAXFILESIZE)) {
    if ($_FILES['screenshot']['error'] == 0) {
```

1) By testing the ['error'] element last, you are doomed to display your type/size application error message any time the upload fails. The ['error'] check must be first, so that you ONLY use the uploaded file information when you know that the upload was successful.

2) By lumping the type and size checks together, you are doomed to never know which one of those checks failed. Each validation test must be separate and produce a distinct and unique message telling the visitor exactly why the validation test failed.

3) Your distinct and unique validation error messages should display the value that failed the test and the acceptable value(s) so that the visitor (and you when debugging your script) know what value was submitted to the code and what the code allows. This step will let you see that the mime types for pdf and doc don't even have 'image' in them.

To make your type test easier to modify, you should put the 'image/gif' ... values into an array and use in_array to test if the submitted value is one of the permitted values.
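
The validation order the answer describes, as an added example that is not part of either post: the ['error'] check runs first, the type and size tests are separate, and each message reports the submitted and permitted values. `validate_upload()`, the sample arrays and the 102400-byte limit (taken from the form's MAX_FILE_SIZE field) are assumptions.

```php
<?php
// Added example, not code from the thread; validate_upload() is a hypothetical helper.
$allowed_types = [
    'image/gif', 'image/jpeg', 'image/pjpeg', 'image/png',
    'application/pdf', 'application/msword',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];
$max_size = 102400; // assumed limit, taken from the form's MAX_FILE_SIZE field

// Returns a list of error messages; an empty list means the file passed.
// Escape the messages with htmlspecialchars() before echoing them into a page.
function validate_upload(array $file, array $allowed_types, $max_size)
{
    // 1) Upload status first: when the upload failed, ['type'] and ['size']
    //    are empty, so testing them would report the wrong problem.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return ['Upload failed with PHP upload error code ' . $file['error'] . '.'];
    }
    $errors = [];
    // 2) Type test on its own. ['type'] is sent by the browser, so treat it
    //    as a hint about the file, not as proof of its content.
    if (!in_array($file['type'], $allowed_types, true)) {
        $errors[] = 'File type "' . $file['type'] . '" is not allowed. Allowed: '
            . implode(', ', $allowed_types) . '.';
    }
    // 3) Size test on its own, again reporting both values.
    if ($file['size'] <= 0 || $file['size'] > $max_size) {
        $errors[] = 'File size ' . $file['size'] . ' bytes is outside the range 1 to '
            . $max_size . ' bytes.';
    }
    return $errors;
}

// Constructed samples shaped like $_FILES['screenshot'] (only the keys used here).
$samples = [
    'pdf'             => ['type' => 'application/pdf', 'size' => 40000,  'error' => UPLOAD_ERR_OK],
    'text file'       => ['type' => 'text/plain',      'size' => 1200,   'error' => UPLOAD_ERR_OK],
    'large png'       => ['type' => 'image/png',       'size' => 250000, 'error' => UPLOAD_ERR_OK],
    'over form limit' => ['type' => '',                'size' => 0,      'error' => UPLOAD_ERR_FORM_SIZE],
];
foreach ($samples as $label => $file) {
    $errors = validate_upload($file, $allowed_types, $max_size);
    echo $label . ': ' . ($errors ? implode(' ', $errors) : 'accepted') . PHP_EOL;
}
```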