Loading.gif image when pressing upload file button

[mikkel809h]

Hello 'freaks'

 

Im making a test website where i can press a button ( then the windows explorer menu pops up and i have to choose a file to upload ) and then when i press the submit button i want a loading animation 

But im not sure how to do that...

 

<form action="upload_file.php" method="post" enctype="multipart/form-data">
<div id="fields">

	<p>Type: <input type="text" name="type" required autofocus></p>
	<p>Desc: <input type="text" name="desc" required></p>
	<p>Filename: <input type="file" name="file" id="file" required></p><br>
	<p><input type="submit" name="submit" value="submit" /></p>
	<body onload="makeLoadingGifDisappear()">
	<img src="images/loading.gif" id="myLoadingGif">
	<script type="text/javascript">
		function makeLoadingGifDisappear() {
			document.getElementById('myLoadingGif').style.display = 'none';
		}
	</script>
	</body>

				
</div>
</form>

Anyone who knows how to do that?

 

 

Thanks in Freakvance

Edited November 23, 2013 by mikkel809h

[Ch0cu3r]

Not possible, unless you are performing the file upload using AJAX.

[mikkel809h]

Hmm Okay.. Im going to use AJAX.. (searching on Google)

 

 

Thanks for your help

Edited November 23, 2013 by mikkel809h

[mikkel809h]

Hmm.. I've got into a problem with something else in the same code... This is a mysql error, which i dont know why is happening:

code

$host = "somehost.com";
    $db = "somedatabase";
    $user = "someone";
    $pass = "someonespass";
    //echo 'fail' . $_POST['type'] . '<br/>' . $_POST['desc'];
    $_POST['time']=date('d-m-Y H:i');
    $_POST['fileend']='http://ahiddenwebsitename/upload/'.$_FILES["myfile"]["name"];
    $con = mysql_connect($host,$user,$pass) or die(mysql_error);
    mysql_select_db($db);

    //upload.php
    $output_dir = "upload/";
    
    if(isset($_FILES["myfile"])) {
        //Filter the file types , if you want.
        if ($_FILES["myfile"]["error"] > 0)
        {
          echo "Error: " . $_FILES["file"]["error"] . "<br>";
        }
        else
        {
          //move the uploaded file to uploads folder;
          move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir. $_FILES["myfile"]["name"]);
          echo "Uploaded File :".$_FILES["myfile"]["name"];
        }
    }

    $typ = 'list'.$_POST['course'];
    $typ = strtolower($typ);
    //echo 'TYPE: '.$typ;
    echo 'End : '.$_POST['fileend'].'<br>Type : '.$_POST['type'].'<br>Time : '.$_POST['desc']; //All in this echo returns correct variables
    $sqlcourse = "INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"; //This is somehow erroring with mysql error when querying it.
    //$resultcourse = mysql_query($sqlcourse,$con); //first try
    mysql_query($sqlcourse) or die(mysql_error); //third try
    //$resultcourse = mysql_query($sqlcourse); //second try
    if (!resultcourse) {
      echo 'DB Error! cannot insert course';
      exit();
    } else{
      echo 'Inserted!';
      mysql_close($con)
      ?>

      <?php
    }

Thanks in FreakVance

[Ch0cu3r]

What is the actual error you are getting?

 

You should at least pass any $_POST values to mysql_real_escape_string before using them in your SQL Queries. This is to protect you from SQL Injection.

$sqlcourse = sprintf("INSERT INTO $typ VALUES ('','%s','%s','%s','%s')",
                                                                         mysql_real_escape_string($_POST['type']),
                                                                         mysql_real_escape_string($_POST['time']),
                                                                         mysql_real_escape_string($_POST['desc']),
                                                                         mysql_real_escape_string($_POST['fileend']);

[objnoob]

$sqlcourse = "INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"; //This is somehow erroring with mysql error when querying it.

 

 

 

let's start by....  

 

$varSQLSafeType = do_Escape_This_Shit($_POST['type']);

$varSQLSafeTime = do_Escape_This_Shit($_POST['time']);

$varSQLSafeDesc = do_Escape_This_Shit($_POST['desc']);

$varSQLSafeFileEnd = do_Escape_This_Shit($_POST['fileend']);

 

$sql = "INSERT INTO {$TABLENAME_BETTER_NOT_BE_USER_INPUT_WO_VALIDATING} (which_column, what_column, that_column, oops_i_missed_one) VALUES ('{$varSQLSafeType}', '{$varSQLSafeTime}','{$varSQLSafeDesc}','{$varSQLSafeFileEnd }')";

 

let's finish by....  if you find yourself doing INSERT INTO tblTable (column1) VALUES ('');        allow column 1 to accept null values.    INSERT INTO tblTable (column1) VALUES (NULL);

Edited November 23, 2013 by objnoob

[mikkel809h]

Answer to Ch0cu3r

 

Well.. The only thing i get is :"MySql_error"

 

So..

I Need to make them "real escape-thingy" before?

 

so:

<?php
if(!isset($_COOKIE['authorised']) || ($_COOKIE['authorised'] != 'true'))
{
  ?>
    <style>
      body {
        background-color:#d0e4fe;
      }
    </style>
    <center>
      <a href="secure.html"><img src="/images/badsmiley.png" alt="Smiley face" height=195 width=210></a>
      
      <b>
        <br />
        <font face="Comic Sans MS" size="6" type="bold">
          Åhhh nej!!
          <br />
          Du har ikke adgang til denne side!
        </font>
      </b>
    </center>
  <?php
  exit();
}

if(isset($_POST['submit']))
  {
    // see what is in the _POST
    // printf('<pre>%s</pre>', print_r($_POST, 1));

    // add the course details to the database here
    // echo 'TODO: Add course to database';

    $host = "somehost.com";
    $db = "somedatabase";
    $user = "someuser";
    $pass = "somepass";
    //echo 'fail' . $_POST['type'] . '<br/>' . $_POST['desc'];
    $_POST['time']=date('d-m-Y H:i');
    $_POST['fileend']='http://something.com/upload/'.$_FILES["myfile"]["name"];
    $con = mysql_connect($host,$user,$pass) or die(mysql_error);
    mysql_select_db($db);

    //upload.php
    $output_dir = "upload/";
    
    if(isset($_FILES["myfile"])) {
        //Filter the file types , if you want.
        if ($_FILES["myfile"]["error"] > 0)
        {
          echo "Error: " . $_FILES["file"]["error"] . "<br>";
        }
        else
        {
          //move the uploaded file to uploads folder;
          move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir. $_FILES["myfile"]["name"]);
          echo "Uploaded File :".$_FILES["myfile"]["name"];
        }
    }

    $typ = 'list'.$_POST['course'];
    $typ = strtolower($typ);
    //echo 'TYPE: '.$typ;
    echo 'End : '.$_POST['fileend'].'<br>Type : '.$_POST['type'].'<br>Time : '.$_POST['desc'];
    $sqlcourse = sprintf("INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')");
    mysql_real_escape_string($_POST['type']);
    mysql_real_escape_string($_POST['time']);
    mysql_real_escape_string($_POST['desc']);
    mysql_real_escape_string($_POST['fileend']);
    //$resultcourse = mysql_query($sqlcourse,$con);
    mysql_query($sqlcourse,$con) or die(mysql_error);
    //$resultcourse = mysql_query($sqlcourse);
    if (!resultcourse) {
      echo 'DB Error! cannot insert course';
      exit();
    } else{
      echo 'Inserted!';
      mysql_close($con)
      ?>

      <?php
    }
  }

?>

Well that returns "mysql_error" again..

 

 

 

 

Answer to objnoob:

Well first of all... The tablename is not entered as a text.. there is 5 radio-buttons on another page which leads to this. Then it submits that, and the upload_file code ( the code above as answer to Ch0cu3r )makes that string to lowercase. so theres NO wrong things in the tablename....

But theres something that is confusing me when it comes to mysql:

I dont know why there has to be (or does it) that "(which_column,what_column etc...)" and whatever... Mysql is my weakest knowen functions or language (whatever its called).

 

(Sorry if its so hard to teach me)

 

But lets just try something:

mysql_query("INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')");

that SHOULD work... but somehow it isn't.

 

the $typ is a table which exists.. its not possible to make errors in that (because its radiobuttons...)

then the

('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')");

Isn't it possible to make the $_POST[fileend] as a link? the fileend is a link to the file like this:

"someserver.com/upload/filename.someextension"

Edited November 23, 2013 by mikkel809h

[objnoob]

mysql_error is a function........       

 

die(mysql_error);   is nonsense because mysql_error in this context is nothing but dumb dumb that php implicitly converts to string (unless you've defined a constant named mysql_error)

 

 

 

Try    die(mysql_error())  

Bingo.

[mikkel809h]

Wait!

 

Ohhhh...

 

 

I solved it.... Thanks!!!!

 

 

solution:

the real error was that i wasnt posting the $_POST['course'] so the 'list'.$_POST['course'] returned false

 

 

Thanks!!!!

 

 

I also didn't notice that i was missing that () at the end of mysql_error...

 

Thanks for everything

[objnoob]

You're most welcome. I'm glad you were able to fix it up,

And, yes, always always always validate and escape user input before using it in an SQL statement.

An alternative and more secure way of handling database exchanges that use any data that was supplied by the user is to parameterize with prepared statements.

 

You won't be able to use prepared statements with mysql_*  but you shouldn't be using mysql_* anyways.   Switch to mysqli_* and reap the benefits!

 

Bye