
Hello 'freaks'

 

I'm making a test website where I can press a button (then the Windows Explorer menu pops up and I have to choose a file to upload), and then when I press the submit button I want a loading animation.

But I'm not sure how to do that...

 

<form action="upload_file.php" method="post" enctype="multipart/form-data">
<div id="fields">

	<p>Type: <input type="text" name="type" required autofocus></p>
	<p>Desc: <input type="text" name="desc" required></p>
	<p>Filename: <input type="file" name="file" id="file" required></p><br>
	<p><input type="submit" name="submit" value="submit" /></p>
	<body onload="makeLoadingGifDisappear()">
	<img src="images/loading.gif" id="myLoadingGif">
	<script type="text/javascript">
		function makeLoadingGifDisappear() {
			document.getElementById('myLoadingGif').style.display = 'none';
		}
	</script>
	</body>

				
</div>
</form>
Anyone who knows how to do that?

 

 

Thanks in Freakvance

Edited by mikkel809h

Hmm.. I've run into a problem with something else in the same code... This is a MySQL error, and I don't know why it is happening:

code

$host = "somehost.com";
    $db = "somedatabase";
    $user = "someone";
    $pass = "someonespass";
    //echo 'fail' . $_POST['type'] . '<br/>' . $_POST['desc'];
    $_POST['time']=date('d-m-Y H:i');
    $_POST['fileend']='http://ahiddenwebsitename/upload/'.$_FILES["myfile"]["name"];
    $con = mysql_connect($host,$user,$pass) or die(mysql_error);
    mysql_select_db($db);

    //upload.php
    $output_dir = "upload/";
    
    if(isset($_FILES["myfile"])) {
        //Filter the file types , if you want.
        if ($_FILES["myfile"]["error"] > 0)
        {
          echo "Error: " . $_FILES["file"]["error"] . "<br>";
        }
        else
        {
          //move the uploaded file to uploads folder;
          move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir. $_FILES["myfile"]["name"]);
          echo "Uploaded File :".$_FILES["myfile"]["name"];
        }
    }

    $typ = 'list'.$_POST['course'];
    $typ = strtolower($typ);
    //echo 'TYPE: '.$typ;
    echo 'End : '.$_POST['fileend'].'<br>Type : '.$_POST['type'].'<br>Time : '.$_POST['desc']; //All in this echo returns correct variables
    $sqlcourse = "INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"; //This is somehow erroring with mysql error when querying it.
    //$resultcourse = mysql_query($sqlcourse,$con); //first try
    mysql_query($sqlcourse) or die(mysql_error); //third try
    //$resultcourse = mysql_query($sqlcourse); //second try
    if (!resultcourse) {
      echo 'DB Error! cannot insert course';
      exit();
    } else{
      echo 'Inserted!';
      mysql_close($con)
      ?>

      <?php
    }

Thanks in FreakVance

What is the actual error you are getting?

 

You should at least pass any $_POST values to mysql_real_escape_string before using them in your SQL Queries. This is to protect you from SQL Injection.

// Each value is escaped before it is substituted into the query string.
$sqlcourse = sprintf("INSERT INTO $typ VALUES ('','%s','%s','%s','%s')",
    mysql_real_escape_string($_POST['type']),
    mysql_real_escape_string($_POST['time']),
    mysql_real_escape_string($_POST['desc']),
    mysql_real_escape_string($_POST['fileend']));

$sqlcourse = "INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"; //This is somehow erroring with mysql error when querying it.

 

 

 

let's start by....  

 

$varSQLSafeType = do_Escape_This_Shit($_POST['type']);

$varSQLSafeTime = do_Escape_This_Shit($_POST['time']);

$varSQLSafeDesc = do_Escape_This_Shit($_POST['desc']);

$varSQLSafeFileEnd = do_Escape_This_Shit($_POST['fileend']);

 

$sql = "INSERT INTO {$TABLENAME_BETTER_NOT_BE_USER_INPUT_WO_VALIDATING} (which_column, what_column, that_column, oops_i_missed_one) VALUES ('{$varSQLSafeType}', '{$varSQLSafeTime}','{$varSQLSafeDesc}','{$varSQLSafeFileEnd }')";

 

let's finish by....  if you find yourself doing INSERT INTO tblTable (column1) VALUES ('');        allow column 1 to accept null values.    INSERT INTO tblTable (column1) VALUES (NULL);

Edited by objnoob

Answer to Ch0cu3r

 

Well.. The only thing I get is: "MySql_error"

 

So..

I need to make them "real escape-thingy" before?

 

so:

<?php
if(!isset($_COOKIE['authorised']) || ($_COOKIE['authorised'] != 'true'))
{
  ?>
    <style>
      body {
        background-color:#d0e4fe;
      }
    </style>
    <center>
      <a href="secure.html"><img src="/images/badsmiley.png" alt="Smiley face" height=195 width=210></a>
      
      <b>
        <br />
        <font face="Comic Sans MS" size="6" type="bold">
          Åhhh nej!!
          <br />
          Du har ikke adgang til denne side!
        </font>
      </b>
    </center>
  <?php
  exit();
}

if(isset($_POST['submit']))
  {
    // see what is in the _POST
    // printf('<pre>%s</pre>', print_r($_POST, 1));

    // add the course details to the database here
    // echo 'TODO: Add course to database';

    $host = "somehost.com";
    $db = "somedatabase";
    $user = "someuser";
    $pass = "somepass";
    //echo 'fail' . $_POST['type'] . '<br/>' . $_POST['desc'];
    $_POST['time']=date('d-m-Y H:i');
    $_POST['fileend']='http://something.com/upload/'.$_FILES["myfile"]["name"];
    $con = mysql_connect($host,$user,$pass) or die(mysql_error);
    mysql_select_db($db);

    //upload.php
    $output_dir = "upload/";
    
    if(isset($_FILES["myfile"])) {
        //Filter the file types , if you want.
        if ($_FILES["myfile"]["error"] > 0)
        {
          echo "Error: " . $_FILES["file"]["error"] . "<br>";
        }
        else
        {
          //move the uploaded file to uploads folder;
          move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir. $_FILES["myfile"]["name"]);
          echo "Uploaded File :".$_FILES["myfile"]["name"];
        }
    }

    $typ = 'list'.$_POST['course'];
    $typ = strtolower($typ);
    //echo 'TYPE: '.$typ;
    echo 'End : '.$_POST['fileend'].'<br>Type : '.$_POST['type'].'<br>Time : '.$_POST['desc'];
    $sqlcourse = sprintf("INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')");
    mysql_real_escape_string($_POST['type']);
    mysql_real_escape_string($_POST['time']);
    mysql_real_escape_string($_POST['desc']);
    mysql_real_escape_string($_POST['fileend']);
    //$resultcourse = mysql_query($sqlcourse,$con);
    mysql_query($sqlcourse,$con) or die(mysql_error);
    //$resultcourse = mysql_query($sqlcourse);
    if (!resultcourse) {
      echo 'DB Error! cannot insert course';
      exit();
    } else{
      echo 'Inserted!';
      mysql_close($con)
      ?>

      <?php
    }
  }

?>

Well that returns "mysql_error" again..

 

 

 

 

Answer to objnoob:

Well, first of all... The table name is not entered as text.. there are 5 radio buttons on another page which leads to this. Then it submits that, and the upload_file code (the code above as answer to Ch0cu3r) makes that string lowercase. So there are NO wrong things in the table name....

But there's something that is confusing me when it comes to MySQL:

I don't know why there has to be (or does there?) that "(which_column, what_column etc...)" and whatever... MySQL is my weakest known function or language (whatever it's called).

 

(Sorry if it's so hard to teach me)

 

But let's just try something:

mysql_query("INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')");
That SHOULD work... but somehow it isn't.

 

The $typ is a table which exists.. it's not possible to make errors in that (because it's radio buttons...)

then the

('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')");

Isn't it possible to make the $_POST[fileend] as a link? The fileend is a link to the file like this:

"someserver.com/upload/filename.someextension"

Edited by mikkel809h

mysql_error is a function........       

 

die(mysql_error);   is nonsense because mysql_error in this context is nothing but dumb dumb that php implicitly converts to string (unless you've defined a constant named mysql_error)

 

 

 

Try    die(mysql_error())  

Bingo.

Wait!

 

Ohhhh...

 

 

I solved it.... Thanks!!!!

 

 

solution:

The real error was that I wasn't posting the $_POST['course'], so the 'list'.$_POST['course'] returned false

 

 

Thanks!!!!

 

 

I also didn't notice that I was missing that () at the end of mysql_error...

 

Thanks for everything ;)

You're most welcome. I'm glad you were able to fix it up.

And, yes, always always always validate and escape user input before using it in an SQL statement.

An alternative and more secure way of handling database exchanges that use any data that was supplied by the user is to parameterize with prepared statements.

 

You won't be able to use prepared statements with mysql_*  but you shouldn't be using mysql_* anyways.   Switch to mysqli_* and reap the benefits!

 

Bye
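The advice given in the replies above (validate the table name, give an explicit column list, switch to mysqli_* with prepared statements), put together as an added example that is not code from any poster in this thread. The course values, table names, column names and the example.com URL are assumptions; the connection values are the placeholders used in the thread.

```php
<?php
// Added example; course values, table names and column names are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw exceptions

// Identifiers cannot be bound as parameters, so the radio-button value is
// mapped to a fixed table name. A missing or unexpected value is rejected.
const COURSE_TABLES = [
    'math'    => 'listmath',    // hypothetical
    'physics' => 'listphysics', // hypothetical
];

function course_table(array $post): string
{
    $course = strtolower((string)($post['course'] ?? ''));
    if (!array_key_exists($course, COURSE_TABLES)) {
        throw new InvalidArgumentException('Unknown or missing course');
    }
    return COURSE_TABLES[$course];
}

function insert_upload(mysqli $db, array $post, string $fileUrl): void
{
    $table = course_table($post);
    // Explicit column list; the values travel separately from the SQL text.
    $stmt = $db->prepare(
        "INSERT INTO `$table` (type, created, description, file_url) VALUES (?, ?, ?, ?)"
    );
    $type = (string)($post['type'] ?? '');
    $time = date('d-m-Y H:i');
    $desc = (string)($post['desc'] ?? '');
    $stmt->bind_param('ssss', $type, $time, $desc, $fileUrl);
    $stmt->execute();
    $stmt->close();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['myfile'])) {
    // Placeholder credentials as used in the thread.
    $db = new mysqli('somehost.com', 'someone', 'someonespass', 'somedatabase');
    // basename() drops path components a client may have put in the file name.
    $name = basename($_FILES['myfile']['name']);
    insert_upload($db, $_POST, 'http://example.com/upload/' . rawurlencode($name));
    echo 'Inserted!';
}
```

When the course field is absent or not in the map, course_table() throws before any SQL text is built, so a request without $_POST['course'] fails with a clear message instead of a query against a table that does not exist.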
