mikkel809h Posted November 23, 2013 Share Posted November 23, 2013 (edited) Hello 'freaks' Im making a test website where i can press a button ( then the windows explorer menu pops up and i have to choose a file to upload ) and then when i press the submit button i want a loading animation But im not sure how to do that... <form action="upload_file.php" method="post" enctype="multipart/form-data"> <div id="fields"> <p>Type: <input type="text" name="type" required autofocus></p> <p>Desc: <input type="text" name="desc" required></p> <p>Filename: <input type="file" name="file" id="file" required></p><br> <p><input type="submit" name="submit" value="submit" /></p> <body onload="makeLoadingGifDisappear()"> <img src="images/loading.gif" id="myLoadingGif"> <script type="text/javascript"> function makeLoadingGifDisappear() { document.getElementById('myLoadingGif').style.display = 'none'; } </script> </body> </div> </form> Anyone who knows how to do that? Thanks in Freakvance Edited November 23, 2013 by mikkel809h Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted November 23, 2013 Share Posted November 23, 2013 Not possible, unless you are performing the file upload using AJAX. Quote Link to comment Share on other sites More sharing options...
mikkel809h Posted November 23, 2013 Author Share Posted November 23, 2013 (edited) Hmm Okay.. Im going to use AJAX.. (searching on Google) Thanks for your help Edited November 23, 2013 by mikkel809h Quote Link to comment Share on other sites More sharing options...
mikkel809h Posted November 23, 2013 Author Share Posted November 23, 2013 Hmm.. I've got into a problem with something else in the same code... This is a mysql error, which i dont know why is happening: code $host = "somehost.com"; $db = "somedatabase"; $user = "someone"; $pass = "someonespass"; //echo 'fail' . $_POST['type'] . '<br/>' . $_POST['desc']; $_POST['time']=date('d-m-Y H:i'); $_POST['fileend']='http://ahiddenwebsitename/upload/'.$_FILES["myfile"]["name"]; $con = mysql_connect($host,$user,$pass) or die(mysql_error); mysql_select_db($db); //upload.php $output_dir = "upload/"; if(isset($_FILES["myfile"])) { //Filter the file types , if you want. if ($_FILES["myfile"]["error"] > 0) { echo "Error: " . $_FILES["file"]["error"] . "<br>"; } else { //move the uploaded file to uploads folder; move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir. $_FILES["myfile"]["name"]); echo "Uploaded File :".$_FILES["myfile"]["name"]; } } $typ = 'list'.$_POST['course']; $typ = strtolower($typ); //echo 'TYPE: '.$typ; echo 'End : '.$_POST['fileend'].'<br>Type : '.$_POST['type'].'<br>Time : '.$_POST['desc']; //All in this echo returns correct variables $sqlcourse = "INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"; //This is somehow erroring with mysql error when querying it. //$resultcourse = mysql_query($sqlcourse,$con); //first try mysql_query($sqlcourse) or die(mysql_error); //third try //$resultcourse = mysql_query($sqlcourse); //second try if (!resultcourse) { echo 'DB Error! cannot insert course'; exit(); } else{ echo 'Inserted!'; mysql_close($con) ?> <?php } Thanks in FreakVance Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted November 23, 2013 Share Posted November 23, 2013 What is the actual error you are getting? You should at least pass any $_POST values to mysql_real_escape_string before using them in your SQL Queries. This is to protect you from SQL Injection. $sqlcourse = sprintf("INSERT INTO $typ VALUES ('','%s','%s','%s','%s')", mysql_real_escape_string($_POST['type']), mysql_real_escape_string($_POST['time']), mysql_real_escape_string($_POST['desc']), mysql_real_escape_string($_POST['fileend']); Quote Link to comment Share on other sites More sharing options...
objnoob Posted November 23, 2013 Share Posted November 23, 2013 (edited) $sqlcourse = "INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"; //This is somehow erroring with mysql error when querying it. let's start by.... $varSQLSafeType = do_Escape_This_Shit($_POST['type']); $varSQLSafeTime = do_Escape_This_Shit($_POST['time']); $varSQLSafeDesc = do_Escape_This_Shit($_POST['desc']); $varSQLSafeFileEnd = do_Escape_This_Shit($_POST['fileend']); $sql = "INSERT INTO {$TABLENAME_BETTER_NOT_BE_USER_INPUT_WO_VALIDATING} (which_column, what_column, that_column, oops_i_missed_one) VALUES ('{$varSQLSafeType}', '{$varSQLSafeTime}','{$varSQLSafeDesc}','{$varSQLSafeFileEnd }')"; let's finish by.... if you find yourself doing INSERT INTO tblTable (column1) VALUES (''); allow column 1 to accept null values. INSERT INTO tblTable (column1) VALUES (NULL); Edited November 23, 2013 by objnoob Quote Link to comment Share on other sites More sharing options...
mikkel809h Posted November 23, 2013 Author Share Posted November 23, 2013 (edited) Answer to Ch0cu3r Well.. The only thing i get is :"MySql_error" So.. I Need to make them "real escape-thingy" before? so: <?php if(!isset($_COOKIE['authorised']) || ($_COOKIE['authorised'] != 'true')) { ?> <style> body { background-color:#d0e4fe; } </style> <center> <a href="secure.html"><img src="/images/badsmiley.png" alt="Smiley face" height=195 width=210></a> <b> <br /> <font face="Comic Sans MS" size="6" type="bold"> Åhhh nej!! <br /> Du har ikke adgang til denne side! </font> </b> </center> <?php exit(); } if(isset($_POST['submit'])) { // see what is in the _POST // printf('<pre>%s</pre>', print_r($_POST, 1)); // add the course details to the database here // echo 'TODO: Add course to database'; $host = "somehost.com"; $db = "somedatabase"; $user = "someuser"; $pass = "somepass"; //echo 'fail' . $_POST['type'] . '<br/>' . $_POST['desc']; $_POST['time']=date('d-m-Y H:i'); $_POST['fileend']='http://something.com/upload/'.$_FILES["myfile"]["name"]; $con = mysql_connect($host,$user,$pass) or die(mysql_error); mysql_select_db($db); //upload.php $output_dir = "upload/"; if(isset($_FILES["myfile"])) { //Filter the file types , if you want. if ($_FILES["myfile"]["error"] > 0) { echo "Error: " . $_FILES["file"]["error"] . "<br>"; } else { //move the uploaded file to uploads folder; move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir. $_FILES["myfile"]["name"]); echo "Uploaded File :".$_FILES["myfile"]["name"]; } } $typ = 'list'.$_POST['course']; $typ = strtolower($typ); //echo 'TYPE: '.$typ; echo 'End : '.$_POST['fileend'].'<br>Type : '.$_POST['type'].'<br>Time : '.$_POST['desc']; $sqlcourse = sprintf("INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"); mysql_real_escape_string($_POST['type']); mysql_real_escape_string($_POST['time']); mysql_real_escape_string($_POST['desc']); mysql_real_escape_string($_POST['fileend']); //$resultcourse = mysql_query($sqlcourse,$con); mysql_query($sqlcourse,$con) or die(mysql_error); //$resultcourse = mysql_query($sqlcourse); if (!resultcourse) { echo 'DB Error! cannot insert course'; exit(); } else{ echo 'Inserted!'; mysql_close($con) ?> <?php } } ?> Well that returns "mysql_error" again.. Answer to objnoob: Well first of all... The tablename is not entered as a text.. there is 5 radio-buttons on another page which leads to this. Then it submits that, and the upload_file code ( the code above as answer to Ch0cu3r )makes that string to lowercase. so theres NO wrong things in the tablename.... But theres something that is confusing me when it comes to mysql: I dont know why there has to be (or does it) that "(which_column,what_column etc...)" and whatever... Mysql is my weakest knowen functions or language (whatever its called). (Sorry if its so hard to teach me) But lets just try something: mysql_query("INSERT INTO $typ VALUES ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"); that SHOULD work... but somehow it isn't. the $typ is a table which exists.. its not possible to make errors in that (because its radiobuttons...) then the ('','$_POST[type]','$_POST[time]','$_POST[desc]','$_POST[fileend]')"); Isn't it possible to make the $_POST[fileend] as a link? the fileend is a link to the file like this: "someserver.com/upload/filename.someextension" Edited November 23, 2013 by mikkel809h Quote Link to comment Share on other sites More sharing options...
objnoob Posted November 23, 2013 Share Posted November 23, 2013 mysql_error is a function........ die(mysql_error); is nonsense because mysql_error in this context is nothing but dumb dumb that php implicitly converts to string (unless you've defined a constant named mysql_error) Try die(mysql_error()) Bingo. Quote Link to comment Share on other sites More sharing options...
mikkel809h Posted November 23, 2013 Author Share Posted November 23, 2013 Wait! Ohhhh... I solved it.... Thanks!!!! solution: the real error was that i wasnt posting the $_POST['course'] so the 'list'.$_POST['course'] returned false Thanks!!!! I also didn't notice that i was missing that () at the end of mysql_error... Thanks for everything Quote Link to comment Share on other sites More sharing options...
objnoob Posted November 23, 2013 Share Posted November 23, 2013 You're most welcome. I'm glad you were able to fix it up, And, yes, always always always validate and escape user input before using it in an SQL statement. An alternative and more secure way of handling database exchanges that use any data that was supplied by the user is to parameterize with prepared statements. You won't be able to use prepared statements with mysql_* but you shouldn't be using mysql_* anyways. Switch to mysqli_* and reap the benefits! Bye Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.