Registration and Upload not working

[IlaminiAyebatonyeDagogo]

I have a script to upload image to a folder and store image name in the database but there seems to be something wrong with my scripting and me please some one help me out.

<?php
//start a session for error reporting.
session_start();

//call our connection file.

require("include/conn.php");

// check to see if the type of file uploaded is valid image type.


function is_valid_type($file)
{
//This is an array that holds the valid image MIME Types

$valid_types=array("image/jpg","image/gif","image/png","image/swf","image/jpeg","image/x-ms-bmp","image/x-png");

if (in_array($file["type"],$valid_types))

return 1;
return 0;

}
//just a short function that print out the content of an array in mannerthat is easy to read
// set some constants
//this variable is the part to the image folder where all the images are going to be stored
//Note that there is trailing forward slash

$target_path="upload_images/";
//Get our Posted variables

$name=$_POST["name"];
$phone=$_POST["phone"];
$address=$_POST["address"];
$email=$_POST["email"];
$username=$_POST["username"];
$password=$_POST["password"];
$pin=$_POST["pin"];
$family=$_POST["family"];
$image=$_FILES["image"];

//***sanitizing our inputs
//
$name=mysql_real_escape_string($name);
$name=stripslashes($name); 
// end sanitizing name input

$phone=mysql_real_escape_string($phone);
$phone=stripslashes($phone);
// end sanitizing phone input
$address=mysql_real_escape_string($address);
$address=stripslashes($address);
// end sanitizing address input
$email=mysql_real_escape_string($email);
$email=stripslashes($email);
// end sanitizing $email input
$username=mysql_real_escape_string($username);
$username=stripslashes($username);
// end sanitizing username input
$password=mysql_real_escape_string($password);
$password=stripslashes($password);
// end sanitizing password input
$pin=mysql_real_escape_string($pin);
$pin=stripslashes($pin);
// end sanitizing pin input
$family=mysql_real_escape_string($family);
$family=stripslashes($family);
// end sanitizing family input
$image['name']=mysql_real_escape_string($image['name']);
$image['name']=stripslashes($image['name']);
// end sanitizing image name input


//Build our target path full string. this is where the filewill be moved to.

$target_path.=$image['name'];

// make sure all the fields are entered

if (empty($name)||empty($phone)||empty($address)||empty($email)||empty($username)||empty($password)||empty($pin)||empty($family)||empty($image["name"]))
{
$_SESSION["error"]="All Fields Are Required";
header("location:register.php");
exit;
}

//check to make sure that our file is actually an image

//we check the file type instead of the extension because the extension can easily be faked.

if(is_valid_type($image)==False)
{
$_SESSION["error"]="You Must Upload a Jpeg,gif,png,swf or jpg image file ";
header("location:register.php");
exit;
}
// here we check to see if a file with that name already exists and we rename it
//we just rename all file
$rand=rand(0,9999999999);
$new_image=$rand.$image["name"];
if(file_exists($target_path))
{$_SESSION["error"]="Please Rename Your Image And Try Again ";
header("location:register.php");
exit;
}
// attempting to move the file from its temporary directory to its new home


if(move_uploaded_file($new_image["tmp_name"],$target_path))
{
// we are putting a reference to the file in the database.


$sql=mysql_query("INSERT INTO facilitators(name,phone,address,email,username,password,pin,family,image)VALUE('$name','$phone','$address','$email','$username','$password','$pin','$family','"$new_image['name']."')")or die("Could Not Insert into the Data Base:".mysql_error());

header("location:index.php");
exit;
}
else
{
{$_SESSION["error"]="Could Not Register You Please contact Web Master on 08132841856 ";
header("location:register.php");


}
?>

It display a prase error on 114

Parse error: parse error in C:\wamp\www\Teens Site\check.php on line 114

and this line 114

$sql=mysql_query("INSERT INTO facilitators(name,phone,address,email,username,password,pin,family,image)VALUE('$name','$phone','$address','$email','$username','$password','$pin','$family','"$new_image['name']."')")or die("Could Not Insert into the Data Base:".mysql_error());

Thanks a lot for all the assistance i have been receiving.

[davidannis]

YOu are missing a period

'"$new_

should be:

'".$new_

[scootstah]

davidannis solved your problem, but you have several other issues that need attention.

 

1. First and foremost: if you run stripslashes() after mysql_real_escape_string(), then you aren't escaping anything.

 

$name=mysql_real_escape_string($name);
$name=stripslashes($name);

This is not escaped, and leaves your script vulnerable to SQL injection.

 

 

2. Don't rely on $file["type"] to determine the file's mimetype. Instead, use finfo_file or mime_content_type (this is deprecated).

 

3. You're not sanitizing the final $target_path to remove a directory/file path or other bad things.

 

4.

if (in_array($file["type"],$valid_types))
 
return 1;
return 0;

This is confusing, use brackets or proper indentation. For example, this is much more readable:

function is_valid_type($file)
{
	//This is an array that holds the valid image MIME Types
	 
	$valid_types=array("image/jpg","image/gif","image/png","image/swf","image/jpeg","image/x-ms-bmp","image/x-png");
	 
	if (in_array($file["type"],$valid_types)) {
		return true;
	}

	return false; 
}

Also, if you're intending on returning a boolean, then you should use a boolean and not 0 or 1.

 

This can also be simplified to:

return (in_array($file["type"], $valid_types));

Hope that helps.

[IlaminiAyebatonyeDagogo]

Is not working

Please Help

[Ch0cu3r]

Is not working

What do you mean by this? Have you made the changes suggested by davidannis and scootstah above?

[davidannis]

Please put these two lines at the top of your program

ini_set("display_errors", "1");
error_reporting(-1);

and tell us what error messages you get.

 

Another issue I noticed that would keep it from working is that when you use header() you MUST have a capital L in location and a space after the :

[scootstah]

Another issue I noticed that would keep it from working is that when you use header() you MUST have a capital L in location and a space after the :

That is not true, it will work either way.

 

Though, you should write it like you say, because that is true to the spec.

Edited December 16, 2013 by scootstah

[davidannis]

I have seen a malformed header cause issues. Most browser will have no problem but who wants to track down a bug that affects one user in a thousand?

 

1. All used headers have first letters uppercase, so you MUST follow this. For example:

Location, not location
Content-Type, not content-type or CONTENT-TYPE

2. Then there MUST be colon and space, like

good: header("Content-Type: text/plain");

wrong: header("Content-Type:text/plain");

3. Location header MUST be absolute uri with scheme, port and so on.

good: header("Location: http://www.example.com/something.php?a=1");

4. It can't be relative:

wrong:  Location: /something.php?a=1
wrong:  Location: ?a=1

It will make proxy server and http clients happier.

quote stolen from comment on http://php.net/manual/en/function.header.php

[scootstah]

Alright, touché.

[davidannis]

sorry, sleep deprived and cranky. I actually use partial URIs in my own code, it is only a missing space after the colon that I have ever seen cause a problem.

Edited December 17, 2013 by davidannis