Chrisj Posted October 10, 2014

Can you please tell me what each of these lines of code means?

    $allowedExts = array("gif", "jpeg", "jpg", "png");
    $temp = explode(".", $_FILES["file"]["name"]);
    $extension = strtolower( end($temp) );
    $length = 20;
    $newfilename = $_SESSION['user_id'].$_FILES["file"]["name"];
    $thumbnail = $newfilename . "." . $extension;
    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $thumbnail);
    $sql = "INSERT INTO videos ( filename ) VALUES( $thumbnail )";
    mysql_query($sql);
    $file_location = '<a href="http://www.--.com/upload/' . $thumbnail . '">' . $thumbnail . '</a>';
    $description = $description . " \n " . $newfilename;

ginerjm Posted October 10, 2014

A little knowledge could be bad. Do you not understand php code yet? Assuming the answer is yes, then why do you want to know?

The code, with an obvious flaw in it, attempts to take an uploaded user file and append a userid to the front and then save the uploaded file to a new place with that new name. Problem is that it appends an extra extension to it.

Does this help?

NotionCommotion Posted October 10, 2014

Which line do you have questions about?

Chrisj Posted October 10, 2014

Thanks for the replies. Yes, how can I fix the extra extension please?

Regarding "which line", can you please explain what this code is doing with $thumbnail and $newfilename?

ginerjm Posted October 10, 2014

Leave out the part that grabs $extension and remove it from the later ref.

Chrisj Posted October 10, 2014

Thanks for your reply, but I don't understand what you're saying.

NotionCommotion Posted October 10, 2014

> Thanks for the replies. Yes, how can I fix the extra extension please? Regarding "which line", can you please explain what this code is doing with $thumbnail and $newfilename?

$temp is set to an array containing the filename and file extension, and then $extension is set to the last element of that array. The code is not complete, and you should add something like if(isset($allowedExts[$extension])) {... to ensure only valid files are uploaded.

In regards to $newfilename, it changes the name from "myimage.gif" to "123myimage.gif" where 123 is the user's PK. Why, I have no idea. It then sets $newfilename to "123myimage.gif.gif". Again, why, I have no idea.

ginerjm Posted October 10, 2014

    $allowedExts = array("gif", "jpeg", "jpg", "png");
    $temp = explode(".", $_FILES["file"]["name"]);
    $extension = strtolower( end($temp) );
    // ADD CHECK FOR VALID FILE
    if (!in_array($extension,$allowedExts))
    {
        echo ("Error - bad file uploaded");
        exit();    // or do whatever else you want here
    }
    $length = 20;
    $newfilename = $_SESSION['user_id'].$_FILES["file"]["name"];
    //
    $thumbnail = $newfilename;    // DON'T NEED THIS . "." . $extension;
    //
    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $thumbnail);
    //
    $sql = "INSERT INTO videos ( filename ) VALUES( '$thumbnail' )";    // ADDED QUOTES ON $THUMBNAIL
    //
    mysql_query($sql);
    $file_location = '<a href="http://www.--.com/upload/' . $thumbnail . '">' . $thumbnail . '</a>';
    $description = $description . " \n " . $newfilename;
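
A hardened take on the upload handling discussed in this thread, as an added example that is not any poster's code: it keeps the extension allowlist, checks the file's actual content type, stores the file under a server-generated name with exactly one extension, and binds the name as a query parameter. The function names, the PDO handle `$db` and the directory argument are assumptions; the `videos (filename)` table and the `upload/` location come from the thread.

```php
<?php
// Added example, not code from the thread. Function names, the PDO handle
// and the directory argument are assumptions made for illustration.
const ALLOWED = ['gif' => 'image/gif', 'jpg' => 'image/jpeg',
                 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/** Stores one upload and returns its server-generated name; throws on rejection. */
function store_thumbnail(array $file, int $userId, PDO $db, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // The extension comes from the client-supplied name, so it is only a claim.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check what the bytes really are: a renamed non-image file passes the
    // extension test above but fails this content-type comparison.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Do not reuse the client's filename on disk: build one from the user id
    // and random bytes, with a single extension (no "name.gif.gif").
    $stored = $userId . '_' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    // Bound parameter instead of interpolating the name into the SQL string.
    $stmt = $db->prepare('INSERT INTO videos (filename) VALUES (?)');
    $stmt->execute([$stored]);
    return $stored;
}

/** Builds the link markup; values are escaped before they reach HTML. */
function thumbnail_link(string $baseUrl, string $stored): string
{
    $href = htmlspecialchars($baseUrl . '/upload/' . rawurlencode($stored), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Usage (assumes $db is a connected PDO and the session holds a numeric user id):
// $name = store_thumbnail($_FILES['file'], (int) $_SESSION['user_id'], $db, __DIR__ . '/upload');
// echo thumbnail_link('http://www.--.com', $name);
```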

Chrisj Posted October 10, 2014

Thank you. Can you please tell me something about how $thumbnail?

Chrisj Posted October 10, 2014

Thanks ginerjm for that. Much appreciated. Very helpful.

Another question, please: Currently, the user id populates the Thumbnail field of the Upload Form upon the Form page opening. And after Submit, the (uploaded) file name is added to the user_id, in that field.

How can I change it so the user_id doesn't populate the Thumbnail field upon opening the Form page, but is added to the (uploaded) file name after Submit?

Any help will be appreciated.

ginerjm Posted October 10, 2014

Show us how the form is created.

Chrisj Posted October 10, 2014

Thanks for your reply. I believe this is what you're asking for - see attached file.

Chrisj Posted October 10, 2014

Trying again:

    <?php
    include_once ('classes/config.php');
    include_once ('classes/sessions.php');
    include 'uploader_conlib.php';
    $config['notification_error'] = $lang_error;
    $page_title = $lang_upload_video;
    if ($_SESSION['user_id'] == "") {
        header("Location: " . "$base_url/login.php");
        die();
    }
    $load_javascript = 1;
    $ahah = 1;
    $thickbox = 1;
    ///////////////////////////////////////////////////////////////////////////////////////
    // ADDED SPAMMER UPLOAD TRACKING LOGGING //
    $member_uploading = $_SESSION['user_name'];
    $tracking_log_file = 'logs/uploader_log.txt';
    $admin_email = $config['admin_notify_email'];
    $user_ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
    $referer = mysql_real_escape_string($_SERVER['HTTP_REFERER']);
    if ( $referer == '' ) die_spammer_alerts();
    if ( !ereg ($_SERVER['SERVER_NAME'], $referer) ) die_spammer_alerts();
    ///////////////////////////////////////////////////////////////////////////////////////
    //echo $debugmodex;
    //get channel data, create "select" form fields to load into form
    $sql = "SELECT channel_id, channel_name FROM channels";
    $result1 = @mysql_query($sql);
    $count_cats = @mysql_num_rows($result1);
    $fields_all = '';
    $sub_fields_all = '';
    $show_fields = '';
    $fields_all .= '<option value="99999">Select One</option>';
    while ($result = @mysql_fetch_array($result1)) {
        $fields_all .= '<option value="'.$result['channel_id'].'">'.$result['channel_name'].'</option>';
    }
    $sub_cat_choice = (int) mysql_real_escape_string( $_GET['sub_cat'] );
    if ( $sub_cat_choice ) {
        if ( $sub_cat_choice == '99999' ) {
            $sub_fields_all .= '<select class="image_form" style="width:160px;" size="1" name="sub_cat">';
            $sub_fields_all .= '<option value="99999">'.$lang_no_sub_categories.'</option>';
            $sub_fields_all .= '</select> ('.$lang_select.')';
            echo $sub_fields_all;
            die();
        } else {
            $sql2 = "SELECT * from sub_channels WHERE parent_channel_id = $sub_cat_choice";
            $query = @mysql_query($sql2);
            $sub_fields_all .= '<select class="image_form" style="width:160px;" size="1" name="sub_cat">';
            while ($result2 = @mysql_fetch_array($query)) {
                $count_subs = @mysql_num_rows($query);
                $sub_fields_all .= '<option value="'.$result2['sub_channel_id'].'">'.$result2['sub_channel_name'].'</option>';
            }
            if ( $count_subs == '' ) {
                $sub_fields_all .= '<option value="99999">'.$lang_no_sub_categories.'</option>';
            }
            $sub_fields_all .= '</select> ('.$lang_select.')';
            echo $sub_fields_all;
            die();
        }
    }
    // grab values from form if any
    $form_submitted = $_POST['form_submitted'];
    $title = $_POST['title'];
    $description = $_POST['description'];
    $tags = $_POST['tags'];
    $thumbnail = $_POST['thumbnail'];
    $location_recorded = $_POST['location_recorded'];
    $allow_comments = $_POST['allow_comments'];
    $allow_embedding = $_POST['allow_embedding'];
    $public_private = $_POST['public_private'];
    $channel = $_POST['channel'];
    $sub_cat = $_POST['sub_cat'];
    $procede = true;
    ///////////////////////////////////////
    /////////////////////////////////////////
    $allowedExts = array("gif", "jpeg", "jpg", "pdf", "png");
    $temp = explode(".", $_FILES["file"]["name"]);
    $extension = strtolower( end($temp) );
    // ADD CHECK FOR VALID FILE
    if (!in_array($extension,$allowedExts)) {
        echo ("Error - Invalid File Name");
        //exit();    // or do whatever else you want here
    }
    $length = 20;
    $newfilename = $_SESSION['user_id'].$_FILES["file"]["name"];
    //
    $thumbnail = $newfilename;
    //
    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $thumbnail);
    //
    $sql = "INSERT INTO videos ( filename ) VALUES( '$thumbnail' )";
    //
    mysql_query($sql);
    $file_location = '<a href="http://www.--.com/upload/' . $thumbnail . '">' . $thumbnail . '</a>';
    ///////////////////////////////////////
    /////////////////////////////////////////
    $row = mysql_query("SELECT channel_name FROM channels WHERE channel_id = '$channel'");
    while( $result = mysql_fetch_assoc($row) )
        $channel_name = $result['channel_name'];
    // validate form
    if ($form_submitted == 'yes') {
        if ($_SESSION['user_id'] == '') die();
        $post_vid_upload_token = mysql_real_escape_string( $_POST['vid_upload_token'] );
        if ( $post_vid_upload_token != $_SESSION['vid_upload_token'] ) die();
        foreach ($_POST as $key => $value) {
            if ($key == 'title' || $key == 'description' || $key == 'tags' || $key == '$channel') {
                if (!isset($value) || ($value == '')) {
                    $display_key = @str_replace('_', ' ', $key);
                    $error_message = $config['notification_error'];
                    $blk_notification = 1;
                    $error_message = $error_message . " - " . $display_key . " - $lang_required ";
                    $procede = false;
                }
            }
        }
        if ( $channel == '99999' ) {
            $error_message = $config['notification_error'];
            $blk_notification = 1;
            $error_message = $error_message . " - $lang_select_channel";
            $procede = false;
        }
    } else {
        $procede = false;
    }
    // display page with form error
    if ($procede == false && $form_submitted == 'yes') {
        $template = "themes/$user_theme/templates/main_1.htm";
        $inner_template1 = "themes/$user_theme/templates/inner_upload_video_form.htm";
        $TBS = new clsTinyButStrong;
        $TBS->NoErr = true;
        $TBS->LoadTemplate("$template");
        $TBS->Render = TBS_OUTPUT;
        $TBS->Show();
        @mysql_close();
        die();
    }
    // display clean page
    if (!isset($form_submitted) || ($form_submitted == "")) {
        $template = "themes/$user_theme/templates/main_1.htm";
        $inner_template1 = "themes/$user_theme/templates/inner_upload_video_form.htm";
        $TBS = new clsTinyButStrong;
        $TBS->NoErr = true;
        $TBS->LoadTemplate("$template");
        $TBS->Render = TBS_OUTPUT;
        $TBS->Show();
        @mysql_close();
        die();
    }
    if ($procede == true && $form_submitted == 'yes') {
        if ($_SESSION['user_id'] == "") die();
        //=================================START OF UPLOAD=================================
        $THIS_VERSION = '2.0';
        if (isset($_GET['cmd']) && $_GET['cmd'] == 'about') {
            kak("<u><b>UBER UPLOADER FILE UPLOAD</b></u><br>UBER UPLOADER VERSION = <b>" . $UBER_VERSION . "</b><br>UU_FILE_UPLOAD = <b>" . $THIS_VERSION . "<b><br>\n");
        }
        $tmp_sid = md5(uniqid(mt_rand(), true));
        ///////////////////////////////////////////////////////////////////////
        // This is where you might set your config file eg.                  //
        // if($_SESSION['user'] == "tom"){ $config_file = 'uu_tom_config'; } //
        ///////////////////////////////////////////////////////////////////////
        $config_file = $default_config_file;
        $path_to_upload_script .= '?tmp_sid=' . $tmp_sid;
        $path_to_ini_status_script .= '?tmp_sid=' . $tmp_sid;
        if ($MULTI_CONFIGS_ENABLED) {
            $path_to_upload_script .= "&config_file=$config_file";
            $path_to_ini_status_script .= "&config_file=$config_file";
        }
        //allow form to be refilled on error
        foreach($_POST as $key=>$value) {
            $$key = $value;
        }
        $template = "themes/$user_theme/templates/main_1.htm";
        $inner_template1 = "themes/$user_theme/templates/inner_upload_video.htm";
        $TBS = new clsTinyButStrong;
        $TBS->NoErr = true;// no more error message displayed.
        $TBS->LoadTemplate("$template");
        $TBS->Render = TBS_OUTPUT;
        $TBS->Show();
        @mysql_close();
        die();
        //===============================================================END OF UPLOADER================================================================
    }
    function die_spammer_alerts() {
        global $member_uploading, $user_ip, $admin_email, $site_name;
        $subject = 'Possible Video Spamming !!';
        $message = "The following member uploaded a possible spam video: => " . $member_uploading . "\n\n" . "The IP used: " . $user_ip . "\n";
        $to = $admin_email;
        $from = $site_name;
        mail($to, $subject, $message, "From: $from");
        // if config auto ban spammer is true - enter user name and ip to ban table
        /*
        include_once ('classes/config.php');
        $sql = "DELETE FROM videos WHERE video_id = '$raw_video'";
        $query = @mysql_query($sql);
        */
        write_log($message);
    }
    function write_log($message) {
        global $tracking_log_file;
        if (@file_exists($tracking_log_file)) {
            $fo = @fopen($tracking_log_file, 'a');
            @fwrite($fo, $message);
            @fclose($fo);
        } else {
            $fo = @fopen($tracking_log_file, 'w');
            @fwrite($fo, $message);
            @fclose($fo);
        }
        exit();
    }
    ?>

ginerjm Posted October 10, 2014

Looking at this code I see no setting of a 'thumbnail' field. But I do see some horribly bad usage of the @ sign to suppress errors. WHY WOULD YOU EVER WANT TO HIDE ERRORS????? Don't do it.

Chrisj Posted October 10, 2014

Thanks for all of your help and for your insight. I think I've got it now. Much thanks again.