<?php
   error_reporting(E_ERROR | E_WARNING | E_PARSE);

 include("../Connections/Connect.php");

// this function is used to sanitize code against sql injection attack.
function ms_escape_string($data) {
        if ( !isset($data) or empty($data) ) return '';
        if ( is_numeric($data) ) return $data;

        $non_displayables = array(
            '/%0[0-8bcef]/',            // url encoded 00-08, 11, 12, 14, 15
            '/%1[0-9a-f]/',             // url encoded 16-31
            '/[\x00-\x08]/',            // 00-08
            '/\x0b/',                   // 11
            '/\x0c/',                   // 12
            '/[\x0e-\x1f]/'             // 14-31
        );
        foreach ( $non_displayables as $regex )
            $data = preg_replace( $regex, '', $data );
        $data = str_replace("'", "''", $data );
        return $data;
    }

    // You may want to add document root
    $target = $_SERVER['DOCUMENT_ROOT']."/uploads";
    // I am filtering the files in case there are empty uploads
    // You need to have the proper file input name (item)
    $_FILES['item']['tmp_name'] =   array_filter($_FILES['item']['tmp_name']);
    $_FILES['item']['name'] =   array_filter($_FILES['item']['name']);
    $_FILES['item']['type'] =   array_filter($_FILES['item']['type']);
    $_FILES['item']['size'] =   array_filter($_FILES['item']['size']);


    foreach($_FILES['item']['name'] as $i => $value ) {
            $file_name              =   $_FILES['item']['name'][$i];
            $file_size              =   $_FILES['item']['size'][$i];
            $file_tmp               =   $_FILES['item']['tmp_name'][$i];
            $file_type              =   $_FILES['item']['type'][$i];

            $bidDate                =   ms_escape_string($_POST['txtBidDate']);
            $dueDate                =   ms_escape_string($_POST['txtDueDate']);
            $dueTime                =   ms_escape_string($_POST['txtDueTime']);
            $bidTitle               =   ms_escape_string($_POST['BidTitle']);
            $bidId                  =   ms_escape_string($_POST['BidID']);
            $desc                   =   ms_escape_string($_POST['Description']);
            $dept                   =   ms_escape_string($_POST['Department']);
            $bidContact             =   ms_escape_string($_POST['BidContact']);
            $contactEmail           =   ms_escape_string($_POST['ContactEmail']);
            $contactPhone           =   ms_escape_string($_POST['ContactPhone']);
            $numBids                =   ms_escape_string($_POST['NumofBids']);
            $awardDate              =   ms_escape_string($_POST['txtAwardDate']);
            $awardrecip1            =   ms_escape_string($_POST['AwardRecip']);
            $bidType                =   ms_escape_string($_POST['BidType']);
            $lastUpdate             =   ms_escape_string($_POST['txtLastUpdate']);
            $notes                  =   ms_escape_string($_POST['Notes']);
            $status                 =   ms_escape_string($_POST['Status']);

            $sqlArr['values'][$i]   =   "'".ms_escape_string($_FILES['item']['name'][$i])."'";
            $sqlArr['columns'][$i]  =   "Addend".$i;
            $sqlArr['columns']  =   "SignInSheet";
            $sqlArr['columns']  =   "TabSheet";
            $sqlArr['columns']  =   "BidFile";
            // At this point you are only notifying user.
            // You have no code to prevent this limitation.
            if ($file_type!="application/pdf" || $file_type!="image/gif" || $file_type!="image/jpeg")
                 $echo =    'You can only upload PDFs, JPEGs or GIF files.<br>';
            // So far, this is just for notification, you haven't
            // actually done anything about this limitation
            if($file_size >  (8 * 1024 * 1024))
                $echo='File size must be less than 8 MB';

            // Makes the folder if not already made.
            if(!is_dir($target))
                mkdir($target,0755,true);

            //Writes the files to the server
            if(move_uploaded_file($_FILES['item']['tmp_name'][$i], $target."/".$file_name)) {
                //If all is ok
                echo "The file ". $file_name. " has been uploaded to the directory and records saved to the database";
            }
            else {

            //Gives an error if it's not
            echo "Sorry, there was a problem uploading your file.";
            }
        }
if(isset($sqlArr['columns'])) {
    $sql="INSERT INTO bids (BidDate,DueDate,DueTime,BidTitle,BidID,Description,,'".implode("','",$sqlArr['columns'])."',Department,Xcontract,ContactEmail,ContactPhone,NumofBids,AwardDate,AwardRecip1,BidType,LastUpdate,Notes,BidStatus)
              VALUES ('$bidDate', '$dueDate','$dueTime',$bidTitle','$bidId','$desc',".implode(",",$sqlArr['values']).", '$dept','$bidContact','$contactEmail','$contactPhone','$numBids','$awardDate','$awardrecip1','$bidType','$lastUpdate','$notes',$status')" ;
    $objQuery = sqlsrv_query($conn, $sql);
    sqlsrv_close($conn);
} ?>

Hi again,

 

The following code is supposed to upload at least one file or as many as 9 files to the upload folder called uploads and then save the rest of the data to the database.

 

When I run the code, I get my custom message that file(s) successfully uploaded to the folder and records successfully saved to the database.

 

When I check the db, no records. When I check the folder, no files.

 

I have verified that the folder has proper permissions and that the form has the POST method with enctype attributes.

 

When I debugged the insert code, I see one major problem.

 

Addend should be Addend1 through Addend6. Then three others called SignInSheet, TabSheet and BidFile.

 

Instead, the INSERT statement shows Addend0 as well as Addend8.

 

I am a .NET guy and unfortunately got in over my head by accepting a PHP project, and this part is a bit over my head.

 

Your kind help is greatly appreciated.
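
The upload checks from the posted script, as an added example that is not part of the original post or of any reply. The posted `!=` comparisons joined with `||` are true for every value, and `$_FILES['item']['type']` is supplied by the client, so this version reads the type from the file content, enforces the 8 MB limit and generates the stored name on the server. The function name `check_upload`, the constructed sample files and the availability of the fileinfo extension are assumptions.

```php
<?php
// Added example, not code from the thread. Checks one uploaded file before it
// is moved into the uploads folder. Assumes the fileinfo extension is enabled.

const MAX_BYTES = 8 * 1024 * 1024; // 8 MB limit stated in the original post

/**
 * Returns [storedName, null] when the file is acceptable,
 * or [null, message] when it must be rejected.
 */
function check_upload(string $tmpPath, int $size, int $error): array
{
    $allowed = [ // MIME type detected from content => extension used on disk
        'application/pdf' => 'pdf',
        'image/gif'       => 'gif',
        'image/jpeg'      => 'jpg',
    ];
    if ($error !== UPLOAD_ERR_OK) {
        return [null, "Upload failed (PHP upload error code $error)."];
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        return [null, 'File size must be less than 8 MB'];
    }
    // $_FILES[...]['type'] is sent by the client, so read the type from the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext  = is_string($mime) ? ($allowed[$mime] ?? null) : null;
    if ($ext === null) {
        return [null, 'You can only upload PDFs, JPEGs or GIF files.'];
    }
    // Server-generated name: the client-supplied name never becomes part of a path.
    return [bin2hex(random_bytes(16)) . '.' . $ext, null];
}

// Constructed samples standing in for $_FILES['item']['tmp_name'][$i].
$samples = [
    'report.pdf' => "%PDF-1.4\n%%EOF\n",
    'notes.jpg'  => "plain text with an image file name\n",
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    [$stored, $err] = check_upload($tmp, strlen($bytes), UPLOAD_ERR_OK);
    echo $clientName, ' => ', $err ?? "accept as $stored", PHP_EOL;
    // In the real handler, only on success:
    //   move_uploaded_file($tmp, $target . '/' . $stored);
    unlink($tmp);
}
```

Store the generated name in the database column and keep the client's original name, if it is needed for display, as a separate bound value.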

 

 

 

Tried the upload portion on 2 different servers, it made the directory and also uploaded 2 different files.

 

Double check permissions.

 

Check that file uploads are enabled in php.ini

file_uploads = On
            $file_name              =   $_FILES['item']['name'][$i];
            $file_size              =   $_FILES['item']['size'][$i];
            $file_tmp               =   $_FILES['item']['tmp_name'][$i];
            $file_type              =   $_FILES['item']['type'][$i];

             $sqlArr['values'][$i]   =   "'".ms_escape_string($_FILES['item']['name'][$i])."'";
            $sqlArr['columns'][$i]  =   "Addend".$i;
            $sqlArr['columns'][]    =   "SignInSheet";
            $sqlArr['columns'][]    =   "TabSheet";
            $sqlArr['columns'][]    =   "BidFile";

Ok, good to know this.

 

Thanks very much.

 

However, I still need help figuring out this last part.

 

Please see the bolded lines:

 

When I debug the INSERT statement, I see that the code is trying to insert Addend to the database incorrectly.

 

For instance, here are the following file names on the database: BidFile; Addend, which has Addend1, Addend2, Addend3, Addend4, Addend5, Addend6; SignInSheet; and TabSheet. These are files that need to be uploaded to the server and their filenames saved to the database.

 

When I debug the INSERT statement, it treats BidFile, which is the first one, as Addend0 and treats TabSheet which is the last file to be uploaded as Addend8.

 

That's wrong and because of this nothing is getting inserted into the database.

Can anyone please help?

Edited by kelechi
$sql="INSERT INTO mytable(BidFile,'".implode("','",$sqlArr['columns'])."',SignInSheet,TabSheet)
VALUES('$bidFile',".implode(",",$sqlArr['values']).",'$signSheet','$tabSheet') and rest of the fields.

//Then declaration:

            $bidFile                =   "'".ms_escape_string($_FILES['BidFile']['name'])."'";
            $sqlArr['values'][$i]   =   "'".ms_escape_string($_FILES['item']['name'][$i])."'";
            $sqlArr['columns'][$i]  =   "Addend".$i;
            $signSheet                =   "'".ms_escape_string($_FILES['SignInSheet']['name'])."'";
            $tabSheet                =   "'".ms_escape_string($_FILES['TabSheet']['name'])."'";

UPDATE: I was able to separate the files and everything seems to be in sync.

 

For instance, now, I have the following insert statement above.

Now, the files being uploaded match up with files saved to the database.

 

*ONLY* thing left now is to get Addend to start at position 1 as opposed to 0.

So, I know PHP, like most scripting languages, has arrays start at index 0, but how can I get Addend to start at 1 instead of 0?

 

For instance, instead of Addend0, it starts at Addend1.

 

Thanks
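
One way to build the INSERT so that the Addend columns are numbered from 1 and every value is bound as a parameter instead of being escaped and concatenated (added example, not code from the thread). The function name `build_bid_insert`, the column allowlist and the sample values are assumptions; `sqlsrv_query` takes the parameter array as its third argument.

```php
<?php
// Added example, not code from the thread. Column names come only from a fixed
// list or from a counter; every value is passed to the driver as a parameter.

/**
 * $fields:  column => value for the form fields and the three named files.
 * $addenda: stored file names of the addendum uploads, in upload order.
 * Returns [$sql, $params] for sqlsrv_query($conn, $sql, $params).
 */
function build_bid_insert(array $fields, array $addenda, array $allowedCols, int $maxAddenda = 6): array
{
    $columns = [];
    $params  = [];
    foreach ($fields as $col => $value) {
        if (!in_array($col, $allowedCols, true)) {
            throw new InvalidArgumentException("Unexpected column: $col");
        }
        $columns[] = "[$col]";
        $params[]  = $value;
    }
    // array_filter() leaves gaps in the keys; array_values() re-indexes from 0,
    // and the +1 turns that into Addend1..AddendN.
    foreach (array_values($addenda) as $i => $name) {
        if ($i >= $maxAddenda) {
            throw new LengthException("At most $maxAddenda addenda are accepted");
        }
        $columns[] = '[Addend' . ($i + 1) . ']';
        $params[]  = $name;
    }
    $placeholders = implode(', ', array_fill(0, count($params), '?'));
    $sql = 'INSERT INTO bids (' . implode(', ', $columns) . ") VALUES ($placeholders)";
    return [$sql, $params];
}

// Constructed sample data standing in for the validated form and upload results.
$allowedCols = ['BidDate', 'BidTitle', 'BidID', 'BidFile', 'SignInSheet', 'TabSheet'];
[$sql, $params] = build_bid_insert(
    ['BidTitle' => "Roof repair, O'Neil site", 'BidID' => 'B-100', 'BidFile' => 'bid.pdf'],
    [1 => 'addendum-a.pdf', 3 => 'addendum-b.pdf'],
    $allowedCols
);
echo $sql, PHP_EOL;
print_r($params);
// With a live connection: $stmt = sqlsrv_query($conn, $sql, $params);
```

The apostrophe in the sample title needs no escaping because it travels as a bound value, which makes a helper such as `ms_escape_string` unnecessary for this statement.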
