Jump to content

php file upload path in db and on server

ianhaney

By ianhaney
in PHP Coding Help

 Share

Recommended Posts

ianhaney Advanced Member

ianhaney

Posted
Posted

Hi


 


I need some help please, I have a form that stores data in the db but now I would like to be able to store a filepath in a db table and the actual txt file on the server, I have managed to get the filepath stored in the db but the file does not upload on the server


 


also once that is done, I would like to download that txt file that relates to the id number of the record data added to the db


 


hope that makes sense, below is the coding I have




<?php


ini_set('display_startup_errors', 1);

ini_set('display_errors', 1);

error_reporting(-1);


	require_once("../session.php");


	require_once("../class.user.php");

	$auth_user = new USER();



	$user_id = $_SESSION['user_session'];


	$stmt = $auth_user->runQuery("SELECT * FROM users WHERE user_id=:user_id");

	$stmt->execute(array(":user_id"=>$user_id));


	$userRow=$stmt->fetch(PDO::FETCH_ASSOC);


?>


<?php

/*

Allows the user to both create new records and edit existing records

*/


// connect to the database

include("connect-db.php");


// creates the new/edit record form

// since this form is used multiple times in this file, I have made it a function that is easily reusable

function renderForm($service = '', $website_design_price = '', $seo_price = '', $textfiles = '', $error = '', $id = '')

{ ?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>

<head>

<title>

<?php if ($id != '') { echo "Edit Price List"; } else { echo "New Price List"; } ?>

</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

<link href="css/admin-styles.css" rel="stylesheet" type="text/css" />

</head>

<body>

<h1><?php if ($id != '') { echo "Edit Contact"; } else { echo "New Contact"; } ?></h1>

<?php if ($error != '') {

echo "<div style='padding:4px; border:1px solid red; color:red'>" . $error

. "</div>";

} ?>


<form action="" method="post" class="basic-grey" enctype="multipart/form-data">

<div>

<?php if ($id != '') { ?>

<input type="hidden" name="id" value="<?php echo $id; ?>" />

<p>ID: <?php echo $id; ?></p>

<?php } ?>


<label>Service: *</label> <input type="text" name="service" value="<?php echo $service; ?>"/>

<br/>

<label>Website Design Price: *</label> <input type="text" name="website_design_price" value="<?php echo $website_design_price; ?>"/>

<br>

<label>SEO Price: *</label> <input type="text" name="seo_price" value="<?php echo $seo_price; ?>"/>

<br>

<label>text file for this category: *</label> <input type="hidden" name="size" value="350000"> <input type="file" name="textfile"> 

<p>* required</p>

<br>

<input type="submit" name="submit" value="Submit" />

</div>

</form>

</body>

</html>


<?php }


/*


EDIT RECORD


*/


// if the 'id' variable is set in the URL, we know that we need to edit a record

if (isset($_GET['id']))

{

// if the form's submit button is clicked, we need to process the form

if (isset($_POST['submit']))

{

// make sure the 'id' in the URL is valid

if (is_numeric($_POST['id']))

{


//This is the directory where images will be saved

$target = "/home/sites/broadwaymediadesigns.co.uk/public_html/admin/price-list/txtfileuploads/";

$target = $target . basename( $_FILES['textfile']['name']);


// get variables from the URL/form

$id = $_POST['id'];

$service = htmlentities($_POST['service'], ENT_QUOTES);

$website_design_price = htmlentities($_POST['website_design_price'], ENT_QUOTES);

$seo_price = htmlentities($_POST['seo_price'], ENT_QUOTES);

$textfiles = ($_FILES['textfile']['name']);


// check that firstname and lastname are both not empty

if ($service == '' || $website_design_price == '' || $seo_price == '')

{

// if they are empty, show an error message and display the form

$error = 'ERROR: Please fill in all required fields!';

renderForm($service, $website_design_price, $seo_price, $error, $id);

}

else

{

// if everything is fine, update the record in the database

if ($stmt = $mysqli->prepare("UPDATE pricelist SET service = ?, website_design_price = ?, seo_price = ?, textfile = ? WHERE id=?"))

{

$stmt->bind_param("ssssi", $service, $website_design_price, $seo_price, $textfiles, $id);

$stmt->execute();

$stmt->close();

}


//Writes the photo to the server

if(move_uploaded_file($_FILES['textfile']['tmp_name'], $target))

{

echo "Uploaded and added all ok";

}


// show an error message if the query has an error

else

{

echo "ERROR: could not prepare SQL statement.";

}


// redirect the user once the form is updated

header("Location: view-price-list.php");

}

}

// if the 'id' variable is not valid, show an error message

else

{

echo "Error!";

}

}

// if the form hasn't been submitted yet, get the info from the database and show the form

else

{

// make sure the 'id' value is valid

if (is_numeric($_GET['id']) && $_GET['id'] > 0)

{

// get 'id' from URL

$id = $_GET['id'];


// get the recod from the database

if($stmt = $mysqli->prepare("SELECT * FROM pricelist WHERE id=?"))

{

$stmt->bind_param("i", $id);

$stmt->execute();


$stmt->bind_result($id, $service, $website_design_price, $seo_price, $textfiles);

$stmt->fetch();


// show the form

renderForm($service, $website_design_price, $seo_price, $textfiles, NULL, $id);


$stmt->close();

}

// show an error if the query has an error

else

{

echo "Error: could not prepare SQL statement";

}

}

// if the 'id' value is not valid, redirect the user back to the view.php page

else

{

header("Location: view-price-list.php");

}

}

}


/*


NEW RECORD


*/

// if the 'id' variable is not set in the URL, we must be creating a new record

else

{

// if the form's submit button is clicked, we need to process the form

if (isset($_POST['submit']))

{


// This is the directory where images will be saved

$target = "txtfileuploads";

$target = $target . basename( $_FILES['textfile']['name']);


// get the form data

$service = htmlentities($_POST['service'], ENT_QUOTES);

$website_design_price = htmlentities($_POST['website_design_price'], ENT_QUOTES);

$seo_price = htmlentities($_POST['seo_price'], ENT_QUOTES);

$textfiles = ($_FILES['textfile']['name']);


// check that firstname and lastname are both not empty

if ($service == '' || $website_design_price == '' || $seo_price == '')

{

// if they are empty, show an error message and display the form

$error = 'ERROR: Please fill in all required fields!';

renderForm($service, $website_design_price, $seo_price, $error);


}

else

{

// insert the new record into the database

if ($stmt = $mysqli->prepare("INSERT pricelist (service, website_design_price, seo_price, textfile) VALUES (?, ?, ?, ?)"))

{

$stmt->bind_param("ssss", $service, $website_design_price, $seo_price, $textfiles);

$stmt->execute();

$stmt->close();

}

// show an error if the query has an error

else

{

echo "ERROR: Could not prepare SQL statement.";

}


// redirec the user

header("Location: view-price-list.php");

}


}

// if the form hasn't been submitted yet, show the form

else

{

renderForm();

}

}


// close the mysqli connection

$mysqli->close();

?>

Thank you in advance


 


Ian


Link to comment
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted

you don't even have any code to move the uploaded file in the NEW RECORD logic. are you looking at your code at all?

 

you shouldn't be duplicating the code between the EDIT RECORD and and the NEW RECORD logic. the only thing that's different is the UPDATE query, when you have an id, or the INSERT query when you don't. you should have ONE instance of the logic, then a simple conditional if/else branch to form either the UPDATE or the INSERT query, then back to ONE instance of the logic to execute the query.

Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

It's generally an odd approach to insert the filename before the file is even created. If anything goes wrong, you'll be left with garbage records pointing to files that don't exist.

 

And then there's the total lack of security. You accept arbitrary files and put them straight into your document root. You don't even prevent request forgery, which means the uploaded files could come from absolutely anybody. It almost like improvised FTP.

 

Since you appearently offer quasi-professional services, I strongly recommend you take security more seriously and implement the upload properly. Don't just copy-and-paste the example code from the PHP manual (or wherever you got this from).

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.