Jump to content

Recommended Posts

Ok, here we go.

I have a script that uploads some pictures to my web server, and inserts a link to the picture in my database..... this works fune... no problem.

Now, however, i want to change the file name to something like "username1.jpg", "username2.jpg" etc etc, in order to guarentee unique filenames for each members pictures.

Ive managed to change the filename to "username1" .. but im loosing the extension jpg, gif etc .... the wierd thing is it still seems to work, i mean they display correctly and everything... but i dont think this is the correct way of doing it,

So, my first question is how would i modify the script below to change the filename and preserve the file extension..... oh... and $filetype = $_FILES['filename']['type']; doesnt work because it returne type/gif not .gif, I suppose i could do this with some if else statements based around "$filetype = $_FILES['filename']['type'];", but is that really the only way? .... & whats the most secure way? I understand $filetype = $_FILES['filename']['type']; is only the mime type, and is therefore completely under the controll of the user anyway.... so i guess id like some suggestions on how to make sure of the filetype being uploaded.

Heres the script for uploading the first picture;

[code]
<?php
session_start();
include("include.inc");
if ( $_SESSION['login'] != "true" )
{
header("location: hacker.php");
}

else
{
$filetype = $_FILES['filename']['type'];
$username = $_SESSION['username'];
$filename = $_FILES['filename']['name'];
$new_filename = $username."1";
$filepath = "pictures/".$new_filename;
echo "<h1 align = 'center'>Your File has been uploaded. Click <a href='picturemanager.php'>Here</a>to Return</h1>";

      $source = "pictures";
      move_uploaded_file($_FILES['filename']['tmp_name'],
              "../xxx/xxx/$source/".$new_filename); // this line is for local host
  /*"../xxx/$source/".$_FILES['filename']['name']);*/ //this line is for remote server
}

$connection=mysql_connect($host, $user, $passwd)
or die ("Could not connect !");
$db = mysql_select_db($database, $connection)
or die ("Could not connect to Database");

$username = $_SESSION['username'];
$query = "UPDATE members SET picture = '$filepath' WHERE user_name='$username'";
$result = mysql_query($query)
or die ("could not add picture.");

?>[/code]

My second question is about overwriting files.............. lets say i have a user called Frank ... his first picture would be frank1.jpg, then frank2.jpg etc etc.

Now this ensures that other useres dont try and upload files with the same names.

But what if Frank wants to change his pictures???

At the moment i get an error if i try to upload a picture with the same name as one that allready exists in the designated file, so how do i go about allowing my users (frank in this case) to overwrite a picture that allready exists ?
Why not just use a regular expression... Give this a try:

[code]<?php
$filetype = $_FILES['filename']['type'];
$username = $_SESSION['username'];
$filename = $_FILES['filename']['name'];
preg_match("/\.w{3}$/", $filename, $matches); // I added this
$new_filename = $username."1".$matches[1]; // and the last part of this
$filepath = "pictures/".$new_filename;
?>[/code]

This line
[code=php:0]preg_match("/\.w{3}$/", $filename, $matches);[/code]
just says capture anything that has a period, followed by three letters, followed by an end of line.

Regards
Huggie
Things arnt working as planned huggie mate.

It still wont pick up things like .jpeg (presumably becasue this is 4 letters after the period)

and i now have a problem with my if else statements.... could you possibly take a look?

hers the script as it is now

[code]
<?php
session_start();
include("include.inc");
if ( $_SESSION['login'] != "true" )
{
header("location: hacker.php");
}

else
{
if ($_FILES['filename']['type'] != "image/jpeg || image/gif")
{
echo "Sorry you must upload only files of the type .jpg .jpeg or .gif, Click <a href='picturemanager.php'>Here</a> to try again";
}
else
{

$filetype = $_FILES['filename']['type'];
$username = $_SESSION['username'];
$filename = $_FILES['filename']['name'];
preg_match("/\.w{4}$/", $filename, $matches); // I added this
$new_filename = $username."1".$matches[1]; // and the last part of this

$myFile = $new_filename;
unlink("pictures/".$myFile);

$filepath = "pictures/".$new_filename;
echo "<h1 align = 'center'>Your File has been uploaded. Click <a href='picturemanager.php'>Here</a>to Return</h1>";

      $source = "pictures";
      move_uploaded_file($_FILES['filename']['tmp_name'],
              "../xxx/xxx/$source/".$new_filename); // this line is for local host
  /*"../xxx/$source/".$_FILES['filename']['name']);*/ //this line is for remote server

}
}

$connection=mysql_connect($host, $user, $passwd)
or die ("Could not connect !");
$db = mysql_select_db($database, $connection)
or die ("Could not connect to Database");

$username = $_SESSION['username'];
$query = "UPDATE members SET picture = '$filepath' WHERE user_name='$username'";
$result = mysql_query($query)
or die ("could not add picture.");

?>[/code]
Sorry, my fault.

The code I posted should have looked like this...

[code]<?php
preg_match('/\.\w{3,4}$/', $filename, $matches);
$new_filename = $username."1".$matches[0];
?>[/code]

This will work with .jpg, .jpeg, .gif

Regards
Huggie
This is what i ahve now :

[code]
<?php
session_start();
include("Vars.inc");
if ( $_SESSION['login'] != "true" )
{
header("location: hacker.php");
}

else
{
if ($_FILES['filename']['type'] != "image/jpg" || "image/gif" || "image/pjpeg")
{
echo "Sorry you must upload only files of the type .jpg .jpeg or .gif, Click <a href='picturemanager.php'>Here</a> to try again";
}
else
{

$filetype = $_FILES['filename']['type'];
$username = $_SESSION['username'];
$filename = $_FILES['filename']['name'];
preg_match('/\.\w{3,4}$/', $filename, $matches);
$new_filename = $username."1".$matches[0];

$myFile = $new_filename;
unlink("pictures/".$myFile);

$filepath = "pictures/".$new_filename;
echo "<h1 align = 'center'>Your File has been uploaded. Click <a href='picturemanager.php'>Here</a>to Return</h1>";

      $source = "pictures";
      move_uploaded_file($_FILES['filename']['tmp_name'],
              "../xxx/xxx/$source/".$new_filename); // this line is for local host
  /*"../xxx/$source/".$_FILES['filename']['name']);*/ //this line is for remote server

}
}


$connection=mysql_connect($host, $user, $passwd)
or die ("Could not connect !");
$db = mysql_select_db($database, $connection)
or die ("Could not connect to Database");

$username = $_SESSION['username'];
$query = "UPDATE members SET picture = '$filepath' WHERE user_name='$username'";
$result = mysql_query($query)
or die ("could not add picture.");

?>[/code]

It seems to allways drop through to the ... "you must upload a gif, jpg or jpeg" statement
Make the first line of your if look like this:

[code=php:0]if ($_FILES['filename']['type'] != "image/jpeg" || $_FILES['filename']['type'] != "image/pjpeg" || $_FILES['filename']['type'] != "image/gif")[/code]

Not this:

[code=php:0]if ($_FILES['filename']['type'] != "image/jpg" || "image/gif" || "image/pjpeg")[/code]

That should fix it.

Huggie
Sorry about this Huggie...... but it wont upload anything now

I tried
[code]
<?php
if ($_FILES['filename']['type'] != ("image/jpg" || "image/gif" || "image/pjpeg"))
?>
[/code]
But that just allowed everything to be uploaded, however;
[code]
<?php
if ($_FILES['filename']['type'] != "image/jpeg" || $_FILES['filename']['type'] != "image/pjpeg" || $_FILES['filename']['type'] != "image/gif")
?>
[/code]
Wont allow anything to be uploaded....... lol, this is driving me mad
I think you should be doing something like this (notice I'm using an array key here) I'm sure this is where things are going wrong for you, as each component within the $_FILES array is an array in itself, so [code=php:0]$_FILES['imagefile']['type'][/code] is an array too:

[code]
<?php
foreach ($_FILES['imagefile']['error'] as $k => $error){
  if ($_FILES['imagefile']['error'][$k] == 0){
      if ($_FILES['imagefile']['type'][$k] == "image/jpeg" || $_FILES['imagefile']['type'][$k] == "image/gif" || $_FILES['imagefile']['type'][$k] == "image/pjpeg"){
        // Do your processing here
      }
  }
}
?>
[/code]

Huggie
OK, I'll cover that in a minute, in the mean time, try changing this:

[code=php:0]if ($_FILES['filename']['type'] != "image/jpeg" || $_FILES['filename']['type'] != "image/pjpeg" || $_FILES['filename']['type'] != "image/gif")[/code]

To this:

[code=php:0]if ($_FILES['filename']['type'][0] != "image/jpeg" || $_FILES['filename']['type'][0] != "image/pjpeg" || $_FILES['filename']['type'][0] != "image/gif")[/code]

and attempt to upload one file and see what happens.

Huggie
heres the code again;

[code]
<?php
session_start();
include("Vars.inc");
if ( $_SESSION['login'] != "true" )
{
header("location: hacker.php");
}

else
{
if ($_FILES['filename']['type']['0'] != "image/jpeg" || $_FILES['filename']['type']['0'] != "image/pjpeg" || $_FILES['filename']['type']['0'] != "image/gif") 
{
echo "Sorry you must upload only files of the type .jpg .jpeg or .gif, Click <a href='picturemanager.php'>Here</a> to try again";
}
else
{

$filetype = $_FILES['filename']['type'];
$username = $_SESSION['username'];
$filename = $_FILES['filename']['name'];
preg_match('/\.\w{3,4}$/', $filename, $matches);
$new_filename = $username."1".$matches[0];

$myFile = $new_filename;
unlink("pictures/".$myFile);

$filepath = "pictures/".$new_filename;
echo "<h1 align = 'center'>Your File has been uploaded. Click <a href='picturemanager.php'>Here</a>to Return</h1>";

      $source = "pictures";
      move_uploaded_file($_FILES['filename']['tmp_name'],
              "../xxx/xxx/$source/".$new_filename); // this line is for local host
  /*"../xxx/$source/".$_FILES['filename']['name']);*/ //this line is for remote server
 
 

$connection=mysql_connect($host, $user, $passwd)
or die ("Could not connect !");
$db = mysql_select_db($database, $connection)
or die ("Could not connect to Database");

$username = $_SESSION['username'];
$query = "UPDATE members SET picture = '$filepath' WHERE user_name='$username'";
$result = mysql_query($query)
or die ("could not add picture.");
}
}


?>[/code]
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.