duduwudu (Posted July 7, 2007)

Hello,

I've been building a test version of an on-line local business directory (using php and mysql). It's going really well (especially as I'm still a beginner really). So far I've got some information in my database, a search page, master listing, admin area for editing the information and I've also created a page for adding new entries to the database.

So far it's all working very well but I would like to make an addition...

On the page where you can add new entries to the database, one of the text fields is for an image url. I'd like to be able to change this to an option that would let you upload an image from your computer to the server, and take the location of the image on the server and put that in the database.

Apologies if this isn't too clear. I've not done this before so I am not sure how easy this would be to do.

Can anyone offer any help or advice? I'd be very grateful if you could.

Cheers

Barand (Posted July 7, 2007)

see http://www.php.net/manual/en/features.file-upload.php

duduwudu (Posted July 7, 2007, Author)

> see http://www.php.net/manual/en/features.file-upload.php

Cheers,

Would it be easily implemented into the following?

```php
<?php require_once('Connections/JakcamDatabastest.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO businesses (id, name, type, ad1, ad2, ad3, ad4, tel, email, web, photo, info) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['id'], "int"),
                       GetSQLValueString($_POST['name'], "text"),
                       GetSQLValueString($_POST['type'], "text"),
                       GetSQLValueString($_POST['ad1'], "text"),
                       GetSQLValueString($_POST['ad2'], "text"),
                       GetSQLValueString($_POST['ad3'], "text"),
                       GetSQLValueString($_POST['ad4'], "text"),
                       GetSQLValueString($_POST['tel'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['web'], "text"),
                       GetSQLValueString($_POST['photo'], "text"),
                       GetSQLValueString($_POST['info'], "text"));

  mysql_select_db($database_JakcamDatabastest, $JakcamDatabastest);
  $Result1 = mysql_query($insertSQL, $JakcamDatabastest) or die(mysql_error());

  $insertGoTo = "showall.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<p>Add a new listing</p>
<form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="form1">
  <table align="center">
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Business Name:</td>
      <td><input type="text" name="name" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Catagory:</td>
      <td><input type="text" name="type" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Address line 1:</td>
      <td><input type="text" name="ad1" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Address line 2:</td>
      <td><input type="text" name="ad2" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Address line 3:</td>
      <td><input type="text" name="ad3" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Address line 4:</td>
      <td><input type="text" name="ad4" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Tel:</td>
      <td><input type="text" name="tel" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Email:</td>
      <td><input type="text" name="email" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Web:</td>
      <td><input type="text" name="web" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Image URL:</td>
      <td><input type="text" name="photo" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Extra Info:</td>
      <td><input type="text" name="info" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right"> </td>
      <td><input type="submit" value="Insert record" /></td>
    </tr>
  </table>
  <input type="hidden" name="id" value="" />
  <input type="hidden" name="MM_insert" value="form1" />
</form>
<p> </p>
</body>
</html>
```

Wuhtzu (Posted July 7, 2007)

I will suggest that you read these tutorials, they will teach you how to create a basic upload script:

http://www.tizag.com/phpT/fileupload.php
http://www.w3schools.com/php/php_file_upload.asp

Regarding the security of file upload, which a lot of tutorials comment on, you just need to think about what you actually allow your users to do. If you create a script which does not require login and allows any type of file to be uploaded then they could place harmful code in the file and go to www.yourdomain.com/newly_uploaded_harmful_file.php and get that code executed.

The safest type of file upload is image upload. It can be determined with almost 100% accuracy whether or not a file is an image, whereas a normal extension check ("I only allow .rar, .zip and .jpg to be uploaded") does no good since you can rename any file to filename.jpg.

You could for example check if the file (potentially an image) has a height and width: http://no.php.net/getimagesize
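
The image-only upload discussed in the thread, applied to the `photo` field of the posted form, as an added example that is not code from any poster. `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED_TYPES` and `store_uploaded_image()` are hypothetical names; it assumes PHP 7 or later and an `uploads` directory in which the web server does not execute scripts.

```php
<?php
// Added example: UPLOAD_DIR, MAX_BYTES, ALLOWED_TYPES and store_uploaded_image() are hypothetical names.
// The form needs enctype="multipart/form-data" and <input type="file" name="photo" />
// in place of the "Image URL" text field.
const UPLOAD_DIR = __DIR__ . '/uploads';  // assumed: served as static files, script execution disabled
const MAX_BYTES  = 2 * 1024 * 1024;       // assumed 2 MB limit
// Accepted image types, mapped to the extension the server assigns.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Validate one $_FILES entry and move it into UPLOAD_DIR.
// Returns the relative path to store in the `photo` column; throws on rejection.
function store_uploaded_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent.');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('File is too large or is not an HTTP upload.');
    }
    // getimagesize() returns false when the content has no recognisable image header,
    // whatever the client-supplied file name or MIME type claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || !array_key_exists($info[2], ALLOWED_TYPES)) {
        throw new RuntimeException('File is not a GIF, JPEG or PNG image.');
    }
    // The server picks both the name and the extension; $file['name'] is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the uploaded file.');
    }
    return 'uploads/' . $name;
}

if (isset($_POST['MM_insert'], $_FILES['photo']) && $_POST['MM_insert'] === 'form1') {
    try {
        // Pass $photoPath to GetSQLValueString(..., "text") instead of $_POST['photo'].
        $photoPath = store_uploaded_image($_FILES['photo']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage()));
    }
}
```

`getimagesize()` reads only the file header, so the server-assigned name and extension, together with a non-executing upload directory, are what keep a stored file from being run as PHP.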