My First "Public File Upload" form... Feedback welcomed.


suttercain


Hi everyone,

I have built forms in the past for users, but this is my first attempt at allowing visitors to upload an image. The idea is that I have a comicbook database and if I don't already have an image on file for that issue, a visitor can upload one (and save me the time).

Would you be so kind to look at my code below and let me know if I am missing anything security-wise? I check the size and also the type (jpg or gif only). I also have the file renamed to match the unique comicbook id.

Thanks in advance.

<?php
include('../includes/get_connected.php');   // defines the $connect database link
if ($_FILES['titleSheet']['size'] < 1250000) {
	if ($_FILES['titleSheet']['type'] === "image/gif" || $_FILES['titleSheet']['type'] === "image/jpg" || $_FILES['titleSheet']['type'] === "image/jpeg") {
		// Escape the posted id before it is interpolated into either query
		$comic_id = mysql_real_escape_string($_POST['id'], $connect);
		$sqlImage = mysql_query("SELECT comic_id FROM comics WHERE comic_id = '$comic_id'", $connect) or die(mysql_error($connect));
		$image = mysql_fetch_row($sqlImage);
		$imageName = $image[0];

		// PROCESS IMAGE: move the upload into the full-size directory under its temp name
		$target_path = "../images/titleSheet/full/";
		$target_path = $target_path . basename($_FILES['titleSheet']['tmp_name']);
		move_uploaded_file($_FILES['titleSheet']['tmp_name'], $target_path);

		// EXPLODE TO RENAME IMAGE: the extension is the LAST dot-separated part, not the second
		$fileName = $_FILES['titleSheet']['name'];
		$broken = explode(".", $fileName);
		$ext = strtolower(end($broken));
		rename($target_path, "../images/titleSheet/full/" . $imageName . "." . $ext);

		// Upload Image Name Into Table
		$image = $imageName . "." . $ext;
		$insert = mysql_query("INSERT INTO titleSheet (comic_id, image) VALUES ('$comic_id', '$image')", $connect) or die(mysql_error($connect));
		if ($insert) {
			header("Location: http://www.supermandatabase.com/comics/$comic_id");
			exit;   // stop the script after the redirect header
		}
	} else {
		echo "The image file must be in .gif, .jpg or .jpeg format.";
	}
} else {
	echo "The file was too large!";
}
?>
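The handler above trusts three things the browser sends: the `type` field (a client-supplied MIME string), the original filename (used to pick the stored extension), and `$_POST['id']` (concatenated straight into SQL). The following is an added example, not the poster's code, of the same upload flow with each of those replaced by a server-side check: the image type is detected from the file's bytes with `finfo` and `getimagesize()`, the stored extension is chosen from that detected type rather than from the filename, the comic id must be a positive integer and is bound as a query parameter, and the file is written once to its final name with no intermediate `rename()`. It assumes a PDO connection in `$pdo` (the page's include builds a `mysql_*` link instead, so that handle is an assumption), the form field `titleSheet`, and the `comics` / `titleSheet` tables as used in the original post.

```php
<?php
// Added example (not the original poster's code). Assumes $pdo is a PDO
// connection to the same database; the table and field names come from the post.
declare(strict_types=1);

const MAX_BYTES  = 1250000;                                  // same limit as the post
const UPLOAD_DIR = __DIR__ . '/../images/titleSheet/full/';  // same directory as the post
// MIME type detected from file CONTENT => extension we will store.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validate one entry of $_FILES. Returns [true, 'jpg'|'gif'] or [false, reason].
 * Only PHP's own error code/size and the file bytes are trusted; the
 * client-supplied 'type' and 'name' fields are never consulted.
 */
function validateUpload(array $file): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return [false, 'not a gif or jpeg'];
    }
    // getimagesize() must be able to parse the image header, not just the magic bytes.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a decodable image'];
    }
    return [true, ALLOWED[$mime]];
}

// The comic id must be a positive integer; anything else is rejected before SQL.
$comicId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($comicId === false || $comicId === null) {
    exit('Invalid comic id.');
}

// Confirm the comic exists, with a bound parameter instead of string concatenation.
$stmt = $pdo->prepare('SELECT comic_id FROM comics WHERE comic_id = ?');
$stmt->execute([$comicId]);
if ($stmt->fetchColumn() === false) {
    exit('Unknown comic.');
}

[$ok, $extOrReason] = validateUpload($_FILES['titleSheet'] ?? []);
if (!$ok) {
    exit(htmlspecialchars($extOrReason, ENT_QUOTES, 'UTF-8'));
}

// The stored name is built only from the validated id and the detected type,
// so no part of the client's filename ever becomes a path on disk.
$storedName = $comicId . '.' . $extOrReason;
$target = UPLOAD_DIR . $storedName;
if (!move_uploaded_file($_FILES['titleSheet']['tmp_name'], $target)) {
    exit('Could not store the file.');
}
chmod($target, 0644);   // readable by the web server, never executable

$ins = $pdo->prepare('INSERT INTO titleSheet (comic_id, image) VALUES (?, ?)');
$ins->execute([$comicId, $storedName]);

header('Location: /comics/' . $comicId);
exit;
```

Two points worth checking in your own deployment regardless of which version you run: the upload directory should be served with script execution disabled (or sit outside the document root and be served through a read-only handler), and the filesystem limit enforced by `upload_max_filesize` / `post_max_size` in `php.ini` should be at least as strict as the 1250000-byte check, since PHP applies those before your code ever runs.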
