upload works but can not delete file due to spaces.. i think

[jasonc]

the following code for some reason puts a _ in place of the .

 

the files in the directory are named ok, file1.jpg file2.jpg and so on.

 

the source code prior to clicking the delete button shows all the files correctly formed.

 

the uploaddir is also correct. just the . being changed to a _

 

why would that be?

 

this is my upload and delete file.

 

 

<?

$uploaddir = "/home/mysite/public_html/images";

include("dbconfigfile.php");

if ($_POST['d'] == "1") {

foreach($_POST as $key => $val) {

if ($key != "*.*" && $key != "*" && $key != "d") {

// delete file name only from images-filename, but... if the imagelocation is empty then delete the whole entry line from DB.

//delete file from folder if exists !

unlink($uploaddir . $key);

echo($uploaddir . $key."<br><br><br><br>");

echo($key.' Deleted<br>');

mysql_query("DELETE FROM `images` WHERE `filename` ='" . $key . "' LIMIT 1;") or die(mysql_error());

}

}

echo("files are not really deleted yet, still working on it.");

} else {

?><p align="center">Please note that if you upload a file with the same name as another file you have uploaded, this new file will over write the old file.</p><p align="center">Your Existig Files...</p><p align="center">

<? $dh = opendir($uploaddir);

?><form name="form1" method="post" action=""><input name="d" type="hidden" value="1"><?

while (false !== ($filename = readdir($dh))) {

$ext = getFileExtension($filename);

if(in_array($ext, $allowed)) {

?><input type="submit" name="<?=$filename;?>" value="DELETE"> <?=$filename;?><br><?

}

}

?></form></p>

<form action="" method="POST" enctype="multipart/form-data">

<table width="444" height="218" border="1" align="center">

<tr align="center">

<td height="152" colspan="2">

<? if(isset($_REQUEST['submit']) && $_FILES['imgfile']['name'] != "") {

$file = $_FILES['imgfile']['name']; $tmp_file = $_FILES['imgfile']['tmp_name']; $size = $_FILES['imgfile']['size'];

$upload = $uploaddir . $file; $ext = getFileExtension($file);

if(!in_array($ext, $allowed)) { echo "ERROR: Invalid file extension.";

} elseif (move_uploaded_file($tmp_file, $upload)) {

// set info about image in mysql

$update = mysql_query("INSERT INTO `images` (`imagelocation` , `filename`, `uploadedby`) VALUES ('', '" . $file . "', '" . $_SESSION['adminusername'] . "')") or die(mysql_error());

echo $file."<br>Upload successfully!<br>";

} else { echo "Image upload failed.";

}

} else { echo("No file uploaded");

} ?>

</td>

</tr>

<tr><td height="28" colspan="2"><div align="right"><input type="file" name="imgfile"><input type="hidden" name="MAX_FILE_SIZE" value="20000"></div></td></tr>

<tr><td width="372" height="28"><p>.doc .gif .jpg .wma .mp3 .pdf .ppt .pub .rtf .txt .zip      only</p></td><td width="56"><input name="submit" type="submit" value="Upload"></td></tr>

</table>

</form>

<? }

} ?>

[redarrow]

try

 

mysql_real_escape_string();

[jasonc]

thanks

 

i have taken a look at php.net/mysql_real_escape_string

 

not real sure what i am doing in this case using mysql_real_escape_string

 

i have data posted and just placed straight into the database seems this is not the way to do it?

 

if i am right i have to use this to place the data in and again use it to verify that the data in the database is the same as what i am looking for?

 

 

INSERT INTO `stuff` (`field1`, `field2`) VALUES ('mysql_real_escape_string($data1)', 'mysql_real_escape_string($data2));

 

then

 

SELECT * from `stuff` WHERE `field1` = 'mysql_real_escape_string($data1)');

 

 

?