dennismonsewicz Posted March 18, 2008

Here is my code:

Upload.php:

```php
<?php
include "includes/header.php";
include "includes/sidebar.php";

$_SESSION['username'] = $_GET['username'];
?>

<div class="maincontent">
  <div class="maincontentheader">
    <h2><?php echo ucwords($_SESSION['username']); ?>, use the form below to upload an image!</h2>
  </div>
  <form enctype="multipart/form-data" method="post" action="uploadfile.php?username=<?php echo $_SESSION['username']; ?>">
    <input type="hidden" name="MAX_FILE_SIZE" value="200000000" />
    <p><input name="userfile" type="file" id="userfile" /></p>
    <p><input type="submit" name="upload" id="upload" value=" Upload " /></p>
  </form>
  <div class="maincontentfooter">
  </div>
</div>

<?php include "includes/footer.php"; ?>
```

uploadfile.php:

```php
<?php
include "includes/header.php";
include "includes/sidebar.php";

$_SESSION['username'] = $_POST['username'];
?>

<div class="maincontent">
  <div class="maincontentheader">
    <h2><?php echo ucwords($_SESSION['username']); ?>, thank you for your upload!</h2>
  </div>
<?php
if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0)
{
    $fileName = $_FILES['userfile']['name'];
    $tmpName  = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $fp      = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);

    if(!get_magic_quotes_gpc())
    {
        $fileName = addslashes($fileName);
    }

    include "includes/sql.php";

    $query = "INSERT INTO uploads (username, name, size, type, content ) ".
             "VALUES ('" . $_SESSION['username'] . "', '$fileName', '$fileSize', '$fileType', '$content')";

    mysql_query($query) or die('Error Message = ' . mysql_error());

    echo "<p>File $fileName uploaded</p>";
}
?>
  <div class="maincontentfooter">
  </div>
</div>

<?php include "includes/footer.php"; ?>
```

Here is my SQL ERROR MESSAGE:

Error Message = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'R�ggdg�>��Xnn֗ ��>��&�ҩ���vť֝�j�}9"��\vq,c�]�k����Ei�����b�O��>�єz' at line 1

Now I have been able to upload two files into the database but for some reason it is a hit and miss with the upload. And my login credentials are dropped after the upload for some reason. Any ideas?
BlueSkyIS Posted March 18, 2008

It's typically a bad idea to store binary files in a database. I suggest that you store the path and/or name of the file(s) instead.
dennismonsewicz Posted March 18, 2008

Is there a way to dump the image into a Database?
BlueSkyIS Posted March 18, 2008

Yes, it is possible to store images in a MySQL database (at least). I'm not familiar with how to accomplish it because: it's typically a bad idea to store binary files in a database. I suggest that you store the path and/or name of the file(s) instead.
dennismonsewicz Posted March 18, 2008

Hmmm, Aight I will try that. But wouldn't a person be able to download the image(s) if he/she knew the direct path to the image?
PFMaBiSmAd Posted March 18, 2008

addslashes() only escapes a small number of the special characters that will break a query. You need to use mysql_real_escape_string() instead.

And storing a file in a database is a bad idea for several reasons - it is slower than storing it as a file, you will run up against the MySQL maximum data transfer packet size, it makes backing up or transferring your database difficult due to the increased size...
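
An added example, not part of any post in this thread: one way to follow the advice above by keeping the upload on disk and recording only its metadata in the database. It swaps in PDO prepared statements for the mysql_real_escape_string() call suggested above (the mysql_* extension was removed in PHP 7); the stored_name column, the private_uploads folder, the connection details and an enabled fileinfo extension are assumptions.

```php
<?php
// Added example, not the poster's code. Hypothetical names: the stored_name
// column, the private_uploads folder and the DSN/credentials.
session_start();

// Identity comes from the server-side session set at login, never from
// $_GET/$_POST, so a request cannot claim another user's name.
if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Assumes this script sits in the document root, so the folder is one level above it.
$uploadDir = dirname(__DIR__) . '/private_uploads';
$allowed   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

$file = $_FILES['userfile'] ?? null;
if (!$file || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    http_response_code(400);
    exit('Upload failed');
}

// Detect the type from the file contents; $_FILES[...]['type'] is client-supplied.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!isset($allowed[$mime])) {
    http_response_code(415);
    exit('Only JPEG, PNG or GIF images are accepted');
}

// Store under a random server-chosen name; the original name is kept only as metadata.
$storedName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $storedName)) {
    http_response_code(500);
    exit('Could not store file');
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Placeholders keep every value out of the SQL text, so no manual escaping is needed.
$stmt = $pdo->prepare(
    'INSERT INTO uploads (username, name, size, type, stored_name) VALUES (?, ?, ?, ?, ?)'
);
$stmt->execute([$_SESSION['username'], basename($file['name']), $file['size'], $mime, $storedName]);

echo '<p>File ' . htmlspecialchars($file['name'], ENT_QUOTES, 'UTF-8') . ' uploaded</p>';
```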
PFMaBiSmAd Posted March 18, 2008

To protect against an image being directly downloaded or hot linked, you need to put them into a private folder (a folder that is outside of your web document root or a folder that is protected by a .htaccess file) and then only allow downloading of the image through a PHP script that can read the actual file in the private folder.
dennismonsewicz Posted March 18, 2008

Hmmmm... well the problem with writing the .htaccess file is that we are running IIS, not Apache, so I suppose the way around that would be: to have the files uploaded into a folder and have a PHP file that will check against login credentials?
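
An added example, not part of any post in this thread: a download script of the kind discussed in the last two posts, which needs no .htaccess because the files live outside the document root and are only ever read by PHP after a session check. The script name, the id and stored_name columns, the private_uploads folder, the connection details and the owner-only access policy are assumptions.

```php
<?php
// Added example, not code from the thread. Hypothetical names: download.php
// itself, the id and stored_name columns, private_uploads, and the DSN/credentials.
session_start();

// The username must have been put in the session by the login code,
// not copied from $_GET or $_POST.
if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit('Login required');
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad request');
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Assumed policy: users may fetch only their own uploads, so another user's id matches no row.
$stmt = $pdo->prepare('SELECT name, type, stored_name FROM uploads WHERE id = ? AND username = ?');
$stmt->execute([$id, $_SESSION['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The folder sits outside the document root, so IIS never serves it directly.
$uploadDir = realpath(dirname(__DIR__) . '/private_uploads');
$path = ($row && $uploadDir) ? realpath($uploadDir . '/' . basename($row['stored_name'])) : false;

// realpath() resolves ".." and links; refuse anything that ends up outside the folder.
if ($path === false || strpos($path, $uploadDir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Send only known image types; anything else is served as an opaque download.
$images = ['image/jpeg', 'image/png', 'image/gif'];
$type   = in_array($row['type'], $images, true) ? $row['type'] : 'application/octet-stream';

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: inline; filename*=UTF-8''" . rawurlencode($row['name']));
readfile($path);
```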