
Code problem

Posted: Tue Sep 01, 2009 10:15 pm
by ludmil
Hi, I have a problem with my PHP code. I am trying to upload an image, but it doesn't work. I echo the query and it's printing 1.
Thank you

Code:

<?php
session_start();
include '../functions.php';
my_adminheader('Enter Logo');

// the store name arrives in the query string of the link that opened this page
$store_name = $_GET['store_name'];

if ($_SESSION['user_info']['type'] == 3)
{
    if ($_POST['submit'])
    {
        $name     = $_FILES['myfile']['name'];
        $tmp_name = $_FILES['myfile']['tmp_name'];
        if ($name)
        {
            // move the upload out of PHP's temp dir, then record its path in the flyers row
            $location = "../uploaded/$name";
            move_uploaded_file($tmp_name, $location);
            db_init();
            $query = mysql_query("update `flyers` set logo='$location' where `store_name`='$store_name'");
            echo $query;   // $query holds the return value of mysql_query()
        }
        else
        {
            die('Select file');
        }
    }
}
else
{
    header('Location: index.php');
    exit();
}
?>
<form action="enter_store_logo.php" method="post" enctype="multipart/form-data">
File: <input name="myfile" type="file">
<input type="submit" name="submit" value="Upload">
</form>

Re: Code problem

Posted: Wed Sep 02, 2009 3:03 am
by cpetercarter
You are going to have to give us some more help here. Which bit "doesn't work"? What exactly happens when you use your script to upload a file? Have you got error messaging switched on? If so, are you getting any error messages?

Re: Code problem

Posted: Wed Sep 02, 2009 8:28 am
by ludmil
I removed mysql_query, so now it is:

$query = "update `flyers` set logo='$location' where `store_name`='$store_name'";
echo $query;

and it's echoing me:
update `flyers` set logo='../uploaded/PriceChopper_logo.gif' where `store_name`=''
Seems it's not recognizing $store_name.

Re: Code problem

Posted: Wed Sep 02, 2009 12:04 pm
by ludmil
Anybody Help?

Re: Code problem

Posted: Wed Sep 02, 2009 12:28 pm
by peterjwest
You aren't printing the query in your code example. You're printing the result of the query. You would commonly write:
$query = "SELECT something FROM something_else";
$result = mysql_query($query);
echo $result;

If result is 1 that means your query was successful.

You should note that $store_name will not be set unless the URL of the script ends with ?store_name=something (this is where GET variables are set).

Re: Code problem

Posted: Wed Sep 02, 2009 12:58 pm
by ludmil
Thanks for the answer. I am passing variables through this code:

Code:

<a href="enter_store_logo.php?store_name='.$store_name.'"><b>Add Store Logo</b></a></td>
Yes, when I print the real query it is printing me 1, but no image is inserted in the database; because of that I put this example in the code.

Re: Code problem

Posted: Fri Sep 04, 2009 11:24 am
by peterjwest
Firstly, check the store name is getting input into the query by visiting the page at: enter_store_logo.php?store_name=example_store
The query should be: update `flyers` set logo='../uploaded/image_name.gif' where `store_name` = 'example_store';
You can also try inputting that query directly to check your database names/permissions are good.

Re: Code problem

Posted: Fri Sep 04, 2009 12:26 pm
by jackpf
Umm...mysql_error()??

Re: Code problem

Posted: Fri Sep 04, 2009 1:30 pm
by Mirge
jackpf wrote:Umm...mysql_error()??
+1... should always use it to check for errors.

Re: Code problem

Posted: Sat Sep 05, 2009 2:25 am
by stratbeans
Hi ludmil,
As your script reads, you are trying to place the image location in the database by passing $location (value: "../uploaded/$name") in the logo field.
Firstly, you should pass the full path to $location, then put it in the database.
Hope it will work for you.
As for your first problem, you can also use an input of type hidden instead of using an anchor, like:
<input type="hidden" name="store_name" value="<?php echo $store_name; ?>">
And the same you can access by $_POST['store_name'].
This one is good from a security point of view.
One more thing you should do for good code is handle the return value of the function bool move_uploaded_file ( string $filename , string $destination ).
You can use this link: http://es.php.net/manual/en/function.mo ... d-file.php

Re: Code problem

Posted: Sun Sep 06, 2009 4:43 am
by peterjwest
Depending on the context, store name may not need to be secure.

Re: Code problem

Posted: Sun Sep 06, 2009 5:50 am
by jackpf
It's user supplied, of course it will.

magic_quotes may be turned on, but that doesn't actually escape all data that could be used for SQL injection.

Re: Code problem

Posted: Mon Sep 07, 2009 9:07 am
by peterjwest
Firstly, I am not saying that the data should not be escaped. All data coming from $_POST or $_GET must be escaped, either for MySQL input or for HTML output, or occasionally both. Secondly $_POST and $_GET are not secure in any way; both can be faked and tampered with easily.

The question of which to use comes down to whether you want specific input values to be visible in the URL or accessible by hyperlink. This depends on the context of the website. For example there may be a list of hyperlinks to store pages, where each page displays a number of forms with various options.
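Pulling the thread's advice together (carry the store name across the POST, check the return value of move_uploaded_file, check for SQL errors instead of echoing the result handle, and never put raw $_GET/$_POST data into the query text), here is an added example of what a hardened version of the handler can look like. It is not code from the thread or from ludmil's application. It assumes the mysqli extension, a `flyers` table with `store_name` and `logo` columns, that `$_SESSION['user_info']['type'] === 3` marks an admin, an `uploaded` directory that the web server cannot serve directly, and placeholder database credentials; it stores the generated file name in `logo` rather than a relative path, so the serving code builds the path itself.

```php
<?php
// Added example, not the original poster's code. See the lead-in for assumptions.
session_start();

const UPLOAD_DIR = __DIR__ . '/../uploaded';   // assumed location, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;            // 2 MiB cap (assumption)
$allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Authorization check first, before any input is looked at.
if (($_SESSION['user_info']['type'] ?? null) !== 3) {
    header('Location: index.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The store name travels in a hidden field so it survives the POST; the
    // original form posted to the script without the ?store_name= part.
    $storeName = trim((string)($_POST['store_name'] ?? ''));
    if ($storeName === '' || strlen($storeName) > 100) {
        die('Missing or invalid store name');
    }

    // Check that an upload actually arrived before using $_FILES['myfile'].
    $file = $_FILES['myfile'] ?? null;
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
        die('Select a file (upload error ' . ($file['error'] ?? 'none') . ')');
    }
    if ($file['size'] > MAX_BYTES) {
        die('File too large');
    }

    // Trust the bytes, not the browser-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        die('Only PNG, JPEG or GIF images are accepted');
    }

    // Generate the file name server-side: the client name could contain
    // "../" or a .php extension.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target  = UPLOAD_DIR . '/' . $newName;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        die('Could not store the uploaded file');
    }

    // Prepared statement: the store name is bound as data, never spliced into SQL.
    $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');   // assumed credentials
    if ($db->connect_error) {
        unlink($target);
        die('DB connection failed: ' . $db->connect_error);
    }
    $stmt = $db->prepare('UPDATE `flyers` SET `logo` = ? WHERE `store_name` = ?');
    $stmt->bind_param('ss', $newName, $storeName);
    if (!$stmt->execute()) {
        unlink($target);
        die('Query failed: ' . $stmt->error);   // the error, not the result handle
    }
    if ($stmt->affected_rows === 0) {
        // A "successful" UPDATE that matched no row is the symptom from the thread.
        unlink($target);
        die('No flyer row for store "' . htmlspecialchars($storeName, ENT_QUOTES, 'UTF-8') . '"');
    }
    $stmt->close();
    $db->close();
    echo 'Logo stored for ' . htmlspecialchars($storeName, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET request: render the form. The store name from the link is HTML-escaped
// into a hidden field so the POST carries it back.
$storeName = htmlspecialchars((string)($_GET['store_name'] ?? ''), ENT_QUOTES, 'UTF-8');
?>
<form action="enter_store_logo.php" method="post" enctype="multipart/form-data">
  <input type="hidden" name="store_name" value="<?= $storeName ?>">
  File: <input name="myfile" type="file" accept="image/*">
  <input type="submit" name="submit" value="Upload">
</form>
```

The hidden field only solves the "store_name is empty on POST" problem; as peterjwest notes, it is no more trustworthy than the query string, which is why the value is still length-checked, bound as a parameter, and escaped on output. The affected_rows check turns the thread's silent "query returned 1 but nothing changed" into a visible error.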