Page 1 of 1

Image upload failing - anyone see why?

Posted: Fri May 06, 2016 10:40 am
by simonmlewis
I've done this so many times, but for some reason it's not seeing $photo.
I've tried various scripts, but it seems not to let me upload anything at all.

Code: Select all

// ADD AVATAR
  if ($update == "addavatar") {
$photo = isset($_FILES['photo']) ? $_FILES['photo'] : null;
$sizechange=filesize($_FILES['photo']['tmp_name']);
if ($sizechange > 400000)
{
	$photo = NULL;
	     echo " <script>
  window.location.replace('/profile=status=error')
  </script>";
}
else
{
    $target = $_SERVER['DOCUMENT_ROOT']."/images/avatars/";
    
  $random = (rand()%99999999);
  $pic=($_FILES['photo']['name']);
  $pic = str_replace(' ', '-', $pic);
  $newname="$random"."$pic";
  $target = $target . $newname;

    mysql_query("UPDATE admin SET avatar = '$newname' WHERE id = '$userid'");
  //Writes the photo to the server
  if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
    {
     echo " <script>
  window.location.replace('/profile')
  </script>";
    }    
    }
}	


echo "<form method='POST' action='/profile' enctype='multipart/form-data' name='photo'>
<input type='hidden' name='update' value='addavatar'>
Upload a new Avatar:<Br/>
<input type='file' name='photo'><br/>
<input type='submit' value='Upload' class='submit_generic'>
</form>";

Re: Image upload failing - anyone see why?

Posted: Fri May 06, 2016 6:04 pm
by requinix
Well, $photo isn't actually being used anywhere, so there's that...

What do you mean "not seeing $photo"?

And are you aware your script has two huge vulnerabilities: not only are you open to SQL injection, but someone could upload PHP scripts to your site - possibly overwriting other PHP files.

Re: Image upload failing - anyone see why?

Posted: Sat May 07, 2016 3:38 pm
by simonmlewis
I was taking it back to basics to see why it wasn't working.

This is the one I am intending to use, which only allows certain files.

But the same problems remains. On the live version, we'd use PDO for the INSERT.

Code: Select all

if ($update == "addavatar") {
$avatar=$_POST['avatar'];
error_reporting(0);
$change="";
$abc="";

 define ("MAX_SIZE","400");
 function getExtension($str) {
         $i = strrpos($str,".");
         if (!$i) { return ""; }
         $l = strlen($str) - $i;
         $ext = substr($str,$i+1,$l);
         return $ext;
 }

 $errors=0;
  
 if($_SERVER["REQUEST_METHOD"] == "POST")
 {
 	$image =$_FILES["avatar"]["name"];
	$uploadedfile = $_FILES['avatar']['tmp_name'];    
 
 	if ($image) 
 	{
 	
 		$filename = stripslashes($_FILES['avatar']['name']);
 	
  		$extension = getExtension($_FILES['avatar']['name']);
 		$extension = strtolower($extension);
		
		
 if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif")) 
 		{
		
 			$change='<div class="msgdiv">Unknown Image extension </div> ';
 			$errors=1;
 		}
 		else
 		{

 $size=filesize($_FILES['avatar']['tmp_name']);


if ($size > MAX_SIZE*1024)
{
	$change='<div class="msgdiv">You have exceeded the size limit!</div> ';
	$errors=1;
}


if($extension=="jpg" || $extension=="jpeg" )
{
$uploadedfile = $_FILES['avatar']['tmp_name'];
$src = imagecreatefromjpeg($uploadedfile);

}
else if($extension=="png")
{
$uploadedfile = $_FILES['avatar']['tmp_name'];
$src = imagecreatefrompng($uploadedfile);

}
else 
{
$src = imagecreatefromgif($uploadedfile);
}

echo $scr;

list($width,$height)=getimagesize($uploadedfile);

$tmp=imagecreatetruecolor($width,$height);

$newwidth=550;
$newheight=($height/$width)*$newwidth1;
$tmp=imagecreatetruecolor($newwidth1,$newheight1);

imagecopyresampled($tmp,$src,0,0,0,0,$width,$height,$width,$height);

$pic=($_FILES['avatar']['name']);
srand(time());
$random = (rand()%99999999);
$newname="$random"."$pic";

$filename = "images/avatars/". $newname;

imagejpeg($tmp,$filename,100);

imagedestroy($src);
imagedestroy($tmp);
}}
}

$result = mysql_query ("SELECT avatar FROM admin WHERE id = '$userid'");
while ($row = mysql_fetch_object($result))
{
  mysql_query("UPDATE admin SET avatar = '$newname' where id = '$userid'");
}
//Writes the photo to the server
if(move_uploaded_file($_FILES['avatar']['tmp_name'], $target))
{
  echo "<div class='admincompletedbox' style='margin-top: 5px'>
		<b>Primary photo has been added.</b></div>";
}
}

Re: Image upload failing - anyone see why?

Posted: Sat May 07, 2016 3:42 pm
by simonmlewis
What seems to be happening is that $newname never has anything in it. The file doesn't seem to be being processed at all.
Yet on another page I used for replacing images for a product, it works.
This is the same code! Just different variable names. Very odd.

Re: Image upload failing - anyone see why?

Posted: Sat May 07, 2016 4:10 pm
by Celauran
If you've got code that's not working and you can't figure out why,

Code: Select all

 error_reporting(0);
that's not doing you any favours.

Re: Image upload failing - anyone see why?

Posted: Sat May 07, 2016 4:19 pm
by simonmlewis
Notice: Undefined index: avatar in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 43

Notice: Undefined index: avatar in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 44

Notice: Undefined variable: newname in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 124

Notice: Undefined index: avatar in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 127

Notice: Undefined variable: target in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 127

I now see this, but it's the same code that we use elsewhere that works.
It's as though this form isn't posting the info!

Re: Image upload failing - anyone see why?

Posted: Sat May 07, 2016 4:27 pm
by Celauran
The snippet above contains no form and I can't rely on line numbers because there are fewer lines in the above snippet than the line numbers causing the errors.

That said, $newname is only defined inside your

Code: Select all

if($_SERVER["REQUEST_METHOD"] == "POST")
block, but you then reference it outside the block here

Code: Select all

mysql_query("UPDATE admin SET avatar = '$newname' where id = '$userid'");
Exact same situation for $target.

Re: Image upload failing - anyone see why?

Posted: Sat May 07, 2016 4:29 pm
by Celauran
Also, and unrelatedly,this

Code: Select all

function getExtension($str) {
    $i = strrpos($str,".");
    if (!$i) { return ""; }
    $l = strlen($str) - $i;
    $ext = substr($str,$i+1,$l);
    return $ext;
}
is built into the language. See http://php.net/manual/en/function.pathinfo.php