Image upload failing - anyone see why?
Posted: Fri May 06, 2016 10:40 am
by simonmlewis
I've done this so many times, but for some reason it's not seeing $photo.
I've tried various scripts, but it seems not to let me upload anything at all.
Code:
// ADD AVATAR
if ($update == "addavatar") {
    $photo = isset($_FILES['photo']) ? $_FILES['photo'] : null;
    $sizechange=filesize($_FILES['photo']['tmp_name']);
    if ($sizechange > 400000)
    {
        $photo = NULL;
        echo " <script>
        window.location.replace('/profile=status=error')
        </script>";
    }
    else
    {
        $target = $_SERVER['DOCUMENT_ROOT']."/images/avatars/";
        $random = (rand()%99999999);
        $pic=($_FILES['photo']['name']);
        $pic = str_replace(' ', '-', $pic);
        $newname="$random"."$pic";
        $target = $target . $newname;
        mysql_query("UPDATE admin SET avatar = '$newname' WHERE id = '$userid'");
        //Writes the photo to the server
        if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
        {
            echo " <script>
            window.location.replace('/profile')
            </script>";
        }
    }
}
echo "<form method='POST' action='/profile' enctype='multipart/form-data' name='photo'>
<input type='hidden' name='update' value='addavatar'>
Upload a new Avatar:<Br/>
<input type='file' name='photo'><br/>
<input type='submit' value='Upload' class='submit_generic'>
</form>";
Re: Image upload failing - anyone see why?
Posted: Fri May 06, 2016 6:04 pm
by requinix
Well, $photo isn't actually being used anywhere, so there's that...
What do you mean "not seeing $photo"?
And are you aware your script has two huge vulnerabilities: not only are you open to SQL injection, but someone could upload PHP scripts to your site - possibly overwriting other PHP files.
Re: Image upload failing - anyone see why?
Posted: Sat May 07, 2016 3:38 pm
by simonmlewis
I was taking it back to basics to see why it wasn't working.
This is the one I am intending to use, which only allows certain files.
But the same problem remains. On the live version, we'd use PDO for the INSERT.
Code:
if ($update == "addavatar") {
    $avatar=$_POST['avatar'];
    error_reporting(0);
    $change="";
    $abc="";
    define ("MAX_SIZE","400");
    function getExtension($str) {
        $i = strrpos($str,".");
        if (!$i) { return ""; }
        $l = strlen($str) - $i;
        $ext = substr($str,$i+1,$l);
        return $ext;
    }
    $errors=0;
    if($_SERVER["REQUEST_METHOD"] == "POST")
    {
        $image =$_FILES["avatar"]["name"];
        $uploadedfile = $_FILES['avatar']['tmp_name'];
        if ($image)
        {
            $filename = stripslashes($_FILES['avatar']['name']);
            $extension = getExtension($_FILES['avatar']['name']);
            $extension = strtolower($extension);
            if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif"))
            {
                $change='<div class="msgdiv">Unknown Image extension </div> ';
                $errors=1;
            }
            else
            {
                $size=filesize($_FILES['avatar']['tmp_name']);
                if ($size > MAX_SIZE*1024)
                {
                    $change='<div class="msgdiv">You have exceeded the size limit!</div> ';
                    $errors=1;
                }
                if($extension=="jpg" || $extension=="jpeg" )
                {
                    $uploadedfile = $_FILES['avatar']['tmp_name'];
                    $src = imagecreatefromjpeg($uploadedfile);
                }
                else if($extension=="png")
                {
                    $uploadedfile = $_FILES['avatar']['tmp_name'];
                    $src = imagecreatefrompng($uploadedfile);
                }
                else
                {
                    $src = imagecreatefromgif($uploadedfile);
                }
                echo $scr;
                list($width,$height)=getimagesize($uploadedfile);
                $tmp=imagecreatetruecolor($width,$height);
                $newwidth=550;
                $newheight=($height/$width)*$newwidth1;
                $tmp=imagecreatetruecolor($newwidth1,$newheight1);
                imagecopyresampled($tmp,$src,0,0,0,0,$width,$height,$width,$height);
                $pic=($_FILES['avatar']['name']);
                srand(time());
                $random = (rand()%99999999);
                $newname="$random"."$pic";
                $filename = "images/avatars/". $newname;
                imagejpeg($tmp,$filename,100);
                imagedestroy($src);
                imagedestroy($tmp);
            }
        }
    }
    $result = mysql_query ("SELECT avatar FROM admin WHERE id = '$userid'");
    while ($row = mysql_fetch_object($result))
    {
        mysql_query("UPDATE admin SET avatar = '$newname' where id = '$userid'");
    }
    //Writes the photo to the server
    if(move_uploaded_file($_FILES['avatar']['tmp_name'], $target))
    {
        echo "<div class='admincompletedbox' style='margin-top: 5px'>
        <b>Primary photo has been added.</b></div>";
    }
}
Re: Image upload failing - anyone see why?
Posted: Sat May 07, 2016 3:42 pm
by simonmlewis
What seems to be happening is that $newname never has anything in it. The file doesn't seem to be being processed at all.
Yet on another page I used for replacing images for a product, it works.
This is the same code! Just different variable names. Very odd.
Re: Image upload failing - anyone see why?
Posted: Sat May 07, 2016 4:10 pm
by Celauran
If you've got code that's not working and you can't figure out why,
that's not doing you any favours.
Re: Image upload failing - anyone see why?
Posted: Sat May 07, 2016 4:19 pm
by simonmlewis
Notice: Undefined index: avatar in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 43
Notice: Undefined index: avatar in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 44
Notice: Undefined variable: newname in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 124
Notice: Undefined index: avatar in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 127
Notice: Undefined variable: target in C:\xampp\phpMyAdmin\site-custom\includes\profile.inc on line 127
I now see this, but it's the same code that we use elsewhere that works.
It's as though this form isn't posting the info!
Re: Image upload failing - anyone see why?
Posted: Sat May 07, 2016 4:27 pm
by Celauran
The snippet above contains no form and I can't rely on line numbers because there are fewer lines in the above snippet than the line numbers causing the errors.
That said, $newname is only defined inside your
Code:
if($_SERVER["REQUEST_METHOD"] == "POST")
block, but you then reference it outside the block here
Code:
mysql_query("UPDATE admin SET avatar = '$newname' where id = '$userid'");
Exact same situation for $target.
Re: Image upload failing - anyone see why?
Posted: Sat May 07, 2016 4:29 pm
by Celauran
Also, and unrelatedly, this
Code:
function getExtension($str) {
    $i = strrpos($str,".");
    if (!$i) { return ""; }
    $l = strlen($str) - $i;
    $ext = substr($str,$i+1,$l);
    return $ext;
}
is built into the language. See
http://php.net/manual/en/function.pathinfo.php
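
The two problems requinix raises earlier in the thread (SQL injection, and uploads that can land as PHP files or overwrite existing ones) can both be closed in one handler. The following is an added example, not code from any poster in the thread; store_avatar(), $pdo, $userId and $dir are assumed names, and it takes the extension from the detected file type rather than from the client-supplied name, so neither getExtension() nor pathinfo() is involved.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's code. store_avatar(), $pdo, $userId and $dir are assumed names.

const MAX_BYTES = 400 * 1024;               // same 400 KB limit as the thread
const ALLOWED = [                           // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_avatar(array $file, PDO $pdo, int $userId, string $dir): string
{
    // A missing or failed upload must stop processing here, before any file or DB work.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file, or larger than 400 KB');
    }

    // Decide the type from the file contents, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are accepted');
    }

    // Server-generated name: no user text reaches the path, so no ".php" suffix,
    // no "../" traversal and no overwriting of an existing file.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $newName)) {
        throw new RuntimeException('Could not store the file');
    }

    // Prepared statement: values are bound, not interpolated into the SQL text.
    $stmt = $pdo->prepare('UPDATE admin SET avatar = :avatar WHERE id = :id');
    $stmt->execute([':avatar' => $newName, ':id' => $userId]);
    return $newName;
}

// Usage inside the form handler (field name 'avatar' as in the second snippet):
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
//     $name = store_avatar($_FILES['avatar'], $pdo, (int) $userid, __DIR__ . '/images/avatars');
// }
```

Configuring the web server so that nothing under images/avatars/ is executed as a script adds a second layer if a bad file ever gets through.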