Thanks for you reply.
I ran <? var_dump($_FILES, $_GET, $_POST) ?> and got the following:
array(0) { } array(1) { ["message"]=> string(34) "signals.doc uploaded successfully." } array(0) { }
I hope it is ok but I have pasted all the code so that you can see what I’m up to. Basically I’m trying to use the value of a specific file that is to be deleted from a folder in the root to be passed to DELETE FROM word WHERE wordName=%s so that I can have both the file in the (root) folder and the details in the database deleted simultaneously.
I can successfully delete the file from the root folder ok and as I say if I physically insert a value into =%s everything below works fine but I just can’t get my head around passing the value dynamically to the WHERE clause .
Much appreciate your help again
Regards
Brian
Code: Select all
<?PHP
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
$theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["upload"])) && ($_POST["upload"] == "form1")) {
if (!$nomessage && !$nomessage_name) {
$insertSQL = sprintf("INSERT INTO word (wordName, wordDetails) VALUES (%s, %s)",
GetSQLValueString($_FILES['userfile']['name'], "text"),
GetSQLValueString($_POST['wordDetails'], "text"));
mysql_select_db($database_johnston, $johnston);
$Result1 = mysql_query($insertSQL, $johnston) or die(mysql_error());
}
}
?>
<?php
$MAX_SIZE = 10000000;
//Allowable file ext. names. you may add more extension names.
$FILE_EXTS = array('.doc');
//,'.txt','.zip','.sit','.jpg','.jpeg','.png','.gif','.rtf','.rar'
//Allow file delete? no, if only allow upload only
$DELETABLE = true;
//Setup variables
$site_name = $_SERVER['HTTP_HOST'];
$url_dir = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_this = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$upload_dir = "files/";
$upload_url = $url_dir."/files/";
$message ="";
// Create Upload Directory
if (!is_dir("files")) {
if (!mkdir($upload_dir))
die ("upload_files directory doesn't exist and creation failed");
if (!chmod($upload_dir,0755))
die ("change permission to 755 failed.");
}
// Process User's Request
if ($_REQUEST[del] && $DELETABLE) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."DELETE - $_SERVER[REMOTE_ADDR]"."$_REQUEST[del]\n");
fclose($resource);
$signals = $_FILES['userfile']['name'];
//Delete details from database signals.doc
if ((isset($_GET['wordName'])) && ($_GET['wordName'] != "")) {
$deleteSQL = sprintf("DELETE FROM word WHERE wordName=%s",
GetSQLValueString($_GET['wordName'], "text"));
mysql_select_db($database_johnston, $johnston);
$Result1 = mysql_query($deleteSQL, $johnston) or die(mysql_error());
}
if (strpos($_REQUEST[del],"/.")>0); //possible hacking
else if (strpos($_REQUEST[del],"files/") === false); //possible hacking
else if (substr($_REQUEST[del],0,6)=="files/") {
unlink($_REQUEST[del]);
print "<script>window.location.href='$url_this?message=File deletion successful.'</script>";
}
}
else if ($_FILES['userfile']) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."UPLOAD - $_SERVER[REMOTE_ADDR]"
.$_FILES['userfile']['name']." "
.$_FILES['userfile']['type']."\n");
fclose($resource);
$file_type = $_FILES['userfile']['type'];
$file_name = $_FILES['userfile']['name'];
$file_ext = strtolower(substr($file_name,strrpos($file_name,".")));
//File Size Check
if ( $_FILES['userfile']['size'] > $MAX_SIZE)
$message = "The file size is over 2MB.";
//File Type/Extension Check
else if (!in_array($file_type, $FILE_MIMES)
&& !in_array($file_ext, $FILE_EXTS) )
$message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
else
$message = do_upload($upload_dir, $upload_url);
print "<script>window.location.href='$url_this?message=$message'</script>";
}
else if (!$_FILES['userfile']);
else
$message = "Invalid File Specified.";
// List Files
$handle=opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
if(!is_dir($file) && !is_link($file)) {
$filelist .= "<a href='$upload_dir$file'>".$file."</a>";
if ($DELETABLE)
$filelist .= " - <a href='?del=$upload_dir$file' title='delete'> Delete this file?</a>";
$filelist .= "<sub><small><small><font color=grey> ".date("d-m H:i", filemtime($upload_dir.$file))
."</font></small></small></sub>";
$filelist .="<br>";
}
}
function do_upload($upload_dir, $upload_url) {
$temp_name = $_FILES['userfile']['tmp_name'];
$file_name = $_FILES['userfile']['name'];
$file_name = str_replace("\\","",$file_name);
$file_name = str_replace("'","",$file_name);
$file_path = $upload_dir.$file_name;
//File Name Check
if ( $file_name =="") {
$message = "Invalid File Name Specified";
return $message;
}
$result = move_uploaded_file($temp_name, $file_path);
if (!chmod($file_path,0755))
$message = "change permission to 755 failed.";
else
$message = ($result)?"$file_name uploaded successfully." :
"Somthing is wrong with uploading a file.";
return $message;
}
?>
<center>
<?=$_REQUEST[message]?>
<br>
<form name="upload" id="upload" ENCTYPE="multipart/form-data" method="post"action="<?php echo $editFormAction; ?>">
Your Uploaded Files so far are:
<?=$filelist?>
Upload Word file: <input type="file" id="userfile" name="userfile">
Programme Note title: <?php if (isset($nomessage_name) && !empty($nomessage_name)) {
echo $nomessage_name; } else {
} ?>
<td><input type="text" name="wordDetails" id ="wordDetails"value="" size="32">
<input type="submit" name="upload" value="Insert record"></td>
<input type="hidden" name="upload" value="form1">
</form>
<? var_dump($_FILES, $_GET, $_POST) ?>
</center>