File upload with validation issue


Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

File upload with validation issue

Post by Dave9666 »

I'm using the following to upload a single image file. The form works to limit the size of the file (if the file is over 500k it won't be uploaded). However, my error handling doesn't seem to be working correctly. I've left out the code that's not associated with the image upload below for the most part.

Anyone have any ideas?

Code:

<script language=javascript>
// isCurrency, isBlank, isValidFile and isEmail are helper functions defined
// elsewhere on the page (left out of the post, like the rest of the form).
extArray = new Array(".jpg", ".jpeg", ".gif");  //".png", , ".gif"
function callSave()
{
    if(!isCurrency(document.frmlisting.txtlistingprice.value)){
        alert("Price: Incorrect data");
        document.frmlisting.txtlistingprice.select();
        return;
    }
    if(isBlank(document.frmlisting.txtlistingtitle.value)){
        alert("Title is Required");
        document.frmlisting.txtlistingtitle.focus();
        return;
    }
    if(!isBlank(document.frmlisting.txtlistingimage.value)){
        if(!isValidFile(document.frmlisting.txtlistingimage.value)){
            alert("Selected file is not a valid image type. \nPlease select "+ (extArray.join("  ").toUpperCase())+ " files. ");
            document.frmlisting.txtlistingimage.select();
            return;
        }
    }
    if(isBlank(document.frmlisting.txtlistingemail.value)){
        alert("Email is Required");
        document.frmlisting.txtlistingemail.select();
        return;
    }
    if(!isEmail(document.frmlisting.txtlistingemail.value)){
        alert("Email: Incorrect data");
        document.frmlisting.txtlistingemail.select();
        return;
    }

    document.frmlisting.action="listingsubmit.php";
    document.frmlisting.submit();
}
</script>
<FORM name="frmlisting" method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="500000">
<Input type="file" name="txtlistingimage" style="WIDTH: 275px; HEIGHT: 20px" size="39" maxlength="100">
<!-- the values below are echoed into attributes without htmlspecialchars() -->
<Input type=hidden name="mode" value="<?=$mode?>">
<input type=hidden name="l_id" value="<?=$l_id?>">
<input type=hidden name="c_id" value="<?=$c_id?>">
<input type=hidden name="cboCity" value="<?=$intcityid?>">
<input type=hidden name="txtpreviousimage" value="<?=$listingimage?>">
<input type=hidden name="txtfrmpg" value='<?=$frmpg?>'>
<input type="button" class="btn_text" value="Preview" onclick="javascript:callSave();" style="border:solid-1px; color: #333333 ">
The processor "listingsubmit.php"

Code:

<?
include("connection.php");
$c_id = $_POST['c_id'];
$city  = $_POST['cboCity'];
$l_id = $_POST['l_id'];
$listing_title  = $_POST['txtlistingtitle'];
$listing_location  = $_POST['txtlistinglocation'];

if(isset($_POST['txtlistingprice'])){
    $listing_price  = $_POST['txtlistingprice'];
}else{
    $listing_price = 0;
}
$listing_text  = $_POST['txtlistingtext'];
$listing_address  = $_POST['txtlistingaddress'];
$listing_city  = $_POST['txtlistingcity'];
$listing_email  = $_POST['txtlistingemail'];
$listing_emailoption  = $_POST['rademailoption'];
$listing_contactinfo  = $_POST['txtlistingcontactinfo'];
$listing_date  = $_POST['txtlistingdate'];
$listing_show  = "N";
$listing_buysell  = $_POST['radfor'];
$listing_premier  = $_POST['chkpremier'];
if($listing_premier == "on"){
    $listing_premier = "Y";
}else{
    $listing_premier = "N";
}
$listing_date = date("Y-m-d"); // overrides the posted txtlistingdate value above

if(isset($_GET['mode'])){
    $mode = $_GET['mode'];
}
if(isset($_POST['mode'])){
    $mode = $_POST['mode'];
}

$frmpg = $_POST['txtfrmpg']; // form vars
$dirupload = "images/listing/"; // path to the image directory

switch ($mode){  // defined on the form and above: Add or Edit
case "Add":
        // NOTE: the file is copied into the image directory here, before any
        // of the size/type checks below have run. getfilename() is defined
        // elsewhere and derives the target name from the client-supplied name.
        if($_FILES['txtlistingimage']['name'] == ""){
            $listing_image = "";
        }else{
            $listing_image = getfilename($_FILES['txtlistingimage']['name'],1);
            copy($_FILES['txtlistingimage']['tmp_name'], $dirupload.$listing_image)
                or $MsgId = 2;
        }

        //-- GET SIZE OF UPLOADED IMAGE
        var_dump($_FILES);
        $file = $_FILES['txtlistingimage']; // file from form
        $max_size = 500000; // roughly 500K
        if(filesize($file['tmp_name']) > $max_size)
            die('File size is too great.');

        //$img_info = getimagesize($file['tmp_name']);

        $img_info = getimagesize($_FILES['txtlistingimage']['tmp_name']);
        if(($img_info[0] > 600) || ($img_info[1] > 600))
            die('Image dimensions are greater than 600px x 600px.');

        // Second copy of the same temp file, this time under the client's own
        // filename ($file['name']) with no extension check at all.
        if(is_uploaded_file($file['tmp_name'])){
            if(move_uploaded_file($file['tmp_name'], $dirupload.$file['name'])){
                echo 'w00t!  The file was uploaded and is in '.$dirupload;
            }
        } else {
            echo 'No file uploaded to be moved.';
        }

        // Posted values are concatenated straight into the SQL string (no escaping).
        $strInsert = "Insert into listing_master(city_id,category_id,listing_title,listing_location,listing_price,listing_text,listing_address,listing_city,listing_image,listing_email,listing_email_option,listing_contact_information,listing_date,listing_show,listing_buysell,listing_premier) values (";
        if($listing_date == ""){
            $strInsert = $strInsert . "$city,$c_id,'$listing_title','$listing_location',$listing_price,'$listing_text','$listing_address','$listing_city','$listing_image','$listing_email','$listing_emailoption','$listing_contactinfo',NULL,'$listing_show','$listing_buysell','$listing_premier')";
        }else{
            $strInsert = $strInsert . "$city,$c_id,'$listing_title','$listing_location',$listing_price,'$listing_text','$listing_address','$listing_city','$listing_image','$listing_email','$listing_emailoption','$listing_contactinfo','$listing_date','$listing_show','$listing_buysell','$listing_premier')";
        }
        $MsgId = 1;
        if(!($dbResult = mysql_query($strInsert, $dbLink)))
        {
            $success = "false";
            $MsgId = 2;
        }

//        $ssql = "SELECT max(listing_id) as listing_id FROM listing_master";
//        $dbResultid = mysql_query($ssql,$dbLink);
//        $rowlistid = mysql_fetch_array($dbResultid, MYSQL_ASSOC);
//        $listingid = $rowlistid['listing_id'];
        $listingid = mysql_insert_id();
        header("Location:listingpreview.php?l_id=$listingid&cityid=".$city."&c_id=$c_id&catid=$c_id&msgid=".$MsgId);
        return;
        break;

//Begin Edit

case "Edit":
        if($_FILES['txtlistingimage']['name'] != ""){
            // txtpreviousimage is a hidden form field, so the name unlinked
            // here is whatever the client posted.
            if ($_POST['txtpreviousimage'] != ""){
                if(file_exists(realpath($dirupload.$_POST['txtpreviousimage']))){
                    unlink(realpath($dirupload.$_POST['txtpreviousimage']));
                }
            }
            $listing_image = getfilename($_FILES['txtlistingimage']['name'],1);
            copy($_FILES['txtlistingimage']['tmp_name'], $dirupload.$listing_image)
                or $MsgId = 2;
        }else{
            if ($_POST['txtpreviousimage'] != ""){
                $listing_image = $_POST['txtpreviousimage'];
            }else{
                $listing_image = "";
            }
        }
        // As in the Add branch, values go into the SQL string unescaped.
        $strEdit = "Update listing_master Set ";
        $strEdit = $strEdit . "city_id  = " . $city . ",";
        $strEdit = $strEdit . "category_id  = " . $c_id . ",";
        $strEdit = $strEdit . "listing_title  = '" . $listing_title . "',";
        $strEdit = $strEdit . "listing_location  = '" . $listing_location . "',";
        $strEdit = $strEdit . "listing_price = ". $listing_price .",";
        $strEdit = $strEdit . "listing_text  = '" . $listing_text . "',";
        $strEdit = $strEdit . "listing_address  = '" . $listing_address . "',";
        $strEdit = $strEdit . "listing_city  = '" . $listing_city . "',";
        $strEdit = $strEdit . "listing_image  = '" . $listing_image . "',";
        $strEdit = $strEdit . "listing_email  = '" . $listing_email . "',";
        $strEdit = $strEdit . "listing_email_option  = '" . $listing_emailoption . "',";
        $strEdit = $strEdit . "listing_contact_information  = '" . $listing_contactinfo . "',";
        if($listing_date == ""){
            $strEdit = $strEdit . "listing_date = NULL,";
        }else{
            $strEdit = $strEdit . "listing_date  = '" . $listing_date . "',";
        }
        $strEdit = $strEdit . "listing_show  = '" . $listing_show . "',";
        $strEdit = $strEdit . "listing_buysell  = '" . $listing_buysell . "',";
        $strEdit = $strEdit . "listing_premier  = '" . $listing_premier . "'";
        $strEdit = $strEdit . " where listing_id = ". $_POST['l_id'];
//echo $strEdit;
//return;
        $MsgId = 1;
        if(!($dbResult = mysql_query($strEdit, $dbLink)))
        {
            $success = "false";
            $MsgId = 2;
        }
//      header("Location:listing_list.php?cityid=".$city."&c_id=$c_id&msgid=".$MsgId);
        if($frmpg == ""){
            header("Location:listingpreview.php?l_id=$l_id&cityid=".$city."&c_id=$c_id&catid=$c_id&msgid=".$MsgId);
        }else{
            header("Location:listing_publish.php?l_id=$l_id&cityid=".$city."&c_id=$c_id&catid=$c_id");
        }
        return;
        break;

//Begin Delete

case "Delete":
        // (the Delete branch was not included in the post)
        break;
}
?>
Last edited by Dave9666 on Sat Mar 18, 2006 7:29 pm, edited 14 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Code:

$_FILES['$listingimage']['size'][$i]

→

Code:

$_FILES['txtlistingimage']['size']
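
feyd's pointer to $_FILES['txtlistingimage']['size'] is the right direction, and it is worth seeing the whole upload step written so that every check runs on the temp file before anything is written under images/listing/. In the original post the Add branch copies the file into the image directory first, then runs the size and dimension checks, then moves the same temp file a second time under the client's own filename. The handler below is an added example, not code from the thread, of how that step can be done instead. It assumes PHP 7 or newer, keeps the field name txtlistingimage, the directory images/listing/ and the 500000-byte and 600px limits from the post; $dbLink is assumed to be a mysqli connection and the INSERT uses a reduced column list.

```php
<?php
// Added example (not the poster's code). Validates the temp file BEFORE it is
// copied anywhere, never uses the client-supplied filename, and does not rely
// on the hidden MAX_FILE_SIZE field or the JavaScript extension check.
// Assumptions: PHP >= 7; field/directory names and limits are from the thread.

// Types we accept, keyed by the constant getimagesize() reports, mapped to the
// extension we will write. The client's own extension is never consulted.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];
const MAX_UPLOAD_BYTES = 500000;   // the limit the form advertises
const MAX_DIMENSION    = 600;      // px, from the poster's check

/**
 * Validate one entry of $_FILES and store it under a random name.
 * Returns the stored basename, or throws RuntimeException with a
 * message that is safe to show to the user.
 */
function store_listing_image(array $upload, string $dirupload): string
{
    // 1. Did the upload itself succeed? UPLOAD_ERR_INI_SIZE and
    //    UPLOAD_ERR_FORM_SIZE cover files PHP already rejected for size;
    //    the hidden MAX_FILE_SIZE field is only advisory to the browser.
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code '
            . ($upload['error'] ?? 'none') . ').');
    }
    // 2. Only operate on a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // 3. Size from PHP's own bookkeeping, not from anything the client sent.
    if ($upload['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size is too great.');
    }
    // 4. Inspect the bytes while the file is still in the temp directory.
    //    The extension and the browser-supplied MIME type are ignored.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('Selected file is not a valid image type.');
    }
    if ($info[0] > MAX_DIMENSION || $info[1] > MAX_DIMENSION) {
        throw new RuntimeException('Image dimensions are greater than 600px x 600px.');
    }
    // 5. Choose the name ourselves: a random token plus the extension that
    //    matches the detected type. A client name such as "../x.php" never
    //    reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
    $dest = rtrim($dirupload, '/') . '/' . $name;
    // 6. move_uploaded_file() refuses anything that is not a genuine upload
    //    and is the only copy operation in the whole flow.
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the image.');
    }
    chmod($dest, 0644);
    return $name;
}

// Usage in listingsubmit.php (field name from the form in the thread).
$dirupload = 'images/listing/';
$listing_image = '';
if (isset($_FILES['txtlistingimage'])
    && $_FILES['txtlistingimage']['error'] !== UPLOAD_ERR_NO_FILE) {
    try {
        $listing_image = store_listing_image($_FILES['txtlistingimage'], $dirupload);
    } catch (RuntimeException $e) {
        die(htmlspecialchars($e->getMessage()));
    }
}

// The stored name goes to the database through a prepared statement, so the
// user-controlled title and the filename are never spliced into SQL text.
// $dbLink is assumed to be a mysqli connection; this is a reduced column list.
$stmt = $dbLink->prepare(
    'INSERT INTO listing_master (listing_title, listing_image) VALUES (?, ?)'
);
$stmt->bind_param('ss', $_POST['txtlistingtitle'], $listing_image);
$stmt->execute();
```

Two points worth keeping in mind alongside this. The JavaScript extension check and the hidden MAX_FILE_SIZE field run in the browser and are dropped by anyone who submits the form by hand, so they are usability features rather than validation. And since getimagesize() only reads the image header, the images/listing/ directory should also be configured so the web server never executes scripts stored there, whatever they are named.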
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

feyd wrote:

Code:

$_FILES['$listingimage']['size'][$i]

→

Code:

$_FILES['txtlistingimage']['size']

Thanks feyd - nice catch.

Unfortunately it didn't work - I still must be missing something here.
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

Am I correct in assuming the PHP image validation has to occur after an image has been uploaded to the server, in the temp image folder?

Also, found a few mistakes which I've fixed in the above posted code.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Yes, the file must be on the server, readable by PHP, so it can determine the image type by interrogating the binary data.
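
To make feyd's answer concrete: getimagesize() identifies the type from the first bytes of the file, so the name and extension play no part, and it stops reading once it has the header, so it never looks at what follows. Both properties matter for an upload check. The script below is an added example (not from the thread) that demonstrates them on a constructed 1x1 GIF written to a temp file, and shows one way to discard trailing bytes by re-encoding the image through GD. It assumes PHP 7 or newer; the re-encoding step needs the GD extension and is skipped if it is absent.

```php
<?php
// Added example (not from the thread): what getimagesize() actually looks at.
// Requires PHP >= 7; the re-encoding step assumes the GD extension.

// A constructed 1x1 GIF89a (the standard 43-byte minimal GIF).
function minimal_gif(): string
{
    return "GIF89a"
        . "\x01\x00\x01\x00"                         // logical screen 1x1
        . "\x80\x00\x00"                             // global colour table, 2 entries
        . "\x00\x00\x00\xff\xff\xff"                 // black, white
        . "\x21\xf9\x04\x01\x00\x00\x00\x00"         // graphic control extension
        . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" // image descriptor, 1x1 at 0,0
        . "\x02\x02\x44\x01\x00"                     // LZW min code size 2, one data block
        . "\x3b";                                    // trailer
}

// Write bytes to a temp file with the given suffix and run getimagesize() on it.
// Returns [width, height, IMAGETYPE_* constant] or [0, 0, null] if rejected.
function probe_bytes(string $bytes, string $suffix): array
{
    $base = tempnam(sys_get_temp_dir(), 'probe');
    $path = $base . $suffix;
    file_put_contents($path, $bytes);
    $info = @getimagesize($path);
    unlink($path);
    unlink($base);
    return $info === false ? [0, 0, null] : [$info[0], $info[1], $info[2]];
}

// Re-encode through GD: only pixel data survives, whatever followed the
// trailer in the input is not carried over to the output.
function reencode_gif(string $bytes): string
{
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        throw new RuntimeException('not a decodable image');
    }
    ob_start();
    imagegif($im);          // no filename: write to the output buffer
    imagedestroy($im);
    return ob_get_clean();
}

function check(bool $cond, string $label): void
{
    echo ($cond ? 'PASS ' : 'FAIL '), $label, "\n";
}

$gif     = minimal_gif();
$trailer = $gif . "<?php echo 'appended'; ?>";   // constructed: text after the GIF trailer

// 1. Extension does not matter: the same bytes named .txt are still a GIF.
check(probe_bytes($gif, '.txt')[2] === IMAGETYPE_GIF, 'extension is ignored');

// 2. Trailing data does not matter either: the check cannot tell a plain
//    image from an image with extra content after the trailer.
check(probe_bytes($trailer, '.gif')[2] === IMAGETYPE_GIF, 'trailing bytes are not examined');

// 3. Non-image bytes are rejected regardless of the name they carry.
check(probe_bytes("not an image at all", '.gif')[2] === null, 'garbage is rejected');

// 4. Re-encoding strips the trailing bytes while keeping a valid image.
if (function_exists('imagecreatefromstring')) {
    $clean = reencode_gif($trailer);
    check(strpos($clean, 'appended') === false, 're-encoded copy has no trailing data');
    check(probe_bytes($clean, '.gif')[2] === IMAGETYPE_GIF, 're-encoded copy is still a GIF');
} else {
    echo "SKIP re-encoding (GD not available)\n";
}
```

The practical consequence for the thread's code is that getimagesize() is a good way to reject non-images, but on its own it says nothing about what else the file contains; pairing it with a server-chosen filename and extension, and storing the re-encoded copy rather than the original bytes, closes that gap.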
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

Thanks. I'm pretty stumped then. The way it's written now (in the original post) it should be working.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

hint: look at $file
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

feyd wrote: hint: look at $file

You mean this line

Code:

$file = $_FILES['$frmpg']; // file from form

to

Code:

$file = $_FILES['$listing_image']; // file from form
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia
Contact:

Post by shiznatix »

No, I am certain he meant for you to do

Code:

$file = $_FILES[$frmpg]; // file from form

Let's take a quick look at why:

Code:

$frmpg = 'PageIt!';
echo $frmpg;   // PageIt!
echo '$frmpg'; // $frmpg
echo "$frmpg"; // PageIt!

See the difference between putting a variable without any quotes or in double quotes compared to single quotes? Putting it in double quotes is essentially the same as without quotes at all, but some people still put it in double for whatever reason.
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

Doesn't seem to make a difference - it's coded now as

Code:

$file = $_FILES['$frmpg']; // file from form

and it's still not validating
Last edited by Dave9666 on Tue Mar 14, 2006 5:33 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

*sigh*

Code:

$file = $_FILES['txtlistingimage'];
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

feyd wrote: *sigh*

Code:

$file = $_FILES['txtlistingimage'];

I tried that already - no go
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

The entire 'mode' ADD script is in the original post now
Last edited by Dave9666 on Wed Mar 15, 2006 3:56 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

var_dump($_FILES) does it even exist?
Dave9666
Forum Newbie
Posts: 16
Joined: Sun Mar 12, 2006 9:56 pm

Post by Dave9666 »

feyd wrote: var_dump($_FILES) does it even exist?

Code:

$frmpg = $HTTP_POST_VARS['txtfrmpg'];