Page 1 of 2

File upload with validation issue

Posted: Sun Mar 12, 2006 9:57 pm
by Dave9666
Im using the following to upload a single image file. The form works to limit the size of the file (If the file is over 500k it won't be uploaded). However - my error handling doesn't seem to be working correctly. I've left out the code thats not associated with the image upload below for the most part.

Anyone have any ideas?

Code: Select all

<script language=javascript>
extArray = new Array(".jpg", ".jpeg",".gif");  //".png", , ".gif"
function callSave()
{
    if(!isCurrency(document.frmlisting.txtlistingprice.value)){
        alert("Price: Incorrect data");
        document.frmlisting.txtlistingprice.select();
		return;
    }
	if(isBlank(document.frmlisting.txtlistingtitle.value)){
    	alert("Title is Required");
        document.frmlisting.txtlistingtitle.focus();
    	return;
    }
	if(!isBlank(document.frmlisting.txtlistingimage.value)){
	    if(!isValidFile(document.frmlisting.txtlistingimage.value)){
	        alert("Selected file is not a vaild image type. \nPlease select "+ (extArray.join("  ").toUpperCase())+ " files. ");
	        document.frmlisting.txtlistingimage.select();
	        return;
	    }
    }
	if(isBlank(document.frmlisting.txtlistingemail.value)){
        alert("Email is Required");
        document.frmlisting.txtlistingemail.select();
		return;

    }
    if(!isEmail(document.frmlisting.txtlistingemail.value)){
        alert("Email: Incorrect data");
        document.frmlisting.txtlistingemail.select();
        return;
    }

	document.frmlisting.action="listingsubmit.php";
    document.frmlisting.submit();
}
</script>
<FORM name="frmlisting" method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="500000">
<Input type="file" name="txtlistingimage" style="WIDTH: 275px; HEIGHT: 20px" size="39" maxlength="100">
	             <Input type=hidden name="mode" value="<?=$mode?>">
	             <input type=hidden name="l_id" value="<?=$l_id?>">
	             <input type=hidden name="c_id" value="<?=$c_id?>">
                    <input type=hidden name="cboCity" value="<?=$intcityid?>">
                    <input type=hidden name="txtpreviousimage" value="<?=$listingimage?>">
                    <input type=hidden name="txtfrmpg" value='<?=$frmpg?>'>
<input type="button" class="btn_text" value="Preview" onclick="javascript:callSave();" style="border:solid-1px; color: #333333 ">
The processor "listingsubmit.php"

Code: Select all

<?
include("connection.php");
$c_id = $_POST['c_id'];
$city  = $_POST['cboCity'];
$l_id = $_POST['l_id'];
$listing_title  = $_POST['txtlistingtitle'];
$listing_location  = $_POST['txtlistinglocation'];

if(isset($_POST['txtlistingprice'])){
    $listing_price  = $_POST['txtlistingprice'];
}else{
    $listing_price =0;
}
$listing_text  = $_POST['txtlistingtext'];
$listing_address  = $_POST['txtlistingaddress'];
$listing_city  = $_POST['txtlistingcity'];
$listing_email  = $_POST['txtlistingemail'];
$listing_emailoption  = $_POST['rademailoption'];
$listing_contactinfo  = $_POST['txtlistingcontactinfo'];
$listing_date  = $_POST['txtlistingdate'];
$listing_show  = "N";
$listing_buysell  = $_POST['radfor'];
$listing_premier  = $_POST['chkpremier'];
if($listing_premier=="on"){
    $listing_premier = "Y";
}else{
    $listing_premier = "N";
}
$listing_date = date("Y-m-d");

if(isset($_GET['mode']))
{
    $mode =$_GET['mode'];
}
if(isset($_POST['mode']))
{
    $mode =$_POST['mode'];
}

$frmpg = $_POST['txtfrmpg']; //form vars
$dirupload = "images/listing/"; // path to the image directory

switch ($mode){  //defined on the form and above add or edit
case "Add":

        if($_FILES['txtlistingimage']['name'] == ""){
            $listing_image = "";
        }else{
            $listing_image = getfilename($_FILES['txtlistingimage']['name'],1);
            copy ( $_FILES['txtlistingimage']['tmp_name'],$dirupload.$listing_image)
            or $msgid=2;
        }

//-- GET SIZE OF UPLOADED IMAGE
var_dump($_FILES);
$file = $_FILES['txtlistingimage']; //file from form
$max_size = 500000; // roughly 500K
if(filesize($file['tmp_name']) > $max_size)
  die('File size is too great.');

//$img_info = getimagesize($file['tmp_name']);

$img_info = getimagesize($_FILES['txtlistingimage']['tmp_name']);
if(($img_info[0] > 600) || ($img_info[1] > 600))
  die('Image dimensions are greater than 600px x 600px.');

if(is_uploaded_file($file['tmp_name'])){
if(move_uploaded_file($file['tmp_name'], $dirupload.$file['name'])){
   echo 'w00t!  The file was uploaded and is in '.$dirupload;
}
} else {
echo 'No file uploaded to be moved.';
} 

            $strInsert="Insert into listing_master(city_id,category_id,listing_title,listing_location,listing_price,listing_text,listing_address,listing_city,listing_image,listing_email,listing_email_option,listing_contact_information,listing_date,listing_show,listing_buysell,listing_premier) values (";
        if($listing_date == ""){
            $strInsert=$strInsert . "$city,$c_id,'$listing_title','$listing_location',$listing_price,'$listing_text','$listing_address','$listing_city','$listing_image','$listing_email','$listing_emailoption','$listing_contactinfo',NULL,'$listing_show','$listing_buysell','$listing_premier')";
        }else{
               $strInsert=$strInsert . "$city,$c_id,'$listing_title','$listing_location',$listing_price,'$listing_text','$listing_address','$listing_city','$listing_image','$listing_email','$listing_emailoption','$listing_contactinfo','$listing_date','$listing_show','$listing_buysell','$listing_premier')";
        }
        $MsgId=1;
        if(!($dbResult = mysql_query($strInsert, $dbLink)))
        {
            $success = "false";
            $MsgId=2;
        }

//        $ssql = "SELECT max(listing_id) as listing_id FROM listing_master";


//        $dbResultid = mysql_query($ssql,$dbLink);
//        $rowlistid = mysql_fetch_array($dbResultid, MYSQL_ASSOC);
//        $listingid = $rowlistid['listing_id'];
        $listingid = mysql_insert_id();
          header("Location:listingpreview.php?l_id=$listingid&cityid=".$city."&c_id=$c_id&catid=$c_id&msgid=".$MsgId);
        return;
           break; 

//Begin Edit

case "Edit":
		if($_FILES['txtlistingimage']['name'] != ""){
     		if ($_POST['txtpreviousimage'] != ""){
          		if(file_exists(realpath($dirupload.$_POST['txtpreviousimage']))){
         		unlink(realpath($dirupload.$_POST['txtpreviousimage']));
                }
          	}
	        $listing_image = getfilename($_FILES['txtlistingimage']['name'],1);
	        copy ( $_FILES['txtlistingimage']['tmp_name'],$dirupload.$listing_image)
	        or $msgid=2;
       	}else{
	        if ($_POST['txtpreviousimage'] != ""){
	           $listing_image=$_POST['txtpreviousimage'];
	        }else{
	        	$listing_image="";
	        }
        }
        $strEdit="Update listing_master Set ";
        $strEdit=$strEdit . "city_id  = " . $city . ",";
        $strEdit=$strEdit . "category_id  = " . $c_id . ",";
        $strEdit=$strEdit . "listing_title  = '" . $listing_title . "',";
        $strEdit=$strEdit . "listing_location  = '" . $listing_location . "',";
        $strEdit=$strEdit . "listing_price = ". $listing_price .",";
		$strEdit=$strEdit . "listing_text  = '" . $listing_text . "',";
        $strEdit=$strEdit . "listing_address  = '" . $listing_address . "',";
        $strEdit=$strEdit . "listing_city  = '" . $listing_city . "',";
        $strEdit=$strEdit . "listing_image  = '" . $listing_image . "',";
        $strEdit=$strEdit . "listing_email  = '" . $listing_email . "',";
        $strEdit=$strEdit . "listing_email_option  = '" . $listing_emailoption . "',";
        $strEdit=$strEdit . "listing_contact_information  = '" . $listing_contactinfo . "',";
		if($listing_date == ""){
			$strEdit=$strEdit . "listing_date = NULL,";
        }else{
        	$strEdit=$strEdit . "listing_date  = '" . $listing_date . "',";
        }
        $strEdit=$strEdit . "listing_show  = '" . $listing_show . "',";
        $strEdit=$strEdit . "listing_buysell  = '" . $listing_buysell . "',";
        $strEdit=$strEdit . "listing_premier  = '" . $listing_premier . "'";
        $strEdit=$strEdit . " where listing_id = ". $_POST['l_id'];
//echo $strEdit;
//return;
		$MsgId=1;
  		if(!($dbResult = mysql_query($strEdit, $dbLink)))
		{
            $success = "false";
            $MsgId=2;
		}
//	  	header("Location:listing_list.php?cityid=".$city."&c_id=$c_id&msgid=".$MsgId);
		if($frmpg==""){
	  		header("Location:listingpreview.php?l_id=$l_id&cityid=".$city."&c_id=$c_id&catid=$c_id&msgid=".$MsgId);
		}else{
	  		header("Location:listing_publish.php?l_id=$l_id&cityid=".$city."&c_id=$c_id&catid=$c_id");
        }
        return;
       break;

//Begin Delete

 case "Delete":

?>

Posted: Sun Mar 12, 2006 10:06 pm
by feyd

Code: Select all

$_FILES['$listingimage']['size'][$i]
:arrow:

Code: Select all

$_FILES['txtlistingimage']['size']

Posted: Sun Mar 12, 2006 10:52 pm
by Dave9666
feyd wrote:

Code: Select all

$_FILES['$listingimage']['size'][$i]
:arrow:

Code: Select all

$_FILES['txtlistingimage']['size']

Thanks feyd - nice catch.

Unfortunatley didn't work - I still must be missing something here.

Posted: Tue Mar 14, 2006 2:32 pm
by Dave9666
Am i correct in assuming the php image validation has to occur after an image has been uploaded to the server - in the temp image folder?

Also, found a few mistakes which i've fixed in the above posted code.

Posted: Tue Mar 14, 2006 3:23 pm
by feyd
yes, the file must be on the server, readable by php so it can determine the image type by interrogating the binary data.

Posted: Tue Mar 14, 2006 3:47 pm
by Dave9666
Thanks. I'm pretty stumpt then. the way its written now (in original post) it should be working.

Posted: Tue Mar 14, 2006 4:05 pm
by feyd
hint: look at $file

Posted: Tue Mar 14, 2006 4:58 pm
by Dave9666
feyd wrote:hint: look at $file
You mean this line

Code: Select all

$file = $_FILES['$frmpg']; // file from form
to

Code: Select all

$file = $_FILES['$listing_image']; // file from form

Posted: Tue Mar 14, 2006 5:04 pm
by shiznatix
no I am certain he ment for you to do

Code: Select all

$file = $_FILES[$frmpg]; // file from form
lets take a qick look at why:

Code: Select all

$frmpg = 'PageIt!';
echo $frmpg;// PageIt!
echo '$frmpg';// $frmpg
echo "$frmpg"; // PageIt!
see the difference between putting a variable without any quotes or in double quotes compaired to single quotes? Putting it in double quotes is essentially the same as without quotes at all but some people still put it in double for whatever reason.

Posted: Tue Mar 14, 2006 5:19 pm
by Dave9666
doesn't seem to make a difference - its coded now as

Code: Select all

$file = $_FILES['$frmpg']; // file from form

and its still not validating

Posted: Tue Mar 14, 2006 5:25 pm
by feyd
*sigh*

Code: Select all

$file = $_FILES['txtlistingimage'];

Posted: Tue Mar 14, 2006 5:35 pm
by Dave9666
feyd wrote:*sigh*

Code: Select all

$file = $_FILES['txtlistingimage'];

i tried that already - no go

Posted: Tue Mar 14, 2006 5:45 pm
by Dave9666
The entire 'mode' ADD script is in the original post now

Posted: Tue Mar 14, 2006 6:02 pm
by feyd
var_dump($_FILES) does it even exist?

Posted: Tue Mar 14, 2006 6:05 pm
by Dave9666
feyd wrote:var_dump($_FILES) does it even exist?

Code: Select all

$frmpg = $HTTP_POST_VARS['txtfrmpg'];