PHP image upload and text upload script

Post by AaronJ »

Hi all,

I'm fairly new to php and am currently developing a website for a small business venture for myself. On the site we want to be able to take orders from our small client base.

In order to achieve this we need a few things from the user: a name, a valid email address, an image file (locally stored on their computer to be uploaded to our servers) and a comment.

I have created a simple form to handle all of this. The PHP that I have written checks to see if the "name" and "comment" fields are empty and if the "email" field is filled correctly (using the eregi method). The PHP also checks the filetype of the image and rejects anything that is of the wrong format or is too large in size.

The file is uploaded to a directory (currently in the web tree, but eventually won't be) and the text is written to a text file with the same name as the image.

So far in my code I have:

Code:

<?PHP
	if (isset($_REQUEST['form_submitted'])) {
	$fname = ($_POST['fname']);
	$email = ($_POST['email']);
	$comment = ($_POST['comment']);
	$filesize = ($HTTP_POST_FILES['userfile']['size']);
	$tmpfile = ($HTTP_POST_FILES['userfile']['tmp_name']);
	
	function check_form_filled() {
  
	$fname = ($_POST['fname']);
	$email = ($_POST['email']);
	$comment = ($_POST['comment']);	
	$filesize = ($HTTP_POST_FILES['userfile']['size']);
	$tmpfile = ($HTTP_POST_FILES['userfile']['tmp_name']);
	
  //empty name 
  if (empty($fname)) {
	echo '<p style="color:red">* name is required</p>';
	return FALSE;
	}
  //valid and regular email
  if (!eregi("^[a-z0-9~!#$%&_-]([.]?[a-z0-9~!#$%&_-]+)*@[a-z0-9~!#$%&_-]+([.]?[a-z0-9~!#$%&_-]+)*(\.[a-z]{2,6})$", $email)){
	echo '<p style="color:red">* invalid email</p>';
	return FALSE;
	}
  //empty comment
  if (empty($comment)) {
	echo '<p style="color:red">* empty comment</p>';
	return FALSE;
	}
	return TRUE;
	}
			
	//check outcomes
	if (check_form_filled()) {
	
	$path = "uploads/";
	$max_size = 1000000;
	
	$filename = ($HTTP_POST_FILES['userfile']['name']);
	$filetype = ($HTTP_POST_FILES['userfile']['type']);
	$filesize = ($HTTP_POST_FILES['userfile']['size']);
	$tmpfile = ($HTTP_POST_FILES['userfile']['tmp_name']);
	
	//check upload
  if (is_uploaded_file($tmpfile)) {
	//check file size
	if ($filesize>$max_size) {
	echo '<p style="color:red">* file exceeds max file size</p>';
	}
	//check file type
	if (($filetype=="image/gif") || ($filetype=="image/png") || ($filetype=="image/jpeg") || ($filetype=="image/bmp")) {
	//check duplicate
	if (file_exists($path . $filename)) {
	echo '<p style="color:red">* the file already exists, please rename and retry</p>';
	}
	//write file to directory
	$res = copy($tmpfile, $path .
	$filename);
	//check for errors
	if (!$res) {
	echo '<p style="color:red">* error uploading, please retry</p>';
	}

	//all good, print file info to screen
	echo '<p style="color:green">';
	echo "* file Name: $filename<br/>\n";
	echo "* file Size: $filesize bytes<br/>\n";
	echo "* file Type: $filetype<br/>\n";
	echo '</p>';
	
	echo '<h3 style="color:green">Success</h3>';
	echo '<p style="color:green">you\'ll be hearing from us soon!</p>';

		//write the text file
		$textfile = ($path . $filename . '.txt');
		$fh = fopen($textfile, 'w');
	
		$stringData = "Name: $fname \r";
		fwrite($fh, $stringData);
	
		$stringData = "Email: $email \r";
		fwrite($fh, $stringData);
	
		$stringData = "--------------------------------------------------------- \r";
		fwrite($fh, $stringData);
	
		$stringData = "$comment \r";
		fwrite($fh, $stringData);
	
		$stringData = "--------------------------------------------------------- \r";
		fwrite($fh, $stringData);
		
		$stringData = "File: $filename \r";
		fwrite($fh, $stringData);
		
		$stringData = "--------------------------------------------------------- \r";
		fwrite($fh, $stringData);
	
		fclose($fh);
	}
	 else {
	 echo '<p style="color:red">* wrong file type</p>';
	 }
	}
	else {
	echo '<p style="color:red">* no file uploaded</p>';
    }
  }
	 echo '<h3 style="color:red">FAILED</h3>';
	 echo '<p style="color:red">please correct the above errors and re-submit</p>';
	}
 ?>

Whilst this works, essentially, in the way I intended, the errors it produces are wrong. I want the PHP to output all the errors as well as leaving the correct info intact when the form is presented again.

Also, from reading up today, I've found out that the filetype could be faked at the user end. Is there any way to check a file for its true filetype?

Sorry for the obscenely long post :oops: (and general newbishness)
-Aaron
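On the faked-filetype question, an added example (not part of the original post): `$_FILES[...]['type']` and `['name']` are sent by the browser, so this sketch detects the type from the file's own bytes and stores it under a server-generated name. The allow-list, the size limit and the `store_uploaded_image()` helper name are assumptions; BMP is left out because its detected MIME string varies between systems.

```php
<?php
// Added example: validate an upload by content, not by the client-supplied type.
// MAX_BYTES, ALLOWED and store_uploaded_image() are assumed names for illustration.

const MAX_BYTES = 1000000;
const ALLOWED = [            // detected MIME type => extension the server assigns
    'image/gif'  => 'gif',
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Returns [storedPath, null] on success or [null, errorMessage] on failure.
 * $file is one entry of $_FILES, e.g. $_FILES['userfile'].
 */
function store_uploaded_image(array $file, string $destDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [null, 'no file uploaded'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [null, 'not an HTTP upload'];
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return [null, 'file exceeds max file size'];
    }
    // Detect the type from the file's leading bytes (fileinfo extension).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        return [null, 'wrong file type'];
    }
    // The header must also parse as an image of that same type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return [null, 'wrong file type'];
    }
    // Never reuse the client's file name: generate one and fix the extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    // move_uploaded_file() refuses anything that is not a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [null, 'error uploading, please retry'];
    }
    return [$dest, null];
}
```

Both checks read only the file header, so a file can carry a valid image header and other content after it; the server-assigned extension and a storage directory outside the web tree are what keep such a file from being served as anything but an image.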
Post by Ollie Saunders »

When you output the form after a failed validation you will need to add the values you received in post from the initial submission back into the form.

Say you have a single field

Code:

<input type="text" id="txt" name="txt" />
you will need to add this for repopulation

Code:

?><input type="text" id="txt" name="txt" value="<?php echo htmlspecialchars($_POST['txt'], ENT_QUOTES); ?>" />
Notice I'm using htmlspecialchars here, this is very important and prevents people modifying the HTML itself with their submission.
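The repopulation described above, extended to the original question's three fields and to reporting every error at once, as an added example that is not code from either poster. The helper names `h()`, `field()`, `validate_order()` and `text_field()` are assumptions, and `filter_var()` stands in for the `eregi` pattern.

```php
<?php
// Added example. Field names follow the form in the thread (fname, email, comment).

/** Escape a value for use in HTML text or inside a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Read one submitted field as a string; arrays and missing keys become ''. */
function field(array $post, string $name): string
{
    return is_string($post[$name] ?? null) ? trim($post[$name]) : '';
}

/** Check every field and return all problems, keyed by field name. */
function validate_order(array $post): array
{
    $errors = [];
    if (field($post, 'fname') === '') {
        $errors['fname'] = 'name is required';
    }
    if (filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email';
    }
    if (field($post, 'comment') === '') {
        $errors['comment'] = 'empty comment';
    }
    return $errors;   // empty array means the text fields are acceptable
}

/** Render one text input with its submitted value and its error, if any. */
function text_field(string $name, array $post, array $errors): string
{
    $html = '<input type="text" name="' . h($name)
          . '" value="' . h(field($post, $name)) . '" />';
    if (isset($errors[$name])) {
        $html .= '<p style="color:red">* ' . h($errors[$name]) . '</p>';
    }
    return $html;
}

// No early return: every field is checked, then the whole form is redrawn.
$submitted = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
$errors    = $submitted ? validate_order($_POST) : [];
foreach (['fname', 'email', 'comment'] as $name) {
    echo text_field($name, $_POST, $errors), "\n";
}
```

A file input cannot be repopulated this way, because browsers ignore a `value` set by the server on `type="file"`, so the user has to pick the image again after a failed submission.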