script will not process image/pjpeg

mantis_61
Forum Newbie
Posts: 6
Joined: Sun Jan 14, 2007 12:56 pm

Post by mantis_61 »

This is weird. I have written this script and it will go through just fine until I have to upload a jpeg image. Why is this? I have spent 2 hours backtracking by cut n' paste and it seems to handle jpeg fine; however, I need it to handle jpeg in this script. I have no idea what might be interfering. When I make the upload I get "your request did not go through" as I have instructed it to do. Anyone have any suggestions? Here's my code:

Code:

<html>
<head>
<title>Catalog Setup</title>
<script language="JavaScript">
function goToURL() {window.location = "/lp/catsu.html";}
</script>
</head>

<body>
<body bgcolor=#ddddaa>
<center>
<h1>CATALOG SETUP</h1>
<hr height=8>
</center>


<?php

if ($_SERVER['REQUEST_METHOD'] =='POST') {

   $input = $_FILES['userfile']['name'];
   $input = EscapeShellCmd($input);

   if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
	


	$type = strtolower($_FILES['userfile']['type']);
	switch ($type) {
	case "image/bmp";
	$mimeType = "bmp";
	break;
	case "image/jpg";
	$mimeType = "jpg";
	break;
	case "image/jpeg";
	$mimeType = "jpeg";
	break;
	case "image/pjpeg";
        $mimeType = "jpg";
        break;
        case "image/gif";
	$mimeType = "gif";
	break;
	default:
	$mimeType = "unknown";
        }
     
        $file = fopen($_FILES['userfile']['tmp_name'], "r");
        $file = fread($file, filesize($_FILES['userfile']['tmp_name']));
        $file = addslashes($file);




       $link = mysql_connect('localhost', 'root');
       if (!$link) {
	  die('could not connect to catalog' . mysql_error());
       }
       echo "<center><font color=#aa0000><i>you have connected to the catalog.</i></font></center>";
       echo "<a href='/lp/catsu.html'>MAIN MENU</a>";
       mysql_select_db('prototad', $link);


      $tmp = $_FILES['userfile']['tmp_name'];
      $id = mysql_insert_id() + 1;

      if ($_POST['seasonal'] == "y") {
          $sql = "INSERT into seasonal values ($id, '{$_POST[name]}', {$_POST[quantity]}, '{$_POST[description]}', {$_POST[price]}, '$mimeType')";
          $result = mysql_query($sql);
          
      }
      $sql = "insert into {$_POST['type']} (id, name, seasonal, quantity, description, price, ext, pic_id) values (0, '{$_POST[name]}', default, {$_POST['quantity']}, '{$_POST[description]}', {$_POST['price']}, '$mimeType', LAST_INSERT_ID())";
      $result = mysql_query($sql);
      
      
      if (mysql_affected_rows($link)) {
      $sql = "select * from necklaces";
      $result = mysql_query($sql);
      $id = mysql_num_rows($result);
    
      
      
      $folder = $_POST['type'];
      $destination = "uploads\\" . $folder . "\\" . $id . "." . $mimeType;
     
      }

      if (move_uploaded_file($tmp, $destination)) {
       
         echo "<p><center>your merchandise was submitted succesfully</center><br><hr>";
      
      }
}
else
{
   $file = NULL;
   echo "<center>Your request was not successful.</center>";
}
}

?>

<html>
<form action=<?=$_SERVER['PHP_SELF']?> method="POST" enctype="multipart/form-data">
<font color=#aa0000 style=bold> Fields that are in red are required or else your submission will not go through.</font>
<p>
<font color=#aa0000 style=bold>What type of merchandise are you submiting?</font><p>
<select name=type>
<option value=necklaces>Necklaces</option>
<option value=earrings>Earrings</option>
<option value=bracelets>Bracelets</option>
<option value=anklets>Anklets</option>
<option value=watches>Watches</option>
</select>
<p>
Give this item a label for easy lookup if wanted:<p>
<input type=text name=name></text><p>
Give a short description of this item:<p>
<textarea name="description" width=400 height=250></textarea><p>
Would you like to mark this item as seasonal?<p>
<input type="radio" name="seasonal" value="y">
Seasonal<p>
<font color=#aa0000 style=bold>How many are you holding in inventory?<p> 
<input type=text name="quantity"><p>
What would you like to set the price to?&nbsp;(please show your answer in the format such as: 1.25 or 10.50)<p>
<input type=text name="price"><p>
<p>
Upload your picture:<p>
<input type="hidden" name='max_file_size' value='30000'>
<input name='userfile' type="file">
</font><p>
<center>
<input type="submit"><p>

<input type=button value="MAIN MENU" onClick="goToURL()">
</script>
</form>
<p>

</center>
</html>
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Do not rely on the type information, ever. It is very easy to spoof and PHP does no verification whatsoever.

Use getimagesize() and/or mime_content_type() to verify the types of files based on their internals.

Your script is vulnerable to SQL injection. $_POST et al must be validated, verified and escaped before being incorporated into queries.
mantis_61
Forum Newbie
Posts: 6
Joined: Sun Jan 14, 2007 12:56 pm

Post by mantis_61 »

I knew the SQL queries weren't secured yet. I've been trying to get the script to function before I complicated it first by filtering out data. This is actually my first website using any kind of dynamic content. Right now this script isn't on a server available to the public. I think I understand what you are suggesting.
The file shouldn't need to be stored in the destination to use these functions though? Should it? I tried doing something of this sort and it would not echo back for me:

Code:

$file = $_FILES['userfile']['tmp_name'];
echo mime_content_type($file);
which didn't work.
Do I have to use the file name after it has been placed in the directory?
I haven't tried the file size function yet.

I'm doing this blind and with reason, just to see what I come up with to compare to other people's methods. I have already realized there are quicker avenues to get this to do the same thing; however, I'm still learning the language and trying to figure out why mine is not working.
Thanks for the help.
I'll continue to work on this.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

PHP may not be able to locate the data required for mime_content_type(). getimagesize() doesn't need any external data.
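
The checks feyd describes, as an added example that is not part of the thread: the image type is read from the file's bytes with getimagesize() instead of $_FILES['userfile']['type'], and the form's type field is matched against a fixed list before it reaches the query or the upload path. The function names, the column list and the constructed sample files are assumptions for illustration.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Extensions keyed by the IMAGETYPE_* value getimagesize() reads from the bytes.
const ALLOWED_IMAGES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_BMP  => 'bmp',
];
// The form's "type" field selects both the table and the upload folder, so it
// is matched against a fixed list rather than escaped.
const ALLOWED_TABLES = ['necklaces', 'earrings', 'bracelets', 'anklets', 'watches'];

// Returns the extension for an allowed image, or null. The browser-supplied
// $_FILES['userfile']['type'] is never consulted.
function detectImageExtension(string $path): ?string
{
    $info = getimagesize($path);   // false when the content is not an image
    if ($info === false) {
        return null;
    }
    return ALLOWED_IMAGES[$info[2]] ?? null;   // index 2 holds IMAGETYPE_*
}

// Returns an INSERT with placeholders for an allow-listed table, or null.
// The column list is an assumption based on the query in the question.
function buildInsertSql(string $table): ?string
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        return null;
    }
    return "INSERT INTO `$table` (name, quantity, description, price, ext) "
         . "VALUES (?, ?, ?, ?, ?)";
}

// Constructed sample files standing in for $_FILES['userfile']['tmp_name'].
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$text = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($text, "plain text sent with type image/pjpeg");

var_dump(detectImageExtension($gif));
var_dump(detectImageExtension($text));
var_dump(buildInsertSql('necklaces'));
var_dump(buildInsertSql('necklaces_old'));

unlink($gif);
unlink($text);
```

The SQL string is meant for a prepared statement (PDO or mysqli), with the posted name, quantity, description and price and the detected extension bound as parameters.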