Need help with uploading images and MySQL

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Bogey
Forum Commoner
Posts: 34
Joined: Sat Nov 10, 2007 5:51 pm

Need help with uploading images and MySQL

Post by Bogey »

What I want to do is have a form that uploads an image to a file (that works perfectly) and submits the URL and the Name into the database (that doesn't work) and than the script would create an individual page for the image (that works).

I chose to take the MySQL route on this one... why does the following NOT submit the $imageUrl into the database?

Code: Select all

<?php
  //setting the values
  $name = $_POST['file-name'];

  //The uploading code
  if (($_FILES["file"]["type"] == "image/gif")
  || ($_FILES["file"]["type"] == "image/jpeg")
  || ($_FILES["file"]["type"] == "image/pjpeg")
  || ($_FILES["file"]["type"] == "image/bmp")
  || ($_FILES["file"]["type"] == "image/png")
  && ($_FILES["file"]["size"] < 20000))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "<p>Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb</p>";

    if (file_exists("images/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      $error = true;
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "images/" . $_FILES["file"]["name"]);
      echo 'Stored in: ' . 'images/' . $_FILES["file"]["name"];
      $imageUrl = 'images/' . $_FILES["file"]["name"];
      $error = false;
      }
    }
  }
else
  {
  echo "<p>Invalid file</p>";
  $error = true;
  }

//Creating the file
if($error === false)
 {
  //MySQL connection
  mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
  //Database connection
  mysql_select_db($dbtable) or die(mysql_error());
  mysql_query('INSERT INTO imageSharing (`url`,`url`) VALUES ('$imageUrl','$name')');

//Creating the image file
$filename2 = 'pages/'. $_FILES["file"]["name"] .'.php';
$fp2 = fopen('"$filename2", "w");
fwrite($fp2, "
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">
<head>
<title>". $name ."</title>
<meta name=\"keywords\" content=\"". $keywords .">\" />
<meta name=\"description\" content=\"". $name ."\" />
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<link rel=\"stylesheet\" href=\"../". $cssScript ."\" title=\"". $siteName .">\" media=\"screen\" type=\"text/css\" />
</head>
<body>
<div id=\"wrap\">
<div id=\"header\">". $header ."</div>
<div id=\"container\">
<div id=\"navigation\">
<a href=\"../Index.php\">Home</a>
<a href=\"../Submit.php\">Submit</a>
<a href=\"../Images.php\">Images</a>
<a href=\"../Search.php\">Search</a>
</div>
<div id=\"content\">
<img src=\"../". $imageUrl ."\" alt=\"". $name ."\" /><br /><p class=\"alt\">". $name ."</p>
</div>
</div>
<div id=\"footer\">". $footer ."</div>
</div>
</body>
</html>");
chmod("$filename2", 0755);
fclose($fp2);

//MySQL log off
mysql_close();
 }
else
 {
  print "There was an error.";
 }
?>
By the way... the values for $dbhost, $dbuser, $dbpass, and $dbtable are in a config file so you know up front :)
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

When you're inserting into imageSharing, you're trying to enter in 2 values for the `url` field. I'd guess you actually want 1 of them to be `name`.

Also, don't rely on $_FILES['type'] to be sure the file is an image - that stuff can be spoofed. Use getimagesize() instead.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Bogey
Forum Commoner
Posts: 34
Joined: Sat Nov 10, 2007 5:51 pm

Post by Bogey »

So, how do I check it's image type and size with that code?

like this?

Code: Select all

$image = getimagesize($file);
Bogey
Forum Commoner
Posts: 34
Joined: Sat Nov 10, 2007 5:51 pm

Post by Bogey »

Anyone?
User avatar
markusn00b
Forum Contributor
Posts: 298
Joined: Sat Oct 20, 2007 2:16 pm
Location: York, England

Re: Need help with uploading images and MySQL

Post by markusn00b »

I would move things around a bit.

Code: Select all

<?php
  //setting the values
  $name = $_POST['file-name'];

  //The uploading code
  if (($_FILES["file"]["type"] == "image/gif")
  || ($_FILES["file"]["type"] == "image/jpeg")
  || ($_FILES["file"]["type"] == "image/pjpeg")
  || ($_FILES["file"]["type"] == "image/bmp")
  || ($_FILES["file"]["type"] == "image/png")
  && ($_FILES["file"]["size"] < 20000))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "<p>Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb</p>";

    if (file_exists("images/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      $error = true;
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "images/" . $_FILES["file"]["name"]);
      echo 'Stored in: ' . 'images/' . $_FILES["file"]["name"];
      $imageUrl = 'images/' . $_FILES["file"]["name"];
      $error = false;
          
      /************** put the database stuff and file creation here! *****************/
  //MySQL connection
  mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
  //Database connection
  mysql_select_db($dbtable) or die(mysql_error());
  mysql_query('INSERT INTO imageSharing (`url`,`url`) VALUES ('$imageUrl','$name')');

//Creating the image file
$filename2 = 'pages/'. $_FILES["file"]["name"] .'.php';
$fp2 = fopen('"$filename2", "w");
fwrite($fp2, "
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">
<head>
<title>". $name ."</title>
<meta name=\"keywords\" content=\"". $keywords .">\" />
<meta name=\"description\" content=\"". $name ."\" />
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<link rel=\"stylesheet\" href=\"../". $cssScript ."\" title=\"". $siteName .">\" media=\"screen\" type=\"text/css\" />
</head>
<body>
<div id=\"wrap\">
<div id=\"header\">". $header ."</div>
<div id=\"container\">
<div id=\"navigation\">
<a href=\"../Index.php\">Home</a>
<a href=\"../Submit.php\">Submit</a>
<a href=\"../Images.php\">Images</a>
<a href=\"../Search.php\">Search</a>
</div>
<div id=\"content\">
<img src=\"../". $imageUrl ."\" alt=\"". $name ."\" /><br /><p class=\"alt\">". $name ."</p>
</div>
</div>
<div id=\"footer\">". $footer ."</div>
</div>
</body>
</html>");
chmod("$filename2", 0755);
fclose($fp2);

//MySQL log off
mysql_close();

/****************** end db stuff and file creation ****************/
      }
    }
  }
else
  {
  echo "<p>Invalid file</p>";
  }



/* you dont need this !!!
if($error === false)
 {

 }
*/



else
 {
  print "There was an error.";
 }
?>
Got rid of the $error = TRUE - unnecessary. Just stick it in where and when the file is validated and saved.

In your INSERT INTO you have two `url` columns selected. Change this. What else i saw is that in the mysql_select_db() you have entered $dbtable. From the looks of this you're selecting a table and not the database. Next, have you done any checks? i.e. testing with your mysql to make sure your connections are correct?

Further more, i'm oblivious as to why you are creating a new page for each image? That's just going to take up extra room!

This might suit you better:
create a dynamic php page that will pull the name of the image from the url and display it. eg.
url = http://yoursite.com/index.php?url=thisimage.jpg

Code: Select all

$filename = $_GET['url'];
echo "<img src='uploads/$filename' />";
See where i'm going with that?

Let me know!
echo
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

You have serious problems by using the user-supplied file name in your code. An attacker can thus upload a PHP script, or an arbitrary file in - generally - a directory of his choosing. This is bad. Also, your MySQL code allows sql injection.
Post Reply