Able to upload certain files and reload of form action

CoolAsCarlito
Forum Contributor
Posts: 192
Joined: Sat May 31, 2008 3:27 pm

Able to upload certain files and reload of form action

Post by CoolAsCarlito »

What I'm wanting to do with this code is make it to where the only type of files that can ONLY be uploaded are files that have the extension .jpg. I would also like to make it to where upon submission of the form the page reloads and automatically adds it to the table below.

Code:

<?php
 
/* addshowname.php */
 
/* This form after submission takes the results of the form and inserts the values into the database as a new show name is created. */
 
require ('database.php');
 
// Where the file is going to be placed
$target_path = "../defiant/images/";
 
/* Add the original filename to our target path. 
Result is "images/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
 
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
 
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".basename( $_FILES['uploadedfile']['name'])." has been uploaded";
} else{
 echo "There was an error uploading the file, please try again!";
 
}
 
 
 
// checks if the username is in use
if (!get_magic_quotes_gpc()) {
$_POST['showname'] = addslashes($_POST['showname']);
}
$showname = $_POST['showname'];
$check = mysql_query("SELECT showname FROM shows WHERE showname = '$showname'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
 
//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the show name '.$_POST['showname'].' is already in use.');
}
 
// now we insert it into the database
$insert = "INSERT INTO shows (showname, type, showimage, showlabel) VALUES ('".$_POST['showname']."','".$_POST['type']."','$target_path','1')";
 
$add_show = mysql_query($insert) or die(mysql_error());
 
}
 
echo '<form enctype="multipart/form-data" action="addshowname.php" method="post">';
echo '<input name="MAX_FILE_SIZE" type="hidden" value="100000">';
echo '<fieldset>';
echo '<legend>Enter the following information to add a show name:</legend>';
echo '<p>Enter Show Name:<input name="showname" type="text"></p>';
echo '<p>Show Type:<select name="type"><option></option><option>Weekly Show</option><option>Pay Per View</option></select></p>';
echo '<p>Upload Show Image:<input name="uploadedfile" type="file"></p>';
echo '<div align="center"><input name="submit" type="submit"><input name="sumbitted" type="hidden" value="TRUE"></div>';
echo '</fieldset>';
echo '</form>';
 
 
 
print '<center><h2><span style="color: #CC0000">Edit/Delete A Show</span></h2></center>';
print '<center><table width="50%" border="1">';
 
if(!isset($_GET['action']) && !isset($_POST['name'])) {
//Define the query
$query = "SELECT * FROM shows";
 
if ($r = mysql_query ($query)){ // Run the query.
    if (mysql_num_rows($r) > 0)
    {
 
 // Retrieve and print every record
        while ($row = mysql_fetch_array ($r)){
  print '<tr><td>'.$row['showname'].'</td><td><a href="addshowname.php?action=edit&id='.$row['id'].'">Edit</a></td><td><a href="addshowname.php?action=delete&id='.$row['id'].'">Delete</a></td></tr>';
}
}
    else
    {
        print "No Shows\n";
    }
} else {
die ('<p>Could not retrieve the data because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
} //End of query IF
 
print '</table></center>';
}
 
if($_GET['action'] == 'edit') {
 $query = "SELECT * FROM shows WHERE id = '".$_GET['id']."'";
 $res = mysql_fetch_array(mysql_query($query));
 print('<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="form1">');
 print('<table border=1 cellpadding=5 cellspacing=0 width=350>');
 print('<tr><td>Name of show:</td><td><input type="text" name="name" value="'.$res['showname'].'"/></td></tr>');
 print('<tr><td>Show Type Type:</td><td><select name="type">');
 $types = array('Weekly Show','Pay Per View');
 foreach($types as $type) {
  if($type == $res['type']) {
   print('<option value="'.$type.'" selected="selected">'.$type.'</option>');
  }
  else {
   print('<option value="'.$type.'">'.$type.'</option>');
  }
 }
 print('</select></td></tr>');
 print('<tr><th colspan=2><input type="hidden" name="id" value="'.$_GET['id'].'" /><input type="submit" value="Edit Show" /></th></tr></table></form></center>');
} 
if(isset($_POST['name'])) {
$query = "UPDATE shows SET showname = '".mysql_real_escape_string($_POST['name'])."', location = '".mysql_real_escape_string($_POST['loc'])."', date = '".mysql_real_escape_string($_POST['date'])."' WHERE id = '".$_POST['id']."'";
 if(mysql_query($query)) {
  echo "Show updated.";
 }
 else {
  die('<p>The show could not update because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
 }
}
 
if($_GET['action'] == 'delete') {
 $query = "DELETE FROM shows WHERE id = '".$_GET['id']."'";
if(mysql_query($query)) {
 
echo "Deletion successful.";
}
else {
die ('<p>Could not delete post because ' . mysql_error() . '. The query was '."$query.".'</p>');
}
}
 
?>
 
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: Able to upload certain files and reload of form action

Post by The_Anomaly »

I assume you're asking how to validate that the user is uploading a JPEG file. If so, the easiest way by far is to just use the MIME types, with $_FILE['fieldName']['type']. However, as I learned on these forums, this MIME type can be easily changed--so your user could easily upload a .exe just as well. Same thing with using explode() to check the extension.

The best thing to do is to use an image function, perhaps something from GD, to check to see if it recognizes it as a jpg.
CoolAsCarlito
Forum Contributor
Posts: 192
Joined: Sat May 31, 2008 3:27 pm

Re: Able to upload certain files and reload of form action

Post by CoolAsCarlito »

What do you mean GD?
The_Anomaly wrote: The best thing to do is to use an image function, perhaps something from GD, to check to see if it recognizes it as a jpg.
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: Able to upload certain files and reload of form action

Post by The_Anomaly »

CoolAsCarlito
Forum Contributor
Posts: 192
Joined: Sat May 31, 2008 3:27 pm

Re: Able to upload certain files and reload of form action

Post by CoolAsCarlito »

Here is my updated code; I changed a few things around. I found this bit of code and don't know how to add it to my script, but I still want it to refresh the bottom table with the added show info upon submission:

Code:

// Validate the type. Should be jpeg, jpg, or gif.
        $allowed = array ('image/gif', 'image/jpeg', 'image/jpg', 'image/pjpeg');  

Code:

 
<?php
 
/* addshowname.php */
 
/* This form after submission takes the results of the form and inserts the values into the database as a new show name is created. */
 
require ('database.php');
require ('style.css');
 
// Where the file is going to be placed
$target_path = "../defiant/images/";
 
/* Add the original filename to our target path. 
Result is "images/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
 
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
 
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".basename( $_FILES['uploadedfile']['name'])." has been uploaded";
} else{
 echo "There was an error uploading the file, please try again!";
 
}
 
 
 
// checks if the username is in use
if (!get_magic_quotes_gpc()) {
$_POST['showname'] = addslashes($_POST['showname']);
}
$showname = $_POST['showname'];
$check = mysql_query("SELECT showname FROM shows WHERE showname = '$showname'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
 
//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the show name '.$_POST['showname'].' is already in use.');
}
 
// now we insert it into the database
$insert = "INSERT INTO shows (showname, type, showimage, showlabel) VALUES ('".$_POST['showname']."','".$_POST['type']."','$target_path','1')";
 
$add_show = mysql_query($insert) or die(mysql_error());
 
}
 
echo '<form enctype="multipart/form-data" action="addshowname.php" method="post">';
echo '<input name="MAX_FILE_SIZE" type="hidden" value="100000">';
echo '<fieldset>';
echo '<legend>Enter the following information to add a show name:</legend>';
echo '<p>Enter Show Name:<input name="showname" type="text"></p>';
echo '<p>Show Type:<select name="type"><option></option><option>Weekly Show</option><option>Pay Per View</option></select></p>';
echo '<p>Upload Show Image:<input name="uploadedfile" type="file"></p>';
echo '<div align="center"><input name="submit" type="submit" value="Submit"><input name="sumbitted" type="hidden" value="TRUE"></div>';
echo '</fieldset>';
echo '</form>';
 
print '<center><table width="50%">';
print '<tr><td><center><u>ID</u></center></td><td><center><u>Show Type</u></center></td><td><center><u>Show Name</u></center></td><td><center><u>Show Image</u></center></td><td><center><u>Edit</u></center></td><td><center><u>Delete</u></center></td></tr>';
 
if(!isset($_GET['action']) && !isset($_POST['name'])) {
//Define the query
$query = "SELECT * FROM shows";
 
if ($r = mysql_query ($query)){ // Run the query.
    if (mysql_num_rows($r) > 0)
    {
 
 // Retrieve and print every record
        while ($row = mysql_fetch_array ($r)){
  print '<tr><td><center>'.$row['id'].'</center></td><td><center>'.$row['type'].'</center></td><td><center>'.$row['showname'].'</center></td><td><center>'.$row['showimage'].'</center></td><td><center><a href="addshowname.php?action=edit&id='.$row['id'].'">Edit</a></center></td><td><center><a href="addshowname.php?action=delete&id='.$row['id'].'">Delete</a></center></td></tr>';
}
}
    else
    {
        print "No Shows\n";
    }
} else {
die ('<p>Could not retrieve the data because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
} //End of query IF
 
print '</table></center>';
}
 
if($_GET['action'] == 'edit') {
 $query = "SELECT * FROM shows WHERE id = '".$_GET['id']."'";
 $res = mysql_fetch_array(mysql_query($query));
 print('<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="form1">');
 print('<table border=1 cellpadding=5 cellspacing=0 width=350>');
 print('<tr><td>Name of show:</td><td><input type="text" name="name" value="'.$res['showname'].'"/></td></tr>');
 print('<tr><td>Show Type Type:</td><td><select name="type">');
 $types = array('Weekly Show','Pay Per View');
 foreach($types as $type) {
  if($type == $res['type']) {
   print('<option value="'.$type.'" selected="selected">'.$type.'</option>');
  }
  else {
   print('<option value="'.$type.'">'.$type.'</option>');
  }
 }
 print('</select></td></tr>');
 print('<tr><th colspan=2><input type="hidden" name="id" value="'.$_GET['id'].'" /><input type="submit" value="Edit Show" /></th></tr></table></form></center>');
} 
if(isset($_POST['name'])) {
$query = "UPDATE shows SET showname = '".mysql_real_escape_string($_POST['name'])."', location = '".mysql_real_escape_string($_POST['loc'])."', date = '".mysql_real_escape_string($_POST['date'])."' WHERE id = '".$_POST['id']."'";
 if(mysql_query($query)) {
  echo "Show updated.";
 }
 else {
  die('<p>The show could not update because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
 }
}
 
if($_GET['action'] == 'delete') {
 $query = "DELETE FROM shows WHERE id = '".$_GET['id']."'";
if(mysql_query($query)) {
 
echo "Deletion successful.";
}
else {
die ('<p>Could not delete post because ' . mysql_error() . '. The query was '."$query.".'</p>');
}
}
 
?>
 
 
 
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: Able to upload certain files and reload of form action

Post by The_Anomaly »

If you're validating for security purposes, the "code you found" is easily circumventable. Anything that comes from the user (like the MIME types that you have in that array) is easily manipulated. They'll stop the average person from accidentally uploading a PNG for example, but any half-way decent cracker could get through it easily.
CoolAsCarlito
Forum Contributor
Posts: 192
Joined: Sat May 31, 2008 3:27 pm

Re: Able to upload certain files and reload of form action

Post by CoolAsCarlito »

When I submit the form it isn't putting the file into the directory; also, it still adds a record in the database regardless if the submitted file wasn't a jpg file.

Code:

<?php
 
/* addshowname.php */
 
/* This form after submission takes the results of the form and inserts the values into the database as a new show name is created. */
 
require ('database.php');
require ('style.css');
 
// Where the file is going to be placed
$target_path = "../defiant/images/";
 
/* Add the original filename to our target path. 
Result is "images/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
 
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
 
$extension = explode(".", $image);
$extension = $extension[count($extension)-1];
 
if(strtolower($extension) == "jpg"){
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".basename( $_FILES['uploadedfile']['name'])." has been uploaded";
} else{
 echo "There was an error uploading the file, please try again!";
}
}else {
echo "The file you chose to upload wasn't a valid jpg file, please try again!";
}
 
 
// checks if the show name is in use
if (!get_magic_quotes_gpc()) {
$_POST['showname'] = addslashes($_POST['showname']);
}
$showname = $_POST['showname'];
$check = mysql_query("SELECT showname FROM shows WHERE showname = '$showname'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
 
//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the show name '.$_POST['showname'].' is already in use.');
}
 
// now we insert it into the database
$insert = "INSERT INTO shows (showname, type, showimage, showlabel) VALUES ('".$_POST['showname']."','".$_POST['type']."','$target_path','1')";
 
$add_show = mysql_query($insert) or die(mysql_error());
 
}
 
 
echo '<form enctype="multipart/form-data" action="addshowname.php" method="post">';
echo '<input name="MAX_FILE_SIZE" type="hidden" value="100000">';
echo '<fieldset>';
echo '<legend>Enter the following information to add a show name:</legend>';
echo '<p>Enter Show Name:<input name="showname" type="text"></p>';
echo '<p>Show Type:<select name="type"><option></option><option>Weekly Show</option><option>Pay Per View</option></select></p>';
echo '<p>Upload Show Image:<input name="uploadedfile" type="file"></p>';
echo '<div align="center"><input name="submit" type="submit"><input name="sumbitted" type="hidden" value="TRUE"></div>';
echo '</fieldset>';
echo '</form>';
 
 
print '<center><table width="60%">';
print '<tr><td><u><center>ID</center></u></td><td><u><center>Type</center></u></td><td><u><center>Show Name</center></u></td><td><u><center>Show Image</center></u></td><td><u><center>Edit</center></u></td><td><u><center>Delete</center></u></td></tr>';
 
if(!isset($_GET['action']) && !isset($_POST['name'])) {
//Define the query
$query = "SELECT * FROM shows";
 
if ($r = mysql_query ($query)){ // Run the query.
    if (mysql_num_rows($r) > 0)
    {
 
 // Retrieve and print every record
        while ($row = mysql_fetch_array ($r)){
  print '<tr><td><center>'.$row['id'].'</center></td><td><center>'.$row['type'].'</center></td><td><center>'.$row['showname'].'</center></td><td><center>'.$row['showimage'].'</center></td><td><a href="addshowname.php?action=edit&id='.$row['id'].'"><center>Edit</center></a></td><td><a href="addshowname.php?action=delete&id='.$row['id'].'"><center>Delete</center></a></td></tr>';
}
}
    else
    {
        print "No Shows\n";
    }
} else {
die ('<p>Could not retrieve the data because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
} //End of query IF
 
print '</table></center>';
}
 
if($_GET['action'] == 'edit') {
 $query = "SELECT * FROM shows WHERE id = '".$_GET['id']."'";
 $res = mysql_fetch_array(mysql_query($query));
 print('<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="form1">');
 print('<table border=1 cellpadding=5 cellspacing=0 width=350>');
 print('<tr><td>Name of show:</td><td><input type="text" name="name" value="'.$res['showname'].'"/></td></tr>');
 print('<tr><td>Show Type Type:</td><td><select name="type">');
 $types = array('Weekly Show','Pay Per View');
 foreach($types as $type) {
  if($type == $res['type']) {
   print('<option value="'.$type.'" selected="selected">'.$type.'</option>');
  }
  else {
   print('<option value="'.$type.'">'.$type.'</option>');
  }
 }
 print('</select></td></tr>');
 print('<tr><th colspan=2><input type="hidden" name="id" value="'.$_GET['id'].'" /><input type="submit" value="Edit Show" /></th></tr></table></form></center>');
} 
if(isset($_POST['name'])) {
$query = "UPDATE shows SET showname = '".mysql_real_escape_string($_POST['name'])."', location = '".mysql_real_escape_string($_POST['loc'])."', date = '".mysql_real_escape_string($_POST['date'])."' WHERE id = '".$_POST['id']."'";
 if(mysql_query($query)) {
  echo "Show updated.";
 }
 else {
  die('<p>The show could not update because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
 }
}
 
if($_GET['action'] == 'delete') {
 $query = "DELETE FROM shows WHERE id = '".$_GET['id']."'";
if(mysql_query($query)) {
 
echo "Deletion successful.";
}
else {
die ('<p>Could not delete post because ' . mysql_error() . '. The query was '."$query.".'</p>');
}
}
 
?>
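
An added example, not code from any poster in this thread: one way to apply The_Anomaly's advice (check the file's bytes with an image function instead of the client-sent MIME type or extension) and to skip the database insert when the upload is rejected, the problem described in the last post. The helper name store_jpeg_upload() is hypothetical, and the code assumes PHP 7.1 or later with the GD extension.

```php
<?php
// Added example: store_jpeg_upload() is a hypothetical helper, not code from the thread.
// Returns the stored path on success, or null when the upload is rejected.
function store_jpeg_upload(array $file, string $destDir, int $maxBytes = 100000): ?string
{
    // Reject uploads that PHP itself reported as failed or missing.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // The form's MAX_FILE_SIZE field is client-controlled, so check the size here too.
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > $maxBytes) {
        return null;
    }

    // Inspect the bytes on disk, not $file['type'] or $file['name'],
    // which are both supplied by the client.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }

    // Decode with GD and re-encode, so only pixel data that GD could
    // actually parse as a JPEG is written to the images directory.
    $img = @imagecreatefromjpeg($tmp);
    if ($img === false) {
        return null;
    }

    // Server-chosen file name and extension; the client's name is never used.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    return imagejpeg($img, $target, 90) ? $target : null;
}

// Form handler: the database is only touched once the image is stored.
if (isset($_POST['submit'], $_FILES['uploadedfile'])) {
    $stored = store_jpeg_upload($_FILES['uploadedfile'], '../defiant/images');
    if ($stored === null) {
        echo "The file you chose to upload wasn't a valid jpg file, please try again!";
    } else {
        // Run the INSERT into shows here, saving $stored as showimage.
        echo 'The file has been uploaded as ' . htmlspecialchars(basename($stored));
    }
}
```

Because the table query in addshowname.php runs after the form handler in the same request, a row inserted in the success branch appears in the table on that page load.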