PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
What I'm wanting to do with this code is make it to where the only type of files that can ONLY be uploaded are files that have the extention .jpg. I would also like to make it to where upon submission of the form the page reloads and automattically adds it to the table below.
<?php
/* addshowname.php */
/* This form after submission takes the results of the form and inserts the values into the database as a new show name is created. */
require ('database.php');
// Where the file is going to be placed
$target_path = "../defiant/images/";
/* Add the original filename to our target path.
Result is "images/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".basename( $_FILES['uploadedfile']['name'])." has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
// checks if the username is in use
if (!get_magic_quotes_gpc()) {
$_POST['showname'] = addslashes($_POST['showname']);
}
$showname = $_POST['showname'];
$check = mysql_query("SELECT showname FROM shows WHERE showname = '$showname'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the show name '.$_POST['showname'].' is already in use.');
}
// now we insert it into the database
$insert = "INSERT INTO shows (showname, type, showimage, showlabel) VALUES ('".$_POST['showname']."','".$_POST['type']."','$target_path','1')";
$add_show = mysql_query($insert) or die(mysql_error());
}
echo '<form enctype="multipart/form-data" action="addshowname.php" method="post">';
echo '<input name="MAX_FILE_SIZE" type="hidden" value="100000">';
echo '<fieldset>';
echo '<legend>Enter the following information to add a show name:</legend>';
echo '<p>Enter Show Name:<input name="showname" type="text"></p>';
echo '<p>Show Type:<select name="type"><option></option><option>Weekly Show</option><option>Pay Per View</option></select></p>';
echo '<p>Upload Show Image:<input name="uploadedfile" type="file"></p>';
echo '<div align="center"><input name="submit" type="submit"><input name="sumbitted" type="hidden" value="TRUE"></div>';
echo '</fieldset>';
echo '</form>';
print '<center><h2><span style="color: #CC0000">Edit/Delete A Show</span></h2></center>';
print '<center><table width="50%" border="1">';
if(!isset($_GET['action']) && !isset($_POST['name'])) {
//Define the query
$query = "SELECT * FROM shows";
if ($r = mysql_query ($query)){ // Run the query.
if (mysql_num_rows($r) > 0)
{
// Retrieve and print every record
while ($row = mysql_fetch_array ($r)){
print '<tr><td>'.$row['showname'].'</td><td><a href="addshowname.php?action=edit&id='.$row['id'].'">Edit</a></td><td><a href="addshowname.php?action=delete&id='.$row['id'].'">Delete</a></td></tr>';
}
}
else
{
print "No Shows\n";
}
} else {
die ('<p>Could not retrieve the data because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
} //End of query IF
print '</table></center>';
}
if($_GET['action'] == 'edit') {
$query = "SELECT * FROM shows WHERE id = '".$_GET['id']."'";
$res = mysql_fetch_array(mysql_query($query));
print('<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="form1">');
print('<table border=1 cellpadding=5 cellspacing=0 width=350>');
print('<tr><td>Name of show:</td><td><input type="text" name="name" value="'.$res['showname'].'"/></td></tr>');
print('<tr><td>Show Type Type:</td><td><select name="type">');
$types = array('Weekly Show','Pay Per View');
foreach($types as $type) {
if($type == $res['type']) {
print('<option value="'.$type.'" selected="selected">'.$type.'</option>');
}
else {
print('<option value="'.$type.'">'.$type.'</option>');
}
}
print('</select></td></tr>');
print('<tr><th colspan=2><input type="hidden" name="id" value="'.$_GET['id'].'" /><input type="submit" value="Edit Show" /></th></tr></table></form></center>');
}
if(isset($_POST['name'])) {
$query = "UPDATE shows SET showname = '".mysql_real_escape_string($_POST['name'])."', location = '".mysql_real_escape_string($_POST['loc'])."', date = '".mysql_real_escape_string($_POST['date'])."' WHERE id = '".$_POST['id']."'"; if(mysql_query($query)) {
echo "Show updated.";
}
else {
die('<p>The show could not update because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
}
}
if($_GET['action'] == 'delete') {
$query = "DELETE FROM shows WHERE id = '".$_GET['id']."'";
if(mysql_query($query)) {
echo "Deletion successful.";
}
else {
die ('<p>Could not delete post because ' . mysql_error() . '. The query was '."$query.".'</p>');
}
}
?>
I assume you're asking how to validate that the user is uploading a JPEG file. If so, the easiest way by far is to just use the MIME types, with $_FILE['fieldName']['type']. However, as I learned on these forums, this MIME type can be easily changed--so your user could easily upload a .exe just as well. Same thing with using explode() to check the extension.
The best thing to do is to use an image function, perhaps something from GD, to check to see if it recognizes it as a jpg.
Here is my updated code I changed a few things around. I found this bit of code and don't know how add it to my script but I still want it to refresh the bottom table with the added show info upon submission:
<?php
/* addshowname.php */
/* This form after submission takes the results of the form and inserts the values into the database as a new show name is created. */
require ('database.php');
require ('style.css');
// Where the file is going to be placed
$target_path = "../defiant/images/";
/* Add the original filename to our target path.
Result is "images/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".basename( $_FILES['uploadedfile']['name'])." has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
// checks if the username is in use
if (!get_magic_quotes_gpc()) {
$_POST['showname'] = addslashes($_POST['showname']);
}
$showname = $_POST['showname'];
$check = mysql_query("SELECT showname FROM shows WHERE showname = '$showname'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the show name '.$_POST['showname'].' is already in use.');
}
// now we insert it into the database
$insert = "INSERT INTO shows (showname, type, showimage, showlabel) VALUES ('".$_POST['showname']."','".$_POST['type']."','$target_path','1')";
$add_show = mysql_query($insert) or die(mysql_error());
}
echo '<form enctype="multipart/form-data" action="addshowname.php" method="post">';
echo '<input name="MAX_FILE_SIZE" type="hidden" value="100000">';
echo '<fieldset>';
echo '<legend>Enter the following information to add a show name:</legend>';
echo '<p>Enter Show Name:<input name="showname" type="text"></p>';
echo '<p>Show Type:<select name="type"><option></option><option>Weekly Show</option><option>Pay Per View</option></select></p>';
echo '<p>Upload Show Image:<input name="uploadedfile" type="file"></p>';
echo '<div align="center"><input name="submit" type="submit" value="Submit"><input name="sumbitted" type="hidden" value="TRUE"></div>';
echo '</fieldset>';
echo '</form>';
print '<center><table width="50%">';
print '<tr><td><center><u>ID</u></center></td><td><center><u>Show Type</u></center></td><td><center><u>Show Name</u></center></td><td><center><u>Show Image</u></center></td><td><center><u>Edit</u></center></td><td><center><u>Delete</u></center></td></tr>';
if(!isset($_GET['action']) && !isset($_POST['name'])) {
//Define the query
$query = "SELECT * FROM shows";
if ($r = mysql_query ($query)){ // Run the query.
if (mysql_num_rows($r) > 0)
{
// Retrieve and print every record
while ($row = mysql_fetch_array ($r)){
print '<tr><td><center>'.$row['id'].'</center></td><td><center>'.$row['type'].'</center></td><td><center>'.$row['showname'].'</center></td><td><center>'.$row['showimage'].'</center></td><td><center><a href="addshowname.php?action=edit&id='.$row['id'].'">Edit</a></center></td><td><center><a href="addshowname.php?action=delete&id='.$row['id'].'">Delete</a></center></td></tr>';
}
}
else
{
print "No Shows\n";
}
} else {
die ('<p>Could not retrieve the data because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
} //End of query IF
print '</table></center>';
}
if($_GET['action'] == 'edit') {
$query = "SELECT * FROM shows WHERE id = '".$_GET['id']."'";
$res = mysql_fetch_array(mysql_query($query));
print('<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="form1">');
print('<table border=1 cellpadding=5 cellspacing=0 width=350>');
print('<tr><td>Name of show:</td><td><input type="text" name="name" value="'.$res['showname'].'"/></td></tr>');
print('<tr><td>Show Type Type:</td><td><select name="type">');
$types = array('Weekly Show','Pay Per View');
foreach($types as $type) {
if($type == $res['type']) {
print('<option value="'.$type.'" selected="selected">'.$type.'</option>');
}
else {
print('<option value="'.$type.'">'.$type.'</option>');
}
}
print('</select></td></tr>');
print('<tr><th colspan=2><input type="hidden" name="id" value="'.$_GET['id'].'" /><input type="submit" value="Edit Show" /></th></tr></table></form></center>');
}
if(isset($_POST['name'])) {
$query = "UPDATE shows SET showname = '".mysql_real_escape_string($_POST['name'])."', location = '".mysql_real_escape_string($_POST['loc'])."', date = '".mysql_real_escape_string($_POST['date'])."' WHERE id = '".$_POST['id']."'"; if(mysql_query($query)) {
echo "Show updated.";
}
else {
die('<p>The show could not update because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
}
}
if($_GET['action'] == 'delete') {
$query = "DELETE FROM shows WHERE id = '".$_GET['id']."'";
if(mysql_query($query)) {
echo "Deletion successful.";
}
else {
die ('<p>Could not delete post because ' . mysql_error() . '. The query was '."$query.".'</p>');
}
}
?>
If you're validating for security purposes, the "code you found," is easily circumventable. Anything that comes from the user (like the MIME types that you have in that array), are easily manipulated. They'll stop the average person from accidentally uploading a PNG for example, but any half-way decent cracker could get through it easily.
When I submit the form it isn't putting the file into the directory also it still adds a record in the database regardless if the submitted file wasn't a jpg file.
<?php
/* addshowname.php */
/* This form after submission takes the results of the form and inserts the values into the database as a new show name is created. */
require ('database.php');
require ('style.css');
// Where the file is going to be placed
$target_path = "../defiant/images/";
/* Add the original filename to our target path.
Result is "images/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
$extension = explode(".", $image);
$extension = $extension[count($extension)-1];
if(strtolower($extension) == "jpg"){
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".basename( $_FILES['uploadedfile']['name'])." has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
}else {
echo "The file you chose to upload wasn't a valid jpg file, please try again!";
}
// checks if the show name is in use
if (!get_magic_quotes_gpc()) {
$_POST['showname'] = addslashes($_POST['showname']);
}
$showname = $_POST['showname'];
$check = mysql_query("SELECT showname FROM shows WHERE showname = '$showname'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the show name '.$_POST['showname'].' is already in use.');
}
// now we insert it into the database
$insert = "INSERT INTO shows (showname, type, showimage, showlabel) VALUES ('".$_POST['showname']."','".$_POST['type']."','$target_path','1')";
$add_show = mysql_query($insert) or die(mysql_error());
}
echo '<form enctype="multipart/form-data" action="addshowname.php" method="post">';
echo '<input name="MAX_FILE_SIZE" type="hidden" value="100000">';
echo '<fieldset>';
echo '<legend>Enter the following information to add a show name:</legend>';
echo '<p>Enter Show Name:<input name="showname" type="text"></p>';
echo '<p>Show Type:<select name="type"><option></option><option>Weekly Show</option><option>Pay Per View</option></select></p>';
echo '<p>Upload Show Image:<input name="uploadedfile" type="file"></p>';
echo '<div align="center"><input name="submit" type="submit"><input name="sumbitted" type="hidden" value="TRUE"></div>';
echo '</fieldset>';
echo '</form>';
print '<center><table width="60%">';
print '<tr><td><u><center>ID</center></u></td><td><u><center>Type</center></u></td><td><u><center>Show Name</center></u></td><td><u><center>Show Image</center></u></td><td><u><center>Edit</center></u></td><td><u><center>Delete</center></u></td></tr>';
if(!isset($_GET['action']) && !isset($_POST['name'])) {
//Define the query
$query = "SELECT * FROM shows";
if ($r = mysql_query ($query)){ // Run the query.
if (mysql_num_rows($r) > 0)
{
// Retrieve and print every record
while ($row = mysql_fetch_array ($r)){
print '<tr><td><center>'.$row['id'].'</center></td><td><center>'.$row['type'].'</center></td><td><center>'.$row['showname'].'</center></td><td><center>'.$row['showimage'].'</center></td><td><a href="addshowname.php?action=edit&id='.$row['id'].'"<center>Edit</center></a></td><td><a href="addshowname.php?action=delete&id='.$row['id'].'"><center>Delete</center></a></td></tr>';
}
}
else
{
print "No Shows\n";
}
} else {
die ('<p>Could not retrieve the data because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
} //End of query IF
print '</table></center>';
}
if($_GET['action'] == 'edit') {
$query = "SELECT * FROM shows WHERE id = '".$_GET['id']."'";
$res = mysql_fetch_array(mysql_query($query));
print('<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="form1">');
print('<table border=1 cellpadding=5 cellspacing=0 width=350>');
print('<tr><td>Name of show:</td><td><input type="text" name="name" value="'.$res['showname'].'"/></td></tr>');
print('<tr><td>Show Type Type:</td><td><select name="type">');
$types = array('Weekly Show','Pay Per View');
foreach($types as $type) {
if($type == $res['type']) {
print('<option value="'.$type.'" selected="selected">'.$type.'</option>');
}
else {
print('<option value="'.$type.'">'.$type.'</option>');
}
}
print('</select></td></tr>');
print('<tr><th colspan=2><input type="hidden" name="id" value="'.$_GET['id'].'" /><input type="submit" value="Edit Show" /></th></tr></table></form></center>');
}
if(isset($_POST['name'])) {
$query = "UPDATE shows SET showname = '".mysql_real_escape_string($_POST['name'])."', location = '".mysql_real_escape_string($_POST['loc'])."', date = '".mysql_real_escape_string($_POST['date'])."' WHERE id = '".$_POST['id']."'"; if(mysql_query($query)) {
echo "Show updated.";
}
else {
die('<p>The show could not update because <b>' . mysql_error() . '</b>. The query was '."$query.".'</p>');
}
}
if($_GET['action'] == 'delete') {
$query = "DELETE FROM shows WHERE id = '".$_GET['id']."'";
if(mysql_query($query)) {
echo "Deletion successful.";
}
else {
die ('<p>Could not delete post because ' . mysql_error() . '. The query was '."$query.".'</p>');
}
}
?>