I have this script for uploading an image and content from a form. It works in one project but not the other. I have spent a good few hours trying to debug it, and I am hoping someone could point out the issue I might be having. Where there are comments is where I have tried to debug. The first error I got was the "echo invalid file" at the beginning of the last comment. With these specific areas commented out, the upload name and type that I am supposed to be grabbing from the form are not being echoed. I am thinking this is where the error is occurring, but can't quite seem to find it. Thanks.

    <?php
    include("../includes/connect.php");
    /*
    if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 2000000))
      {
        */
      if ($_FILES["file"]["error"] > 0)
        {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
        }
      else
        {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

            /* GRAB FORM DATA */
        $title = $_POST['title'];
        $date = $_POST['date'];
        $content = $_POST['content'];
        $imageName1 = $_FILES["file"]["name"];

        echo $title;
        echo "<br/>";
        echo $date;
        echo "<br/>";
        echo $content;
        echo "<br/>";
        echo $imageName1;

        $sql = "INSERT INTO blog (title,date,content,image)VALUES(
        \"$title\",
        \"$date\",
        \"$content\",
        \"$imageName1\"
        )";

        $results = mysql_query($sql)or die(mysql_error());

        echo "<br/>";

        if (file_exists("../images/blog/" . $_FILES["file"]["name"]))
          {
          echo $_FILES["file"]["name"] . " already exists. ";
          }
        else
          {
          move_uploaded_file($_FILES["file"]["tmp_name"],
          "../images/blog/" . $_FILES["file"]["name"]);
          echo "Stored in: " . "../images/blog/" . $_FILES["file"]["name"];
          }
        }

      /*
      }
    else
      {
      echo "Invalid file" . "<br/>";
      echo "Type: " . $_FILES["file"]["type"] . "<br />";
      }
      */

      //lets create a thumbnail of this uploaded image.
      /*
        $fileName = $_FILES["file"]["name"];
        createThumb($fileName,310,"../images/blog/thumbs/");
        function createThumb($thisFileName, $thisThumbWidth, $thisThumbDest){
        $thisOriginalFilePath = "../images/blog/". $thisFileName;
        list($width, $height) = getimagesize($thisOriginalFilePath);
        $imgRatio =$width/$height;
        $thisThumbHeight = $thisThumbWidth/$imgRatio;
        $thumb = imagecreatetruecolor($thisThumbWidth,$thisThumbHeight);
        $source = imagecreatefromjpeg($thisOriginalFilePath);
        imagecopyresampled($thumb, $source, 0, 0, 0, 0, $thisThumbWidth,$thisThumbHeight, $width, $height);
        $newFileName = $thisThumbDest.$thisFileName;
        imagejpeg($thumb,$newFileName, 80);
        echo "<p><img src=\"$newFileName\" /></p>";

        //header("location: http://www.google.ca");

        }

        */

    ?>

A: 

$_FILES["file"]["error"] is not just a flag.
It has error codes.
Explained in the manual

Col. Shrapnel
Who the hell downvotes this? This is entirely correct.
Pekka
+2  A: 

Perhaps you forgot to add enctype="multipart/form-data" method="post" to your HTML form, or have no <input type="file" name="file" id="file" value=""/> in your HTML.

RC
Good guess. Especially for the file field
Col. Shrapnel
I figured out what was wrong and posted my answer below, thanks for the help, it was in my html form.
Anders Kitson
A: 

Try to use any upload class, something like http://bit.ly/cvjVSM | http://bit.ly/cTXQ75 | http://bit.ly/auxGqy | http://bit.ly/aEopoV

moustafa
A: 

The error was in the HTML form file. I had added a name="something" beside the method="post" and enctype="multi/form-data"; obviously this was not liked. Thanks RC for pointing me in the right direction. I am not quite sure why I did this.

Anders Kitson
A: 

Here are some problems with your script:

  1. The 'error' value in the $_FILES array is not just a boolean, it will tell you if an upload succeeded, or why it failed. The error codes are defined here.

  2. The 'type' value is supplied by the remote client. It's NOT determined by the web server or PHP. As such, doing mime-type verification based on that value is a major hole: it's trivial to forge the supplied type value. Best to use a server-side method, like fileinfo, to determine the actual mime type.

  3. You blindly insert the form data into your insertion query, which leaves you wide open to SQL injection attacks. At least pass the data through mysql_real_escape_string() before building your query, or better yet, use PDO and parameterized queries.

  4. You're storing the files with the original client-provided name. You at least check if the filename's already in use, preventing upload collisions/overwriting, but there's also the case where the client's operating system/file system allows characters in filenames that the server's OS/FS do not, which could lead to subtle file "vanished" bugs, or overwriting entirely different files because the invalid characters were filtered out or translated to something else. Since you're using a database to store information about the upload, you can store the original filename in that table, and use the table's primary key (an auto_increment int, right?) as the filename.

  5. Not really a problem, but in terms of efficiency, there's no need to use getimagesize() in your thumb creation function. GD has imagesx() and imagesy() which get the pixel size from a GD image handle. getimagesize() is independent of GD, so you're opening and parsing the source image twice. Again, it's not really a problem, but on a busy site, opening the image only once could be a decent cpu time and memory usage savings.

Marc B
This script I got from a PHP instructor. I have now passed the data through mysql_real_escape_string(), but as far as the rest of what you suggest, it is still above my understanding. I think I am going to stick to a WordPress or a Drupal-like solution after this.
Anders Kitson
I am actually interested in figuring this stuff out, however, but even with your first suggestion I am not sure what you are suggesting I change in my code.
Anders Kitson
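
The points raised in the answers above (upload error codes, server-side type detection with fileinfo, a parameterized query, and naming the stored file after the row's primary key), put together as an added example that is not part of the original thread. The function name `store_blog_upload`, the PDO handle and the transactional table engine are assumptions; the `blog` columns and the 2,000,000-byte limit come from the question's script.

```php
<?php
// Added example, not the asker's code. Assumptions: $pdo is a PDO handle using
// PDO::ERRMODE_EXCEPTION, `blog` has an auto_increment key on a transactional engine.
const UPLOAD_ERRORS = [
    UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize',
    UPLOAD_ERR_FORM_SIZE  => 'file exceeds the form MAX_FILE_SIZE',
    UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
    UPLOAD_ERR_NO_FILE    => 'no file was uploaded',
    UPLOAD_ERR_NO_TMP_DIR => 'missing temporary folder',
    UPLOAD_ERR_CANT_WRITE => 'failed to write file to disk',
    UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
];
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg'];

function store_blog_upload(PDO $pdo, ?array $file, array $post, string $destDir): string
{
    // A missing $_FILES entry usually means the form lacks enctype="multipart/form-data".
    if ($file === null) {
        throw new RuntimeException('no "file" field in the request');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException(UPLOAD_ERRORS[$file['error']] ?? 'unknown upload error');
    }
    if ($file['size'] >= 2000000) {
        throw new RuntimeException('file too large');
    }
    // Detect the type from the file's bytes; $file['type'] is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // Bound parameters keep form data out of the SQL text; the client's name is stored as data only.
    $pdo->beginTransaction();
    $stmt = $pdo->prepare('INSERT INTO blog (title, date, content, image) VALUES (?, ?, ?, ?)');
    $stmt->execute([$post['title'] ?? '', $post['date'] ?? '', $post['content'] ?? '', $file['name']]);
    // The on-disk name is built from the new row id and the detected type, never from client input.
    $target = rtrim($destDir, '/') . '/' . (int) $pdo->lastInsertId() . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        $pdo->rollBack();
        throw new RuntimeException('could not move uploaded file');
    }
    $pdo->commit();
    return $target;
}

// Usage in the form handler:
// echo store_blog_upload($pdo, $_FILES['file'] ?? null, $_POST, '../images/blog');
```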