uploading files to my host


elexion


Hello everyone, I'm working on an uploading script but for some reason it doesn't work properly. It's been a while since I've written PHP code so I was hoping someone could look into this with me. When I upload a file through the form it does create the directory, however it does not move the file there. Also something to mention is that the uploaded file gets the "productnaam" and "screenshot" value in its name; I believe this is the source of the failing to move properly.

<html>
<head><title>uploading please wait...</title></head>
<body>
<?php
include("connect.php");

//Secure the values to prevent sql injection
//$bericht = mysql_real_escape_string($_POST['bericht']);
//$vaksite = mysql_real_escape_string($_POST['vaksite']);

$query="INSERT INTO `producten`( `productID`,
                                 `productnaam`,
                                 `console`,
                                 `beschrijving`,
                                 `prijs`,
                                 `genre`,
                                 `levertijd`,
                                 `screenshot`)
                        VALUES ( NULL,
                                 '".$_POST["productnaam"]."',
                                 '".$_POST["console"]."',
                                 '".$_POST["beschrijving"]."',
                                 '".$_POST["prijs"]."',
                                 '".$_POST["genre"]."',
                                 '".$_POST["levertijd"]."',
                                 '".$_POST["screenshot"]."');";

mysql_query($query,$db) or die("er is een fout met het invoeren van de data error");

if ($_FILES["screenshot"]["error"] > 0)
{
    echo "Error: " . $_FILES["screenshot"]["error"] . "<br />";
}
else
{
    echo "Upload: " . $_FILES["screenshot"]["name"] . "<br />";
    echo "Type: " . $_FILES["screenshot"]["type"] . "<br />";
    echo "Size: " . ($_FILES["screenshot"]["size"]) . " Kb <br />";
}

$uploadfolder = "producten/";
$subject = $_POST["productnaam"];
$temp = $_FILES["screenshot"]["tmp_name"];
$name = $_FILES["screenshot"]["name"];

if (!file_exists("$uploadfolder$subject"))
    mkdir("$uploadfolder$subject");
move_uploaded_file($temp, "$uploadfolder$subject$name");
echo "Stored in: $uploadfolder$subject";

if(file_exists("producten/" . $_POST["productnaam"]))
{
    move_uploaded_file($_FILES["screenshot"]["tmp_name"],
        "producten/" . $_POST["productnaam"] . "/" . $_FILES["screenshot"]["name"]);
    echo "Stored in: " . "producten/" . $_POST["productnaam"];
}
else
{
    mkdir("producten/" .$_POST["productnaam"]);
    move_uploaded_file($_FILES["screenshot"]["tmp_name"],
        "producten/" . $_POST["productnaam"] . "/" . $_FILES["screenshot"]["name"]);
    echo "Stored in: " . "producten/" . $_POST["productnaam"];
}

//this code checks if the directory exists and if so moves the file into it
if(file_exists("producten/" . $_POST["productnaam"]))
{
    move_uploaded_file($_FILES["screenshot"]["tmp_name"],
        "producten/" . $_POST["productnaam"] . $_FILES["screenshot"]["name"]);
    echo "Stored in: " . "producten/" . $_POST["productnaam"];
}
elseif ($_FILES["screenshot"]["tmp_name"] != "")
{
    mkdir("producten/" .$_POST["productnaam"]);
    move_uploaded_file($_FILES["screenshot"]["tmp_name"],
        "producten/" . $_POST["productnaam"] . $_FILES["screenshot"]["name"]);
    echo "Stored in: " . "producten/" . $_POST["productnaam"];
}
?>
<meta http-equiv="Refresh" content="10;url= index.php" />
</body>
</html>

I probably made a silly mistake but I hope someone could point me in the right direction. Thanks in advance.


I'm sort of confused by this code. For example:

if (!file_exists("$uploadfolder$subject"))
    mkdir("$uploadfolder$subject");
move_uploaded_file($temp, "$uploadfolder$subject$name");
echo "Stored in: $uploadfolder$subject";

At this point, the move directory is "producten/subjectfilename". Is that supposed to be like that or was it supposed to be "producten/subject/filename"?


Yes you're right, I fixed this by changing it to; thanks a lot for the sharp eye :)
move_uploaded_file($temp, "$uploadfolder/$subject/$name");

And yes the file is moved to the created directory all perfectly and well. However oddly enough I don't see the file in my database. Any thoughts about that one?


There are a couple problems I see immediately. One is that you're not escaping any database inputs, so if any of those values has a single quote the query will fail. Another is that you're not validating the path, so if there are any invalid characters in the folder or file names it's not going to move the file. I don't see any reason why it would copy the file without adding a record to the database, the insert query runs before anything else. If it copies the file or shows an error with the file it will already have added the database record.
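
The two problems named in the reply above (unescaped database input and an unvalidated upload path), as an added example that is not part of the original thread. Table and field names follow the posted script; the helper names, the image-extension allowlist, the PDO connection (in-memory SQLite here so it runs offline) and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not the poster's code. Helper names, the extension allowlist
// and the SQLite demo database are assumptions.

// Reduce user input to a single safe path component, or null if nothing is left.
function safe_component(string $value): ?string
{
    $value = basename(str_replace('\\', '/', $value));         // drop directories
    $value = preg_replace('/[^A-Za-z0-9._-]+/', '_', $value);  // replace odd characters
    $value = trim($value, '._');                               // no "..", no dotfiles
    return $value === '' ? null : substr($value, 0, 100);
}

// Build "producten/<product>/<file>" with explicit separators; screenshots only.
function upload_target(string $product, string $filename): ?string
{
    $dir  = safe_component($product);
    $file = safe_component($filename);
    if ($dir === null || $file === null) {
        return null;
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    return in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)
        ? "producten/$dir/$file" : null;
}

// Bound parameters: a quote in a value can no longer break the INSERT.
function insert_product(PDO $db, string $product, string $console, string $file): void
{
    $sql = 'INSERT INTO producten (productnaam, console, screenshot) VALUES (?, ?, ?)';
    $db->prepare($sql)->execute([$product, $console, $file]);
}

// Constructed input standing in for $_POST and $_FILES["screenshot"]["name"].
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE producten (productnaam TEXT, console TEXT, screenshot TEXT)');

$samples = [["Luigi's Mansion", 'cover.png'], ['../../etc', 'shell.php'], ['..', 'a.png']];
foreach ($samples as [$product, $name]) {
    $target = upload_target($product, $name);
    if ($target === null) {
        echo "rejected: $product / $name\n";
        continue;
    }
    // In the real handler: create dirname($target) if missing, then
    // move_uploaded_file($_FILES['screenshot']['tmp_name'], $target);
    insert_product($db, $product, 'GameCube', basename($target));
    echo "stored: $target\n";
}
```

The product name is stored unchanged in the database while only its sanitised form reaches the filesystem, and the file name written to the `screenshot` column comes from the upload metadata rather than from a form field.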

Yes, after careful investigation I've discovered the error in my query. I accidentally used a $_POST to insert the file into the database. To fix this I changed it to $_FILES and now the file is in fact in my database as I intended. Thanks everyone for the help.

Archived

This topic is now archived and is closed to further replies.
