
Moving Forward



Ok well I have finished my entire script so far, and this is what it does. It takes the form information on http://www.funnyemailforwards.com and does the following (the form with the attachment). I did full custom error handling and think I covered everything.

It checks for blank spaces in form, it checks to see if the file was uploaded, it checks the extensions. It checks to see if the file already is in the directory, if not then it moves it there. After that it connects to the database, checks for the existence of the data and if it's not there it enters the name of the funny, the type, the keywords, I have it set to get the url, and the date. All 100% functional, fast, and working.

Now I have some questions and advice, first here is what I have now, as a finished script (what I have so far anyway).

```php
<?php
$management = true;
$errorhandler = "";
$filemanager = true;
$dateinfo = strtotime("now");
$dateformatted = date("n-d-y", $dateinfo);

// Required text fields: a blank field is an error and stops processing
if (($_POST['name'] ?? "") == "") {
    $errorhandler .= "The Name field has been left blank<br />";
    $management = false;
}
if (($_POST['keywords'] ?? "") == "") {
    $errorhandler .= "The Keywords were left blank<br />";
    $management = false;
}

// A file must have arrived through an HTTP POST upload
if (!isset($_FILES['file']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    $errorhandler .= "No file has been uploaded<br />";
    $filemanager = false;
}

// Extension allow-list, compared case-insensitively
if ($filemanager === true) {
    $_accepted_extensions = array('.mpeg', '.mpg', '.wav', '.avi', '.mid', '.jpg', '.jpeg', '.jfif', '.pdf', '.txt', '.gif', '.mp2', '.mp3', '.bmp');
    $tmp = pathinfo($_FILES['file']['name']);
    $extension = '.' . strtolower($tmp['extension'] ?? '');
    if (!in_array($extension, $_accepted_extensions, true)) {
        $filemanager = false;
        $management = false;
        $errorhandler .= "You have attempted to upload the wrong file type<br />";
        $errorhandler .= "We only accept mpeg, mpg, wav, avi, mid, jpg<br />";
        $errorhandler .= "jpeg, jfif, pdf, txt, wav, gif, qt, mp2, mp3 bmp formats<br />";
        $errorhandler .= "To request new file types email<br />";
        $errorhandler .= "information@theyellowpagesnetwork.com";
    }
}

// Relative URL with desired folder name and the name of the file on the user's machine
if ($management === true && $filemanager === true) {
    $newfile = "uploads/" . basename($_FILES['file']['name']);
    $newfiletemp = $_FILES['file']['tmp_name'];
    if (file_exists($newfile)) {
        $errorhandler .= "The file already exists";
        $filemanager = false;
    }
    if ($filemanager === true) {
        if (!move_uploaded_file($newfiletemp, $newfile)) {
            $errorhandler .= "The file was not moved properly";
            $filemanager = false;
            $management = false;
        }
    }
}

// Connect and select the database; either step failing is an error
if ($filemanager === true && $management === true) {
    mysqli_report(MYSQLI_REPORT_OFF); // return false on failure instead of throwing
    $connect = mysqli_connect("#####", "#####", "#####");
    $select = $connect ? mysqli_select_db($connect, "funnyemailforwards") : false;
    if (!$connect || !$select) {
        $errorhandler .= "The database could not connect, or selected";
        $management = false;
        $filemanager = false;
    }
}

if ($filemanager === true && $management === true) {
    // Escape every value that goes into the SQL text, including the type field
    $type = mysqli_real_escape_string($connect, implode("", (array) ($_POST['type'] ?? array())));
    $name = mysqli_real_escape_string($connect, $_POST['name']);
    $keywords = mysqli_real_escape_string($connect, $_POST['keywords']);
    $funnyurl = mysqli_real_escape_string($connect, $newfile);
    $entrydate = mysqli_real_escape_string($connect, (string) $dateinfo);

    // Look for an identical row before inserting
    $query = "SELECT * from fileinfo WHERE type = '" . $type . "' AND nameoffunny = '" . $name . "' AND keywords = '" . $keywords . "' AND funnyurl = '" . $funnyurl . "' AND entrydate = '" . $entrydate . "'";
    $result = mysqli_query($connect, $query);
    $matches = $result ? mysqli_num_rows($result) : 0;
    if ($matches == 0) {
        $inserter = "INSERT INTO fileinfo (type, nameoffunny, keywords, funnyurl, entrydate) VALUES ('" . $type . "', '" . $name . "', '" . $keywords . "', '" . $funnyurl . "', '" . $entrydate . "')";
        if (!mysqli_query($connect, $inserter)) {
            $management = false;
            $filemanager = false;
            $errorhandler .= "The information was not inserted into the database properly";
            echo mysqli_error($connect);
        }
    } else {
        $filemanager = false;
        $management = false;
        $errorhandler .= "The information was already in the database, could not complete";
    }
}

// Show the collected errors if any step failed
if ($management === false || $filemanager === false) {
    echo $errorhandler;
}
?>
```

Ok and here is my database information for this specifically. I have the table name and fields listed in the script.

Here are the questions I wanted to ask before I move on. I have learnt a lot from doing what I have so far, more than I would have ever imagined, but as I look forward into the rest of the project, I am at a standstill and need some enlightenment.

1. Is there anything else I can do to the file handling aspect of my script to make it more secure?
2. Is saving the url like that going to work right later when I do other things with the files?
3. How do I go about using my stored information to send an email to my client with each entry so he can accept/decline? I don't understand how to make the email be related to each specific entry. I can send an email but not make the email and current entry attached, how do I do this?
4. I need to decide what to do with the files, should I embed them in the pages, or make them links?
5. Also on top of that I have no idea how to do either, any advice might give me something to think about when I start all of this on Monday?
6. What do I do when I get ready to call this data on the homepage with the three most recent entries? I won't do this until the other part is done, but how do I get the file url to be a url that someone can use, or either embed each file individually into a page as it is downloaded, or make it a link? I don't understand specifically how to make each file do it, every time someone uploads one.

ANY other advice, opinions, or theories relating to anything like this would help a lot and give me more to think about when it's time for me to do the hardest part on Monday.

Thanks for all of the help.


1. You might want to change the permissions on the file to only allow anonymous users to read and execute the file, not write it. The function is called chmod, and you probably want the mode to be 0755.
2. All you need to do is link to the file or delete it, so that's probably fine. I typically don't save the path in the database though, only the actual filename.
3. It's probably easier to give your client a link to a page online that shows all of the new entries instead of linking to each one in an email. That way he doesn't have to download attachments, he just goes to the page and sees everything new.
4. That's your choice. Since you can't embed everything, I would probably make them links, and I would create a download page to get the filename out of the database, send the headers that will force a download, and read the file and send it as binary data. That way you can keep track of how many times each file has been viewed, and by which IP or whatever you want to track.
5. Look into the HTTP headers called content-type, content-disposition, and content-size. content-type will probably be "application/octet-stream", content-disposition will be "attachment" and will include the file name, and content-size will be the result of the filesize function. Once you send the headers, you echo or print the result of file_get_contents to send the actual file.
6. The url will be a link to your download page with the file ID in the querystring. I'm not sure exactly what you're asking, but you get information from the database and use it however you want to make the links.

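The download page described in the answer above, sketched as an added example that is not code from either poster. It assumes the `fileinfo` table has an auto-increment `id` column (not shown in the thread), that the script sits next to the `uploads` directory, and it sends the size under the standard header name `Content-Length`.

```php
<?php
// download.php?id=123 -- added example; the `id` column is an assumption
const UPLOAD_DIR = __DIR__ . '/uploads';

// Map a stored path to a real file inside UPLOAD_DIR, or null if it is not one.
function resolve_upload(string $stored): ?string
{
    // basename() drops any directory part, so "../../x" can only ever mean "x"
    $real = realpath(UPLOAD_DIR . '/' . basename($stored));
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false || !is_file($real)) {
        return null;
    }
    // A symlink inside uploads/ must not lead outside of it
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// The file ID from the query string must be a positive integer
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad file ID');
}

// Credentials are placeholders, as in the original post
$db = new mysqli('#####', '#####', '#####', 'funnyemailforwards');
$stmt = $db->prepare('SELECT funnyurl FROM fileinfo WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($funnyurl);
$found = $stmt->fetch();
$stmt->close();

$path = $found ? resolve_upload($funnyurl) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

// Headers that force a download instead of rendering the file in the browser
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
readfile($path); // streams the file without loading it all into memory
```

Because every request passes through this script, a view counter or an IP log can be added just before `readfile()`, and the `uploads` directory itself no longer has to be directly reachable by URL.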
