File Upload Script Only Working Occasionally

09-24-2012, 06:30 PM
#1
j-leist

Hi,

Basically I have written a script to allow the user in the back end to upload pictures for the gallery. The script is supposed to upload the file to the server and then post the file name and info into the database.

It always uploads the file to the server without fail; however, for some reason it only posts it to the database occasionally. Sometimes it works fine, but 8 times out of 10 it uploads the file and that's it. The script is as follows.


PHP Code:
<?php

//This is the directory where images will be saved
$target = "images/";
$target = $target . basename($_FILES['photo']['name']);

//This gets all the other information from the form
$name = $_POST['name'];
$caption = $_POST['caption'];
$pic = ($_FILES['photo']['name']);
$live = $_POST['live'];

//Connecting to the database
require_once('../Connections/tim.php');

//Writes the information to the database
mysql_query("INSERT INTO `gallery` VALUES ('$name', '$caption', '$pic', '$live')");

//Writes the photo to the server
if (move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
    //Tells you if it's all ok
    echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded successfully, press back to upload more";
}
else {
    //Gives an error if it's not
    echo "Sorry, there was a problem uploading your file.";
}

?>
<a href="admin-gallery.php"> Back </a>

01-02-2013, 12:32 PM
#2
unikorndesigns

I don't know if this would help, but check out my upload script.

PHP Code:
<?php

function get_mime_type($file) {
    // our list of mime types
    $mime_types = array(
        "pdf"=>"application/pdf",
        "exe"=>"application/octet-stream",
        "zip"=>"application/zip",
        "docx"=>"application/msword",
        "doc"=>"application/msword",
        "xls"=>"application/vnd.ms-excel",
        "ppt"=>"application/vnd.ms-powerpoint",
        "gif"=>"image/gif",
        "png"=>"image/png",
        "jpeg"=>"image/jpg",
        "jpg"=>"image/jpg",
        "mp3"=>"audio/mpeg",
        "wav"=>"audio/x-wav",
        "mpeg"=>"video/mpeg",
        "mpg"=>"video/mpeg",
        "mpe"=>"video/mpeg",
        "mov"=>"video/quicktime",
        "avi"=>"video/x-msvideo",
        "3gp"=>"video/3gpp",
        "css"=>"text/css",
        "jsc"=>"application/javascript",
        "js"=>"application/javascript",
        "php"=>"text/html",
        "htm"=>"text/html",
        "html"=>"text/html"
    );
    // file extension (text after the last dot), lower-cased
    $extension = strtolower(end(explode('.',$file)));
    // return only the top-level type, e.g. "image" from "image/png"
    $type=explode("/",$mime_types[$extension]);
    return $type[0];
}

if($_SERVER['REQUEST_METHOD'] == "POST"){
    if(move_uploaded_file($_FILES['file']['tmp_name'], "../../uploads/".$_FILES['file']['name'])){
        // connect to the mysql server
        $link = mysql_connect("localhost", "root", "")
        or die ('Could not connect to mysql because '.mysql_error());

        // select the database
        mysql_select_db("mis_revamp")
        or die ('Could not select database because '.mysql_error());

        $media_type=get_mime_type("../../uploads/".$_FILES['file']['name']);

        $query1="SELECT * FROM media WHERE media_filename='".$_FILES['file']['name']."'";
        $result1=mysql_query($query1);
        $numrows1=mysql_num_rows($result1);

        mysql_query("INSERT INTO media VALUES ('','".$_FILES['file']['name']."','".filesize("../../uploads/".$_FILES['file']['name'])."','../uploads/','".$media_type."',CURDATE())");

        // read back the id of the row for this file name
        $query1="SELECT * FROM media WHERE media_filename='".$_FILES['file']['name']."'";
        $result1=mysql_query($query1);
        $numrows1=mysql_num_rows($result1);
        while($row=mysql_fetch_array($result1))
        {
            $id=$row['media_id'];
        }
    }

    $extnsn=strtolower(end(explode('.',$_FILES['file']['name'])));
    $filename=str_replace(".".$extnsn,"",$_FILES['file']['name']);
    echo '<div class="dfiles"><img src="../../uploads/'.$_FILES['file']['name'].'" style="float: left; padding-top: 3px;" height="30" width="30"/><h5><b>'.$filename.'</b> </h5>
<div class="progress" style="font-size: 11px"><a href="media/edit_media/'.$id.'">Edit Media</a></div></div>';
}
?>

01-02-2013, 06:06 PM
#3
Village Genius

You are inserting stuff into your database without escaping it, making it vulnerable to SQL injection. Things like the file name are passed along like any other input string would be so an attacker could easily exploit that.

Reply With Quote
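
The escaping point from post #3, applied to the gallery upload in post #1, as an added example that is not part of the thread or any poster's code: values are bound as parameters instead of being pasted into the SQL string, and the stored file name is generated on the server from the file's detected type. The column names, the PDO connection and the in-memory SQLite demo table are assumptions.

```php
<?php
// Added example (not from the thread). Column names and the SQLite demo are assumptions.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// The stored name comes from the file's content type, never from the client's file name.
function safe_stored_name(string $tmpPath): ?string {
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext = ALLOWED[$mime] ?? null;
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Bound parameters keep quotes in user input out of the SQL text.
function insert_gallery_row(PDO $db, string $name, string $caption, string $pic, int $live): bool {
    $stmt = $db->prepare(
        'INSERT INTO gallery (name, caption, pic, live) VALUES (:name, :caption, :pic, :live)'
    );
    return $stmt->execute([':name' => $name, ':caption' => $caption, ':pic' => $pic, ':live' => $live]);
}

// Move the file, then record it; remove the file again if the insert fails.
function handle_upload(PDO $db, array $file, array $post, string $dir): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'Upload failed.';
    }
    $stored = safe_stored_name($file['tmp_name']);
    if ($stored === null) {
        return 'Only JPEG, PNG and GIF images are accepted.';
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . $stored)) {
        return 'Could not store the file.';
    }
    try {
        insert_gallery_row($db, $post['name'] ?? '', $post['caption'] ?? '', $stored, (int) ($post['live'] ?? 0));
    } catch (PDOException $e) {
        unlink($dir . $stored);
        return 'Could not record the file.';
    }
    return 'Uploaded ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed demo: values containing apostrophes are stored intact.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gallery (name TEXT, caption TEXT, pic TEXT, live INTEGER)');
insert_gallery_row($db, "Tim's party", "It's O'Brien", 'constructed.jpg', 1);
echo $db->query('SELECT caption FROM gallery')->fetchColumn(), "\n";
```

In a page handler this would be called as `handle_upload($db, $_FILES['photo'], $_POST, 'images/')`, with `$db` opened in exception error mode as in the demo.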