
I'm working on a small, user-maintained online store, and am trying to allow my end user (the store administrator) to upload graphics for products. When I run this script, however, it doesn't actually store the image. I built this script from various tips here and a tutorial, and have gotten everything but the image upload portion to work.

// Set the image target directory here
$target = "itemImages/";
$target = $target . basename($_FILES["image"]["name"]);

// Variables get POSTed here - just tack new ones on at the end.
// Various POSTs omitted for brevity

// Client-supplied original filename, later stored in the database
$pic = $_FILES["image"]["name"];

// Places the picture in the folder
if (move_uploaded_file($_FILES["image"]['tmp_name'], "itemImages/"))
{
    echo "The file " . basename($_FILES['image']["name"]) . " has been uploaded.<br />";
} else {
    echo "There was an issue adding this item. Please try again.<br />";
}

// Writes variables to the database
mysql_query("INSERT INTO tbl_item (itemNAME,itemDESC,itemCOST,itemHCOL,itemHSIZ,itemIMG)
VALUES ('$itemName','$itemDesc','$itemCost','$hasColor','$hasSize','$pic')");

mysql_close($con);
?>

Any help, tips, advice, insight, etc. would be very much appreciated.

  • is the mysql update and success message OK? Commented Aug 10, 2012 at 14:35
  • do you have the right enctype on your form tag? Commented Aug 10, 2012 at 14:35
  • can you show us the <form> tag? Commented Aug 10, 2012 at 14:37

3 Answers

move_uploaded_file requires a filename as its target. It does not blindly move to a directory, so

move_uploaded_file($_FILES..., 'somedir/somefile.txt');

works, but

move_uploaded_file($_FILES..., 'somedir/');

will not.

Plus, note that your database operation is vulnerable to SQL injection attacks. You're blindly inserting the uploaded file's remote name (['name'] via $pic), and that name is fully under the remote user's control.


3 Comments

Thanks, with your help, I've gotten this working. I also appreciate your input on the SQL injection, and will be doing some research to rectify it. I wasn't too worried, since the whole thing is internal for company employees, but it's always good to use best practice.
Even if it's internal use and not likely to be attacked, someone at some point WILL upload a file that has a ' or other SQL metacharacter in it and mess things up.
Improper escaping is a bug, and often a bug that can get you fired if there's a security breach.

Make sure the itemImages folder has write permission by the user your web server (e.g. Apache) is running as (e.g. www-data)



make sure the .php file and the folder you are writing to have the same "owner". Or try setting permissions on the itemImages folder to 777 (This is not recommended, just a debug tactic)
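Pulling the three answers together, here is an added example (not code from the question or any of the answers) of what the upload-and-insert step looks like once the destination is a real file path, the filename is no longer taken from the client, the directory is checked for writability instead of being chmod 777'd, and the INSERT is a prepared statement. It assumes a form field named "image", an itemImages/ directory next to the script, the same tbl_item columns as the question, and a PDO connection in $pdo created elsewhere with exceptions enabled; the 2 MiB size limit and the hypothetical helper names storeProductImage and insertItem are my choices, not the asker's.

```php
<?php
// Added example, not part of the original question or answers.
// Assumptions: form field "image", directory itemImages/ beside this script,
// $pdo is a PDO connection with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
declare(strict_types=1);

const TARGET_DIR = __DIR__ . '/itemImages';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB, an assumed limit

// Detected MIME type => extension we will store the file under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it into TARGET_DIR under a
 * server-chosen random name. Returns that name; throws on any rejection.
 */
function storeProductImage(array $file): string
{
    // Second and third answers: report a non-writable directory clearly
    // rather than opening it up to everyone with 777.
    if (!is_dir(TARGET_DIR) || !is_writable(TARGET_DIR)) {
        throw new RuntimeException('itemImages is not writable by the web server user');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Trust the bytes, not the client-supplied name or Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }

    // First answer: the destination must be a file path, not a directory.
    // A random name also removes path traversal and "quote in filename" issues.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = TARGET_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

/**
 * Insert the item row with bound parameters so no POST value is ever
 * interpolated into the SQL string (the injection the first answer warns about).
 */
function insertItem(PDO $pdo, array $post, string $imageName): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO tbl_item (itemNAME, itemDESC, itemCOST, itemHCOL, itemHSIZ, itemIMG)
         VALUES (:name, :desc, :cost, :hcol, :hsiz, :img)'
    );
    $stmt->execute([
        ':name' => $post['itemName'] ?? '',
        ':desc' => $post['itemDesc'] ?? '',
        ':cost' => $post['itemCost'] ?? '0',
        ':hcol' => $post['hasColor'] ?? '0',
        ':hsiz' => $post['hasSize'] ?? '0',
        ':img'  => $imageName,
    ]);
    return (int) $pdo->lastInsertId();
}

// Request handling. Details of a rejection go to the server log, not the browser.
try {
    $stored = storeProductImage($_FILES['image'] ?? []);
    $id     = insertItem($pdo, $_POST, $stored);
    echo 'Item ' . $id . ' added with image ' . htmlspecialchars($stored) . '<br />';
} catch (RuntimeException $e) {
    error_log('item upload rejected: ' . $e->getMessage());
    echo 'There was an issue adding this item. Please try again.<br />';
}
```

The original filename never reaches the filesystem or the database: the stored name is generated by the server, so a name such as `../x.php` or `it's.jpg` has nothing to break. The directory should be owned by (or writable by) the account the web server runs as, with 755 on the directory and 644 on the files; if the is_writable check fails, fix ownership rather than permissions.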
