
I have been assigned the task of fixing an older php site since it has been moved to a newer server. The server it is on now doesn't allow globalized variables and that's pretty much all this site was running off of. When trying to upload an image, my sql statement is showing everything but the id for the listing I am adding the image to. I was hoping someone could help me figure this out.

This is my upload function:

function upload(){
    global $imagefolder, $id;
    global $tbl_units;

    include "globalizePOSTGET.php";

    // $uid = uuid();
    $minsize = 5000;      // 5kb
    $maxsize = 3000000;   // 3mb
    $ext = explode('.', basename($_FILES['userfile']['name']));
    $ext = $ext[count($ext) - 1];
    $ext = strtolower($ext);

    if ($ext != "jpg" && $ext != "jpeg" && $ext != "png") {
        echo "<script> alert('Image is not a png or jpeg format'); </script>";
        return false;
    }

    $imagename = $_POST['id']."_img".$_FILES['img'].".$ext";
    $imagename2 = "X_".$imagename;
    $uploadfile = $imagefolder . $imagename;
    $uploadfile2 = $imagefolder . $imagename2;
    $uploadthumb = $imagefolder . "tn_" . $imagename;

    if (file_exists($uploadfile)) unlink($uploadfile);
    if (file_exists($uploadthumb)) unlink($uploadthumb);

    if (file_exists($uploadfile)) {
        echo "<script> alert('Image already exists!'); </script>";
    }
    else
    {
        if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
            // check the file is less than the maximum file size
            if ($_FILES['userfile']['size'] < $maxsize) {
                $imgData = addslashes(file_get_contents($_FILES['userfile']['tmp_name']));  // prepare the image for insertion
                $size = getimagesize($_FILES['userfile']['tmp_name']);  // get the image info..
                if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile2)) {
                    $Image = @imagecreatefromjpeg($uploadfile2);
                    if ($Image) {
                        $img_height = imagesy($Image);
                        $img_width = imagesx($Image);
                        imagedestroy($Image);
                    }

                    if ($img_height > $img_width) {  // portrait
                        $tempMultiplier = 150 / $img_height;
                        $tempMultiplierFull = 600 / $img_height;
                    } else {
                        $tempMultiplier = 150 / $img_width;
                        $tempMultiplierFull = 600 / $img_width;
                    }

                    $imageHeight = $img_height * $tempMultiplier;
                    $imageWidth = $img_width * $tempMultiplier;
                    $fullimageHeight = $img_height * $tempMultiplierFull;
                    $fullimageWidth = $img_width * $tempMultiplierFull;
                    createthumb($imagename2, "tn_".$imagename, $imageWidth, $imageHeight);

                    if ($_FILES['userfile']['size'] > $minsize) {
                        createthumb($imagename2, $imagename, $fullimageWidth, $fullimageHeight);
                        if (file_exists($uploadfile2)) unlink($uploadfile2);
                    } else {
                        rename($uploadfile2, $uploadfile);
                    }

                    // the statement echoed below is the one quoted in the question
                    $sql = "UPDATE $tbl_units SET photo".$_FILES['img']." = \"" . $imagename . "\" WHERE id = " . $_POST['id'];
                    echo $sql;
                    if (!mysql_query($sql)) {
                        echo "<script> alert('Unable to upload file'); </script>";
                    } else {
                        ?> <script>location.replace('memonly.php?action=edit_record&id=<?php echo $id; ?>');</script> <?php
                    }
                }
            } else {
                // if the file is not less than the maximum allowed, print an error
                $file_n = basename($_FILES['userfile']['name']);
                $file_s = $_FILES['userfile']['size'];
                ?>
                <script> alert("File exceeds the maximum limit of <?php echo $maxsize; ?>\nFile <?php echo $file_n; ?> is <?php echo $file_s; ?>");</script>
                <?php
            }
        }
    }
}

I am echoing the sql statement on the line that is giving me the error, I think. After clicking on submit, the page tells me 'Unable to upload file'. Which is why I echoed the sql there. I end up with a sql statement looking like this: UPDATE member_units SET photo = "_img.jpg" WHERE id = `

Someone please help me! I am very inexperienced in PHP and I have no idea what to do here.

Here is the form that is doing the uploading:

<form enctype="multipart/form-data" action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<input type="hidden" name="_submit_check" value="1" /> 
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<input type="hidden" name="img" value="<?php echo $img; ?>" />
Image URL: <input type="file" name="userfile" value=""  style="font-size: 10px; width: 100%;">
<input type="submit" value="Submit" onClick="return validate();">&nbsp;
<input type="button" value="Cancel" onClick="location.href='/memonly.php?action=edit_record<?php echo "&id=$id&memberid=$memberid"; ?>';">
</form>
  • what is this : $_FILES['img'] ? Commented Feb 27, 2013 at 23:30
  • You got me! It used to get a $_POST but another programmer told me I need to change it to $_FILES so I did. Commented Feb 28, 2013 at 14:06

2 Answers


The first thing you need to do with this kind of problem is work through where the issues seem to be happening. So take your echoed statement...

UPDATE member_units SET photo = "_img.jpg" WHERE id = `

This corresponds to...

UPDATE $tbl_units SET photo".$_FILES['img']." = \"" . $imagename . "\" WHERE id = " . $_POST['id'];

We can see by comparison that it is clear that $_FILES['img'] is an empty variable as far as converting it to a string goes. The same is said for $_POST['id'], while $imagename gives a short _img.jpg file name.

Tracking back you can then see that $imagename comes from...

$_POST['id']."_img".$_FILES['img'].".$ext";

This is where your photo = "_img.jpg" comes from. Again, $_FILES['img'] and $_POST['id']

The fact that you're reaching the echo statement means that something is uploading, but it is through the $_FILES['userfile'] array, with all of its associated variables, for example $_FILES['userfile']['name'] which would give you the filename of the image being uploaded.

What you need to ask yourself next is where you are expecting $_POST['id'] to come from, since it is missing or empty, and what field in your HTML form delivers that variable. Then you need to ask yourself what you are trying to achieve with your naming system. For example if you want an image file to look like: 1_imgLolCat.jpg then your variable will need to look more like

$imagename = $_POST['id']."_img".$_FILES['userfile']['name'];

However the final part of my answer below makes me think that instead of the file name, what you're looking for is actually a POST variable that denotes a category or type of image, in which case you may want to work from...

$imagename = $_POST['id']."_img".$_POST['img'].".$ext";

...if an HTML field exists with the name "img"!

Finally take a look at your SQL statement...

SET photo".$_FILES['img']." = \"" . $imagename . "\"

And double check your tables, since what you appear to be trying to do is set a unique variable in your table that would depend on something passed from the form. I may be wrong here but I assume (as I said above) you want $_POST['img'] in there.

Word of warning, you need...NEED to sanitise these variables before you input them in to a SQL statement like this. Someone could easily take

SET photo".$_POST['img']

and delete your whole table if permissions were set up for your database user to do so. There are plenty of other answers around as to how to do this properly. :)


1 Comment

I just found out that it was because of the global variables. Because the purpose of this site is just to hang out until the client gets the new one, I had to make a quick fix type thing. Thanks for all your help!

It seems like the 'id' field is not sent in the HTML form. I guess it should be a hidden input?

Be careful, your script can be the target of an SQL injection: you use a user input ($_POST['id']) directly in an SQL query. You should check if this input is actually set and numeric.

1 Comment

Thanks for the tip and not for making fun of the code! This site is actually in the middle of a redesign, but they just want it to work properly until they get the new site done. :)
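Both answers make the same two points: the id and img values have to arrive from the form and be validated, and request data should never be concatenated into the query text. As an added example (not code from the question or from either answer), here is the id / img / UPDATE part of upload() rewritten that way. It assumes a mysqli connection, the same form fields as the page (id, img, userfile), and that the photo columns are named photo1..photo4; that column naming is an assumption, not something the page states.

```php
<?php
// Added example: the id / img / UPDATE part of upload() with the checks both
// answers ask for. Assumes a mysqli connection and that the photo columns are
// named photo1..photo4 (constructed assumption; adjust to the real schema).
// Slot suffixes the form may select. Only these can ever become part of a
// column name, so $_POST['img'] never reaches the query text unchecked.
$allowedImgSlots = ['1', '2', '3', '4'];

function buildPhotoUpdate(mysqli $db, $tbl_units, array $post, array $files, array $allowedSlots)
{
    // 1. id must be present and numeric (answer 2's "set and numeric").
    if (!isset($post['id']) || !ctype_digit((string) $post['id'])) {
        return [false, 'missing or non-numeric id'];
    }
    $id = (int) $post['id'];

    // 2. img chooses the photo column; take it from $_POST (answer 1) and
    //    accept only whitelisted values.
    $slot = isset($post['img']) ? (string) $post['img'] : '';
    if (!in_array($slot, $allowedSlots, true)) {
        return [false, 'invalid image slot'];
    }

    // 3. Extension comes from the real upload field, lower-cased and whitelisted.
    if (empty($files['userfile']['name'])) {
        return [false, 'no file uploaded'];
    }
    $ext = strtolower(pathinfo($files['userfile']['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        return [false, 'not a jpeg or png'];
    }

    // 4. Name built only from validated parts, e.g. 12_img2.jpg
    $imagename = $id . '_img' . $slot . '.' . $ext;

    // 5. Column name uses the whitelisted slot; value and id are bound as
    //    parameters instead of being concatenated into the SQL string.
    $column = 'photo' . $slot;
    $stmt = $db->prepare("UPDATE `$tbl_units` SET `$column` = ? WHERE id = ?");
    if ($stmt === false) {
        return [false, 'prepare failed: ' . $db->error];
    }
    $stmt->bind_param('si', $imagename, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return [$ok, $imagename];
}

// Usage inside upload(): list($ok, $name) = buildPhotoUpdate($mysqli, $tbl_units, $_POST, $_FILES, $allowedImgSlots);
```

The returned name is the one to pass on to createthumb() and the rename step; if the first element is false, abort before touching the filesystem.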
