This code was designed to upload files from a Flash JavaScript uploader plugin. It doesn't give me an error, but sometimes it does not insert the MySQL query. P.S.: every posted variable is cleaned up via JavaScript (just alphanumeric text).

<?php
include 'a/inc/db.php'; // expected to open the connection used as $connection below

if (!empty($_FILES))
{
    $tempFile = $_FILES['Filedata']['tmp_name'];

    // only the last three characters of the client-supplied name are checked
    if (substr($_FILES['Filedata']['name'],-3)!='mp3')
    {
        echo 'ERROR: your file was not an mp3';
        die();
    }

    // target folder comes straight from the POST body
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    $titlepost = $_POST['title'];
    $tagspost = $_POST['tag'];
    $artist= $_POST['artist'];
    $i= $_POST['i'];
    $targetFile = str_replace('//','/',$targetPath) .time().".mp3";
    $targetFilea = $targetFile;
    $targetFilea = substr($targetFilea , strrpos($targetFilea , 'music') -1);
    move_uploaded_file($tempFile,$targetFile);
    mysql_query('set names utf8');
    // note: $ras is never assigned anywhere in this script
    $sql = mysql_query("INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `rand`, `album`, `i`, `artist`)
                        VALUES ('".$targetFilea."', '".$titlepost."', '".$tagspost."', '0', '1', '".$ras."', '1', '".$i."', '".$artist."');")
    or die(mysql_error());
    $sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`)
                         VALUES ('".$i."', 'upload', '".$titlepost."');")
    or die(mysql_error());
    $click =  mysql_query("SELECT *
                           FROM `Music`
                           WHERE `filename`='".$targetFilea."' ;");

    while($row = mysql_fetch_array( $click ))
    {
        $mid=$row['id'];
        echo "<id>".$row['id']."</id>";
    }
    mysql_close($connection);
}
echo "1";
?>
  • @Nicolo, you can never trust input from the client's computer. Always sanitize on the server. Commented Jan 20, 2010 at 8:27
  • Which one of the 2 doesn't get executed? Commented Jan 20, 2010 at 8:29
  • If you need to ensure that multiple queries are getting executed completely or not at all, then you should be using transactions, regardless of any other problems in the code. Commented Jan 20, 2010 at 8:33
  • You shouldn't be relying on JavaScript to convert your input data as alphanumeric. This should always be done server-side just before processing. Commented Jan 20, 2010 at 12:51

3 Answers

$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', upload', '".$titlepost."');") 

There is a ' missing before upload.

try this instead (also added mysql_real_escape_string for security):

$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".mysql_real_escape_string($i)."', 'upload', '".mysql_real_escape_string($titlepost)."');") 

2 Comments

Looking at the edit history of the question, the missing ' was introduced by tharkun. Nicolo didn't have this issue so my answer won't help him, sorry.
If you're double-quoting strings in MySQL queries, I prefer to just write the variables without breaking out. For example, compare: $sql = "INSERT INTO table (field) VALUES ('$data')"; (back-ticks from table and field names omitted due to breaking Stack Overflow's code view rendering). Makes it much cleaner and keeps the syntax colour-coding consistent in IDEs.

What is really wrong is: your code is totally insecure. You sanitize POST data only using JavaScript and place it into your SQL query? Anybody can EASILY inject some custom SQL code and do really bad things to your database. Never ever rely on any HTTP data (be it GET, POST or anything else) to be secure.

I know you are new to PHP, so I honestly encourage you, for the sake of your customer, your project or anyone using your code, before you do anything else, sanitize your POST data with PHP before using it within SQL queries. Please.

There is even an article on Wikipedia on it, and it is a huge mistake newbies make with huge consequences, which is quite easy to prevent.

http://en.wikipedia.org/wiki/SQL_injection

http://www.smashingmagazine.com/2009/03/24/10-useful-php-tips-revisited/ (Tip 1)


If the record is not getting inserted, this most likely means that there is some error. Possibly you have not set the proper error reporting, which is why you don't see any error. Put the two lines below at the top of your script so that all errors are shown.

ini_set('display_errors', true);
error_reporting(E_ALL);
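Putting the three answers and the transaction comment together, here is an added example of what the upload handler looks like once the checks move to the server. It is not code from the question or from any answer. It assumes a mysqli connection (the host, user, password and database name are placeholders), the same `Music` and `activity` tables as in the question with an AUTO_INCREMENT `id` column and the InnoDB engine (needed for the transaction), an upload directory fixed on the server rather than taken from `$_POST['folder']`, and the mbstring and fileinfo extensions. It uses mysqli with prepared statements instead of `mysql_real_escape_string`, because the `mysql_*` functions were removed in PHP 7 and bound parameters never need escaping at all.

```php
<?php
// Added example, not code from the question or from any of the answers.
// Assumptions: mysqli connection with placeholder credentials, the same
// `Music` and `activity` tables (InnoDB, AUTO_INCREMENT `id`), and an
// upload directory chosen by the server rather than by the client.
declare(strict_types=1);

// Answer 3: show all errors while developing, and make mysqli throw
// exceptions instead of silently returning false.
ini_set('display_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const UPLOAD_DIR = __DIR__ . '/music';   // assumed location, server-controlled
const MAX_BYTES  = 20 * 1024 * 1024;     // assumed size limit (20 MiB)

$db = new mysqli('db_host', 'db_user', 'db_password', 'db_name'); // placeholders
$db->set_charset('utf8mb4');

// Answer 2 and the comments: validate on the server. The client-side
// JavaScript filter can be bypassed, so it counts for nothing here.
function validateFields(array $post): array
{
    $title  = trim((string) ($post['title']  ?? ''));
    $tags   = trim((string) ($post['tag']    ?? ''));
    $artist = trim((string) ($post['artist'] ?? ''));
    $userId = filter_var($post['i'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);

    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('bad title');
    }
    if (mb_strlen($tags) > 200 || mb_strlen($artist) > 200) {
        throw new InvalidArgumentException('bad tags or artist');
    }
    if ($userId === false) {
        throw new InvalidArgumentException('bad user id');
    }
    return ['title' => $title, 'tags' => $tags, 'artist' => $artist, 'i' => $userId];
}

// Check the file by its bytes, not by the last three characters of a
// name the client supplied. Returns the temporary path of the upload.
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected upload');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'audio/mpeg') {
        throw new RuntimeException('not an mp3');
    }
    return $file['tmp_name'];
}

if (isset($_FILES['Filedata'])) {
    try {
        $fields  = validateFields($_POST);
        $tmpPath = validateUpload($_FILES['Filedata']);

        // Server-chosen file name: no client input reaches the filesystem path.
        $name       = bin2hex(random_bytes(16)) . '.mp3';
        $dbFilename = '/music/' . $name;     // what the Music table stores
        if (!move_uploaded_file($tmpPath, UPLOAD_DIR . '/' . $name)) {
            throw new RuntimeException('could not store file');
        }

        // Comment on transactions: both rows are written, or neither.
        $db->begin_transaction();

        // Answer 1: bound parameters replace string concatenation, so the
        // values are never parsed as SQL and need no escaping.
        $ins = $db->prepare(
            'INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `rand`, `album`, `i`, `artist`)
             VALUES (?, ?, ?, 0, 1, ?, 1, ?, ?)'
        );
        $rand = random_int(1, 1000000);      // the question's $ras was never assigned
        $ins->bind_param('sssiis', $dbFilename, $fields['title'], $fields['tags'],
                         $rand, $fields['i'], $fields['artist']);
        $ins->execute();
        $musicId = $db->insert_id;           // replaces the SELECT ... WHERE filename=...

        $act  = $db->prepare('INSERT INTO `activity` (`from`, `what`, `text`) VALUES (?, ?, ?)');
        $what = 'upload';
        $act->bind_param('iss', $fields['i'], $what, $fields['title']);
        $act->execute();

        $db->commit();
        echo '<id>' . $musicId . '</id>';
    } catch (Throwable $e) {
        // Undo any half-written state and keep the detail server-side;
        // the client only learns that the request was rejected.
        $db->rollback();
        error_log('upload failed: ' . $e->getMessage());
        http_response_code(400);
        echo 'ERROR: upload rejected';
    }
}
```

With `MYSQLI_REPORT_STRICT` every failed query becomes a `mysqli_sql_exception`, so the question's original symptom (a silent non-insert) cannot occur: either both inserts commit and the new `id` is returned, or the `catch` rolls back and the reason lands in the server log instead of in the browser.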
