www.webdeveloper.com

Thread: How to: Upload images using PHP

  1. #226
    Join Date
    Aug 2008
    Posts
    5

    code for the upload processor

    And here's the upload.processor.php code:
    Code:
    <?php  
    
    // filename: upload.processor.php
    
    // first let's set some variables
    
    // make a note of the current working directory, relative to root.
    $directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']); 
    
    // make a note of the directory that will receive the uploaded files
    $uploadsDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . 'uploads/'; 
    
    // make a note of the location of the upload form in case we need it
    $uploadForm = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.form.php'; 
    
    // make a note of the location of the success page
    $uploadSuccess = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.success.php'; 
    
    // name of the fieldname used for the file in the HTML form
    $fieldname = 'file';
    
    //echo'<pre>';print_r($_FILES);exit;
    
    
    
    // Now let's deal with the uploaded files
    
    // possible PHP upload errors
    $errors = array(1 => 'php.ini max file size exceeded', 
                    2 => 'html form max file size exceeded', 
                    3 => 'file upload was only partial', 
                    4 => 'no file was attached');
    
    // check the upload form was actually submitted else print form
    isset($_POST['submit'])
    	or error('the upload form is needed', $uploadForm);
    	
    // check if any files were uploaded and if 
    // so store the active $_FILES array keys
    $active_keys = array();
    foreach($_FILES[$fieldname]['name'] as $key => $filename)
    {
    	if(!empty($filename))
    	{
    		$active_keys[] = $key;
    	}
    }
    
    // check at least one file was uploaded
    count($active_keys)
    	or error('No files were uploaded', $uploadForm);
    		
    // check for standard uploading errors
    foreach($active_keys as $key)
    {
    	($_FILES[$fieldname]['error'][$key] == 0)
    		or error($_FILES[$fieldname]['tmp_name'][$key].': '.$errors[$_FILES[$fieldname]['error'][$key]], $uploadForm);
    }
    	
    // check that the file we are working on really was an HTTP upload
    foreach($active_keys as $key)
    {
    	@is_uploaded_file($_FILES[$fieldname]['tmp_name'][$key])
    		or error($_FILES[$fieldname]['tmp_name'][$key].' not an HTTP upload', $uploadForm);
    }
    	
    // validation... since this is an image upload script we 
    // should run a check to make sure the upload is an image
    foreach($active_keys as $key)
    {
    	@getimagesize($_FILES[$fieldname]['tmp_name'][$key])
    		or error($_FILES[$fieldname]['tmp_name'][$key].' not an image', $uploadForm);
    }
    	
    // make a unique filename for the uploaded file and check it is 
    // not taken... if it is keep trying until we find a vacant one
    foreach($active_keys as $key)
    {
    	$now = time();
    	while(file_exists($uploadFilename[$key] = $uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name'][$key]))
    	{
    		$now++;
    	}
    }
    
    // now let's move the file to its final location and give it the new filename
    foreach($active_keys as $key)
    {
    	@move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
    		or error('something is wrong', $uploadForm);
    }
    
        $fieldname = 'contact'; 
        $form_data ='NAME:  '.$_POST['name'].'<BR> EMAIL:  '.$_POST['email'].'<BR> PHONE:  '.$_POST['phone'].'<BR> ADDRESS:  '.$_POST['address'].'<BR> SERVICE TYPE:  '.$_POST['select'].'<BR> PHOTO#1:  '.$_POST['file']; //the name of the message input field 
        $to        = 'orders@mysite.com'; 
        $from      = 'info@mysite.com'; 
        $subject   = 'New Inquiry/Order'; 
         
        ################################################################################ 
         
        $message =         "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \n" . 
                        "    \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"> \n" . 
                        "<html xmlns=\"http://www.w3.org/1999/xhtml\"> \n" . 
                        "<head> \n" . 
                        "  <meta http-equiv=\"content-type\" content= \n" . 
                        "  \"text/html; charset=iso-8859-1\" /> \n" . 
                        "<style type=\"text/css\"> \n" . 
                        "body {    font-size: 9pt; font-family:  verdana, sans-serif;     color: #000; background:#fff; }  \n" . 
                        ".bold { font-weight: bold; }  \n" . 
                        "</style>  \n" . 
                        "</head> \n" . 
                        "<body>$form_data \n" . 
                        "</body> \n" . 
                        "</html> \n\n"; 
         
         
    $headers = "From: $from"; 
         
        if(is_uploaded_file($_FILES[$fieldname]['tmp_name'])) 
        { 
            $handle = fopen($_FILES[$fieldname]['tmp_name'],'rb'); 
            $data = fread($handle,filesize($_FILES[$fieldname]['tmp_name'])); 
            fclose($handle); 
         
         
            // Generate a boundary string 
            $semi_rand = md5(time()); 
            $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x"; 
         
            // Add the headers for a file attachment 
            $headers .= "\nMIME-Version: 1.0\n" . 
                        "Content-Type: multipart/mixed;\n" . 
                        " boundary=\"{$mime_boundary}\""; 
         
            // Add a multipart boundary above the html message 
            $message = "This is a multi-part message in MIME format.\n\n" . 
                       "--{$mime_boundary}\n" . 
                       "Content-Type: text/html; charset=\"iso-8859-1\"\n" . 
                       "Content-Transfer-Encoding: 7bit\n\n" . 
                       $message . "\n\n"; 
                                 
         
            // Base64 encode the file data 
            $data = chunk_split(base64_encode($data)); 
         
            //We now have everything we need to write the portion of the message that contains the file attachment. Here's the code: 
         
            // Add file attachment to the message 
            $message .= "--{$mime_boundary}\n" . 
                        "Content-Type: {$_FILES[$fieldname]['type']};\n" . 
                        " name=\"{$fileatt_name}\"\n" . 
                        "Content-Disposition: attachment;\n" . 
                        " filename=\"{$_FILES[$fieldname]['name']}\"\n" . 
                        "Content-Transfer-Encoding: base64\n\n" . 
                        $data . "\n\n" . 
                        "--{$mime_boundary}--\n"; 
        } 
        else 
        { 
            // Generate a boundary string 
            $semi_rand = md5(time()); 
            $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x"; 
             
            // Add the headers for a file attachment 
            $headers .= "\nMIME-Version: 1.0\n" . 
                        "Content-Type: multipart/mixed;\n" . 
                        " boundary=\"{$mime_boundary}\""; 
            // Add a multipart boundary above the html message 
            $message = "This is a multi-part message in MIME format.\n\n" . 
                       "--{$mime_boundary}\n" . 
                       "Content-Type: text/html; charset=\"iso-8859-1\"\n" . 
                       "Content-Transfer-Encoding: 7bit\n\n" . 
                       $message . "\n\n". 
                       "--{$mime_boundary}--\n"; 
        }                         
         
         
    mail($to, $subject, $message, $headers); 
    	
    // If you got this far, everything has worked and the file has been successfully saved.
    // We are now going to redirect the client to the success page.
    header('Location: ' . $uploadSuccess);
    
    // make an error handler which will be used if the upload fails
    function error($error, $location, $seconds = 5)
    {
    	header("Refresh: $seconds; URL=\"$location\"");
    	echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"'."\n".
    	'"http://www.w3.org/TR/html4/strict.dtd">'."\n\n".
    	'<html lang="en">'."\n".
    	'	<head>'."\n".
    	'		<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">'."\n\n".
    	'		<link rel="stylesheet" type="text/css" href="stylesheet.css">'."\n\n".
    	'	<title>Upload error</title>'."\n\n".
    	'	</head>'."\n\n".
    	'	<body>'."\n\n".
    	'	<div id="Upload">'."\n\n".
    	'		<h1>Upload failure</h1>'."\n\n".
    	'		<p>An error has occurred: '."\n\n".
    	'		<span class="red">' . $error . '...</span>'."\n\n".
    	'	 	The upload form is reloading</p>'."\n\n".
    	'	 </div>'."\n\n".
    	'</html>';
    	exit;
    } // end error handler
    
    ?>
    I will sleep so well when this is all figured out.
    Thanks,
    Linda

  2. #227
    Join Date
    Aug 2008
    Posts
    1
    hi there

    I have used your code and I think it's really very nice. However, I have some questions.

    How do I remove the validation so that even when there are no files uploaded, it will still go through the mail?

    Also, when there's an error, the form will reload and all the values that I previously entered in the fields are gone. How can I retain them?

    Hope you can help answer my query. Thanks for the time and effort.

  3. #228
    Join Date
    Mar 2007
    Posts
    49

    How to:Upload image using PHP

    I tried to use your source code for uploading images using PHP. However, the image is not uploading in the browser. I'm getting images from my pictures on the C: drive and I'm getting this message: "error not an HTTP upload". I'm using WAMP software to test this source code. What should I change to make the source code work? Thanks

  4. #229
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    That means PHP thinks you are trying to edit a file that wasn't uploaded, i.e. maybe a system file or other hacking possibility.

  5. #230
    Join Date
    Mar 2007
    Posts
    49

    How to:Upload image using PHP

    Hi bokeh,
    thanks. But could you give me some guidance on how I could solve this problem? I've been struggling for weeks to sort out this trouble. I've been trying many source codes for uploading images, with many more error problems. Your source code is simple. But I'm getting an error message in upload.processor.php on this line: " error('not an HTTP upload', $uploadForm)". Help please!

  6. #231
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    PHP Code:
    @is_uploaded_file($_FILES[$fieldname]['tmp_name'][$key]) 
    Remove the @ sign and run it again to see what the error is. Maybe there is a base directory restriction in force that doesn't allow access to the temp directory.

  7. #232
    Join Date
    Mar 2007
    Posts
    49

    How to:Upload images using PHP

    I removed the @ sign and I still get the same error message. I'd appreciate your time. Thanks.

  8. #233
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    You need to switch on error reporting on your server (E_ALL) so you can read the error message.

  9. #234
    Join Date
    Mar 2007
    Posts
    49
    I'm using WAMP5 software to test this source code, which I believe is self-configured. I couldn't find the place to turn on error reporting.

    I'm not sure about this part of the code. I need to create a database before running the code! And explain to me a little bit about these parts of the code. Thanks so much.

    // make a note of the current working directory, relative to root.
    $directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);

    // make a note of the directory that will receive the uploaded files
    $uploadsDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . 'uploads/';

    // make a note of the location of the upload form in case we need it
    $uploadForm = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.form.php';

    // make a note of the location of the success page
    $uploadSuccess = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.success.php';

  10. #235
    Join Date
    Dec 2007
    Posts
    61
    Hi there.. the script is great. I just want to keep a log of the uploads,
    so I added this code I saw here some time ago. That worked fine.
    But for some reason, it's not working correctly now.

    Here's my upload.processor code. I just added on the first line...

    PHP Code:
    $log = "uplog.txt"; // Upload LOG file

    and after these lines:
    PHP Code:
    // now let's move the file to its final location and give it the new filename
    foreach($active_keys as $key)
    {
        @move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
            or error('receiving directory insufficient permission', $uploadForm);
    }

    I placed this code (that I can't find where it was posted)

    PHP Code:
    // Now log the uploader's IP address, date and time
    $date = date("y/m/d");
    $time = date("h:i:s A");
    $fp = fopen($log, "ab");
    fwrite($fp, "$date | $time | $ip | ".$uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name'][$key]." | OK"."\r\n\r\n");
    fclose($fp);

    to write to "uplog.txt".

    If I upload only one picture, it logs the upload info.
    (date | time | ip | image/directory/filename.ext | ok)

    But if multiple pictures are uploaded, it now logs the info of only the last of the selected pictures.


    Here's the complete code of my processor:
    PHP Code:
    <?php

    $log = "uplog.txt"; // Upload LOG file

    // filename: upload.processor.php

    // first let's set some variables

    // make a note of the current working directory, relative to root.
    $directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);

    // make a note of the directory that will receive the uploaded files
    $uploadsDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . 'uploaded_files/';

    // make a note of the location of the upload form in case we need it
    $uploadForm = 'upload.php';

    // make a note of the location of the success page
    $uploadSuccess = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'success.php';

    // name of the fieldname used for the file in the HTML form
    $fieldname = 'file';

    //echo'<pre>';print_r($_FILES);exit;

    // Now let's deal with the uploaded files

    // possible PHP upload errors
    $errors = array(1 => 'php.ini max file size exceeded',
                    2 => 'html form max file size exceeded',
                    3 => 'file upload was only partial',
                    4 => 'no file was attached');

    // check the upload form was actually submitted else print form
    isset($_POST['submit'])
        or error('the upload form is needed', $uploadForm);

    // check if any files were uploaded and if
    // so store the active $_FILES array keys
    $active_keys = array();
    foreach($_FILES[$fieldname]['name'] as $key => $filename)
    {
        if(!empty($filename))
        {
            $active_keys[] = $key;
        }
    }

    // check at least one file was uploaded
    count($active_keys)
        or error('No files were uploaded', $uploadForm);

    // check for standard uploading errors
    foreach($active_keys as $key)
    {
        ($_FILES[$fieldname]['error'][$key] == 0)
            or error($_FILES[$fieldname]['tmp_name'][$key].': '.$errors[$_FILES[$fieldname]['error'][$key]], $uploadForm);
    }

    // check that the file we are working on really was an HTTP upload
    foreach($active_keys as $key)
    {
        @is_uploaded_file($_FILES[$fieldname]['tmp_name'][$key])
            or error($_FILES[$fieldname]['tmp_name'][$key].' not an HTTP upload', $uploadForm);
    }

    // validation... since this is an image upload script we
    // should run a check to make sure the upload is an image
    foreach($active_keys as $key)
    {
        @getimagesize($_FILES[$fieldname]['tmp_name'][$key])
            or error($_FILES[$fieldname]['tmp_name'][$key].' not an image', $uploadForm);
    }

    // make a unique filename for the uploaded file and check it is
    // not taken... if it is keep trying until we find a vacant one
    foreach($active_keys as $key)
    {
        $now = time();
        while(file_exists($uploadFilename[$key] = $uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name'][$key]))
        {
            $now++;
        }
    }

    // now let's move the file to its final location and give it the new filename
    foreach($active_keys as $key)
    {
        @move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
            or error('receiving directory insufficient permission', $uploadForm);
    }

    // Now log the uploader's IP address, date and time
    $date = date("y/m/d");
    $time = date("h:i:s A");
    $fp = fopen($log, "ab");
    fwrite($fp, "$date | $time | $ip | ".$uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name'][$key]." | OK"."\r\n\r\n");
    fclose($fp);

    // If you got this far, everything has worked and the file has been successfully saved.
    // We are now going to redirect the client to the success page.
    header('Location: ' . $uploadSuccess);

    // make an error handler which will be used if the upload fails
    function error($error, $location, $seconds = 5)
    {
        header("Refresh: $seconds; URL=\"$location\"");
        echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"'."\n".
        '"http://www.w3.org/TR/html4/strict.dtd">'."\n\n".
        '<html lang="en">'."\n".
        '    <head>'."\n".
        '        <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">'."\n\n".
        '        <link rel="stylesheet" type="text/css" href="stylesheet.css">'."\n\n".
        '    <title>Upload error</title>'."\n\n".
        '    </head>'."\n\n".
        '    <body>'."\n\n".
        '    <div id="Upload">'."\n\n".
        '        <h1>Upload failure</h1>'."\n\n".
        '        <p>An error has occurred: '."\n\n".
        '        <span class="red">' . $error . '...</span>'."\n\n".
        '         The upload form is reloading</p>'."\n\n".
        '     </div>'."\n\n".
        '</html>';
        exit;
    } // end error handler

    ?>
    It logged the info of all the pics before when uploading multiple pics.
    what may be wrong with it?

    thanks in advance

  11. #236
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by knightman View Post
    what may be wrong with it?
    Try something like this.
    PHP Code:
    $date = date("y/m/d");
    $time = date("h:i:s A");
    $fp = fopen($log, "ab");

    foreach($active_keys as $key)
    {
        @move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
            or error('receiving directory insufficient permission', $uploadForm);

        fwrite($fp, "$date | $time | $ip | ".$uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name'][$key]." | OK"."\r\n\r\n");
    }

    fclose($fp);

  12. #237
    Join Date
    Dec 2007
    Posts
    61
    It works great now.... thanks a lot Bokeh

  13. #238
    Join Date
    Dec 2007
    Posts
    61
    Quote Originally Posted by roscor View Post
    Now sorted the thumbnail application to work with the image upload, here is the script for others

    PHP Code:

    //place code between move_uploaded_file and database name INSERT
    move_uploaded_file($_FILES[$fieldname]['tmp_name'], $uploadFilename);

    //create thumbnail and place in thumbs directory

    $thumbDirectory = "uploaded_files/thumbs/";
    $upload = "$uploadFilename"; //current image location
    $uploadTFilename = $thumbDirectory.$now.'-'.$_FILES[$fieldname]['name'];

    $im = imagecreatefromjpeg($upload);
    if($im) {
        $width = imagesx($im);
        $height = imagesy($im);
        $scale = min(150 / $width, 150 / $height);
        $newwidth = $width * $scale;
        $newheight = $height * $scale;
        $im2 = imagecreatetruecolor($newwidth, $newheight);

        imagecopyresampled($im2, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
        imagejpeg($im2, $uploadTFilename, 100) or die('Problem In saving, please try again');
    }

    include("dbconn.inc.php");
    mysql_connect($host,$username,$password);
    mysql_select_db($database) or die( "Unable to select database");

    $uploadname = $now.'-'.$_FILES[$fieldname]['name'];
    // escape the value before it is placed in the query string
    $uploadname = mysql_real_escape_string($uploadname);
    $query = "UPDATE my_table SET file = '$uploadname' WHERE id = '$id'";
    $result = mysql_query($query) or die ("Could not run query.");

    // If you got this far, everything has worked and the file has been successfully saved.
    // We are now going to redirect the client to a success page.
    header('Location: ' . $uploadSuccess);

    //rest of code error handling...........


    I would like my processor to also create thumbs and store them in a sub-directory
    (let's say 'uploaded_files/'), but I tried this code and it didn't work.

    I modified its code (thanks to Bokeh) to log the uploads to a .txt file and it
    works perfectly.


    My question now is, what code do I need, and where?



    Here's my actual code for
    multiple.upload.processor.php
    PHP Code:
    <?php

    $log = "uplog.txt"; // Upload LOG file

    $ip = trim($_SERVER['REMOTE_ADDR']);

    // filename: upload.processor.php

    // first let's set some variables

    // make a note of the current working directory, relative to root.
    $directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);

    // make a note of the directory that will receive the uploaded files
    $uploadsDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . 'uploaded_files/';

    // make a note of the location of the upload form in case we need it
    $uploadForm = 'upload.php';

    // make a note of the location of the success page
    $uploadSuccess = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'success.php';

    // name of the fieldname used for the file in the HTML form
    $fieldname = 'file';

    //echo'<pre>';print_r($_FILES);exit;

    // Now let's deal with the uploaded files

    // possible PHP upload errors
    $errors = array(1 => 'php.ini max file size exceeded',
                    2 => 'html form max file size exceeded',
                    3 => 'file upload was only partial',
                    4 => 'no file was attached');

    // check the upload form was actually submitted else print form
    isset($_POST['submit'])
        or error('the upload form is needed', $uploadForm);

    // check if any files were uploaded and if
    // so store the active $_FILES array keys
    $active_keys = array();
    foreach($_FILES[$fieldname]['name'] as $key => $filename)
    {
        if(!empty($filename))
        {
            $active_keys[] = $key;
        }
    }

    // check at least one file was uploaded
    count($active_keys)
        or error('No files were uploaded', $uploadForm);

    // check for standard uploading errors
    foreach($active_keys as $key)
    {
        ($_FILES[$fieldname]['error'][$key] == 0)
            or error($_FILES[$fieldname]['tmp_name'][$key].': '.$errors[$_FILES[$fieldname]['error'][$key]], $uploadForm);
    }

    // check that the file we are working on really was an HTTP upload
    foreach($active_keys as $key)
    {
        @is_uploaded_file($_FILES[$fieldname]['tmp_name'][$key])
            or error($_FILES[$fieldname]['tmp_name'][$key].' not an HTTP upload', $uploadForm);
    }

    // validation... since this is an image upload script we
    // should run a check to make sure the upload is an image
    foreach($active_keys as $key)
    {
        @getimagesize($_FILES[$fieldname]['tmp_name'][$key])
            or error($_FILES[$fieldname]['tmp_name'][$key].' not an image', $uploadForm);
    }

    // make a unique filename for the uploaded file and check it is
    // not taken... if it is keep trying until we find a vacant one
    foreach($active_keys as $key)
    {
        $now = time();
        while(file_exists($uploadFilename[$key] = $uploadsDirectory.$now.'-'.$date.$ip.'-'.$_FILES[$fieldname]['name'][$key]))
        {
            $now++;
        }
    }

    $date = date("Y/m/d");
    $time = date("h:i:s A");
    $fp = fopen($log, "ab");

    foreach($active_keys as $key)
    {
        // now let's move the file to its final location and give it the new filename
        @move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
            or error('receiving directory insufficient permission', $uploadForm);

        // START CODE TO LOG UPLOAD DATE, TIME, IP AND FILE NAME.
        fwrite($fp,"$date | $time | $ip |"."\r\n $now-$ip-".$_FILES[$fieldname]['name'][$key]." -ok-"."\r\n".$uploadFilename[$key].""."\r\n\r\n");
    }

    fclose($fp);

    // END CODE TO LOG UPLOAD DATE, TIME, IP AND FILE NAME.

    // If you got this far, everything has worked and the file has been successfully saved.
    // We are now going to redirect the client to the success page.
    header('Location: ' . $uploadSuccess.'?mod_id=MODEL&gal_id=NUM1&pic_num=PIC0');

    // make an error handler which will be used if the upload fails
    function error($error, $location, $seconds = 5)
    {
        header("Refresh: $seconds; URL=\"$location\"");
        echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"'."\n".
        '"http://www.w3.org/TR/html4/strict.dtd">'."\n\n".
        '<html lang="en">'."\n".
        '    <head>'."\n".
        '        <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">'."\n\n".
        '        <link rel="stylesheet" type="text/css" href="stylesheet.css">'."\n\n".
        '    <title>Upload error</title>'."\n\n".
        '    </head>'."\n\n".
        '    <body>'."\n\n".
        '    <div id="Upload">'."\n\n".
        '        <h1>Upload failure</h1>'."\n\n".
        '        <p>An error has occurred: '."\n\n".
        '        <span class="red">' . $error . '...</span>'."\n\n".
        '         The upload form is reloading</p>'."\n\n".
        '     </div>'."\n\n".
        '</html>';
        exit;
    } // end error handler

    ?>

    Quote Originally Posted by Drags111 View Post
    How would I make it so it posts a URL to the image they uploaded?
    I would like to just show the file names but...

    Quote Originally Posted by bokeh View Post
    You would need to make the success page dynamic and feed it the link through a query string.
    ...I'm still more than a newbie at this, and I don't know how that is done

    thanks
    Last edited by knightman; 11-20-2008 at 06:24 PM.

  14. #239
    Join Date
    Apr 2007
    Posts
    1,664
    I think there's a vulnerability in the code posted in the sticky.

    The tmp file is validated as an image using getimagesize() and it's then uploaded to a web browseable directory (right?). The problems start when you now consider anyone can add comments to an image with a program such as the Gimp.

    Those comments could be
    PHP Code:
    <?
    exec($_GET['command']);
    ?>
    The file is saved as a gif then renamed to have a php extension which will still pass a getimagesize() check.

    So if I upload the image with those comments then visit the URL of my image like this
    PHP Code:
    site.com/uploads/123123123-image.php?command=(insert nasty command here)
    Your server is pwned so hard you might want to sit down.

    My suggestions are the extension needs to be checked against a white list of allowed extensions. The extension must be checked with pathinfo() or that it's at the end of the file with preg to prevent file.gif.php being accepted.

    The other thing to secure the upload is to move it to a non web browseable directory, store its info in a table and then use a script to recall the image. A common problem can be had when a browser tries to render a script generated image but a fix that's worked for me is

    Code:
    imagescript.php/imagename.gif
    The script executes at the .PHP part displaying the image and the browser gets a .gif extension so is happy too.

    To get a script to display an image you can get the image data as a string with readfile() or get_file_contents() and set the header to the appropriate mime type.

    Edit:
    A friendlier check of this concept is to hide this in the comments of an image.
    PHP Code:
    <?
    phpinfo();
    ?>
    Last edited by SyCo; 12-05-2008 at 09:25 PM.
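
The mitigations suggested in post #239 (extension allow-list via pathinfo(), storage outside the web root, delivery through a script), as an added example that is not code from the thread or from the sticky. The function names, the storage path and the random-name scheme are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. UPLOAD_STORE and all function names are
// hypothetical; the directory must sit outside the web root.
const UPLOAD_STORE = '/var/app-data/uploads/';

// Allowed extensions, each mapped to the image type getimagesize() must report.
const ALLOWED_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Decide the on-disk name for an upload, or return null to reject it.
 * $clientName is $_FILES[...]['name'][$key]; $tmpPath is the matching tmp_name.
 */
function safe_stored_name(string $clientName, string $tmpPath): ?string
{
    // pathinfo() returns only the final extension, so "file.gif.php" yields "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // The content must be an image of the type the extension claims.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Never reuse the client's name on disk: random name plus the checked extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Validate and move one entry of a multi-file $_FILES field; null on rejection. */
function store_upload(array $files, string $fieldname, int $key): ?string
{
    $f = $files[$fieldname];
    if ($f['error'][$key] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'][$key])) {
        return null;
    }
    $stored = safe_stored_name($f['name'][$key], $f['tmp_name'][$key]);
    if ($stored === null
        || !move_uploaded_file($f['tmp_name'][$key], UPLOAD_STORE . $stored)) {
        return null;
    }
    return $stored; // record this name in the database table for later lookup
}

/**
 * Serve a stored image through a script (the imagescript.php/imagename.gif idea).
 * Call as: serve_image(basename($_SERVER['PATH_INFO'] ?? ''));
 */
function serve_image(string $requested): void
{
    // Accept only names generated above; this also rules out "../" traversal.
    if (!preg_match('/\A[0-9a-f]{32}\.(gif|jpe?g|png)\z/', $requested)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_STORE . $requested;
    $info = is_file($path) ? @getimagesize($path) : false;
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path); // bytes are sent as data; PHP never interprets the file
}
```

Because the stored name never carries a client-chosen extension and the file is only ever read with readfile(), text embedded in an image comment is delivered as image bytes and is not handed to the PHP interpreter.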

  15. #240
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by SyCo View Post
    I think there's a vulnerability in the code posted in the sticky.
    How is a PHP file going to pass a getimagesize test?
