Inspiring
October 18, 2011
Question

Upload PHP Script Validation

  • October 18, 2011
  • 1 reply
  • 1163 views

Hi All,

I'm using the script at the bottom of this post to upload a file and store data in a database.

I am trying to validate it as it should be more secure by the looks of things.

I've used Spry validation on the form on the previous page; however, I know this does not stop injection - is that right?

I've tried using this code and have wrapped it around, but it doesn't work properly, and if all details are correct it doesn't post the data or the file.

<?php

$error = array();

// Check length of Book title
$_POST['name'] = trim($_POST['name']);
if (strlen($_POST['name']) < 1) {
    $error['nameEmpty'] = 'Please insert a title for your Book';
}

$_POST['publication'] = trim($_POST['publication']);
if (strlen($_POST['publication']) < 1) {
    $error['publicationEmpty'] = 'You must enter a publication';
}

$_POST['year'] = trim($_POST['year']);
if (strlen($_POST['year']) != 4) {
    $error['yearLength'] = 'Years can only have 4 digits';
}

$_POST['description'] = trim($_POST['description']);
if (strlen($_POST['description']) < 1) {
    $error['descriptionLength'] = 'Please enter a description';
}
if (strlen($_POST['description']) > 500) {
    $error['descriptionLength2'] = 'The description can only have up to 500 characters';
}

$_POST['linkToBuy'] = trim($_POST['linkToBuy']);
if (strlen($_POST['linkToBuy']) < 6) {
    $error['linkToBuyLength'] = 'Please make sure the format is as follows - www.example.co.uk';
}

$_POST['price'] = trim($_POST['price']);
if (strlen($_POST['price']) < 2) {
    $error['priceLength'] = 'The price must be more than 1 Character long and contain a pound sign';
}

// The array must be referenced as $error. A bare "error" is an undefined
// constant, which PHP treats as the string "error"; that string is truthy,
// so "if (!error)" is always false and the upload code never runs.
if (!$error) {

    UPLOAD CODE

}

?>

Upload Code:

<?php

// this is the directory where the images will be saved
$target = "../IMAGES/books/";
// the file name is taken from the client; basename() strips any path
$target = $target . basename( $_FILES['imageURL']['name']);

// this gets all the other info from the form
$name=$_POST['name'];
$publication=$_POST['publication'];
$year=$_POST['year'];
$desc=$_POST['description'];
$link=$_POST['linkToBuy'];
$price=$_POST['price'];
$pic=($_FILES['imageURL']['name']);

// Connects to your Database
mysql_connect("host", "username", "password") or die(mysql_error()) ;
mysql_select_db("Database Name") or die(mysql_error()) ;

//Writes the information to the database
// The form values are placed straight into the SQL string, so a quote
// character in any field becomes part of the query (SQL injection);
// the length checks do not prevent this.
mysql_query("INSERT INTO tableName (name,publication,year,description,linkToBuy,price,imageURL)
VALUES ('$name', '$publication', '$year', '$desc', '$link', '$price', '$pic')") or die(mysql_error()) ;

//Writes the photo to the server
if(move_uploaded_file($_FILES['imageURL']['tmp_name'], $target))
{
    $note['success'] = 'The file '. basename( $_FILES['imageURL']['name']). ' has been uploaded, and your information has been added to the directory';
}
else {
    //Give an error if it's not
    $note['error'] = 'Sorry, there was a problem uploading your file.';
}

?>

This topic has been closed for replies.

1 reply

UteFanJason
Inspiring
October 21, 2011

I am guessing that either you changed the values or that those are actually the values in your test environment for the "mysql_connect(..." line. If not, I would start there. Similarly the "mysql_query" line references "tableName" as the name of the table, when I would guess that you probably are actually calling it 'books' or 'publications' or something similar. That likely is why nothing is getting updated in your database.

Let me know if this is any help. If it wasn't please explain more about your errors/troubles with this code.

Inspiring
October 21, 2011

No sorry, I always rename my tables etc when I post code here (paranoid android!). That is all working as expected.

The script itself works fine. The photo is uploaded to a folder and then the values are posted into my table on the database.

The thing I was trying to do was validate the upload script. So if, for instance, someone enters a title of no more than 5 characters then it posts an error. The validation script above doesn't seem to work with the upload script.

Am I making any sense?

UteFanJason
Inspiring
October 23, 2011

I think I understand you now.

I would put all the upload code into a conditional statement. The condition has to be that the validation code doesn't pass any errors along. I didn't see anything that looks for the length of the image file title though either.

You could try something similar to the following:

-----Part of your validation code-----

// this checks the length of the file name
if(strlen($_FILES['imageURL']['name']) < 5) {
    $error['imageURL'] = 'The file name was incorrect. Make sure it has at least 5 characters';
}

----Then, you wrap your upload code in a conditional statement-----

// make sure there were no errors before uploading content
// ($error is the array the validation code fills; the name must match)
if(!$error) {
    // all upload code goes here
}

It looks like your validation code and upload code are possibly in different files with how you separated them above. You would need them to run together, either as actually being part of the same file, or using the include() command. If you go the include() route you could simply put the conditional statement in the validation file and just put the include() command, referring to the upload code, inside the conditional statement. EX:

if(!$error) {
    include('path/to/uploadCode.php');
}

Hope that helps.
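A hardened version of the script, added here as a worked example; it is not code from the thread. It follows the reply above (validation and upload in one request, upload only when the error array is empty) and keeps the original fields and messages, but it differs from the posted code in three ways: it checks what a field contains rather than only its length, it sniffs the uploaded file's real type and stores it under a server-generated name instead of the client's filename, and it inserts the row with a PDO prepared statement instead of interpolating the $_POST values into the query string, which is the injection the question asks about. The table name books, the upload directory, and the PDO connection details are assumptions; the mysql_* functions used in the thread were removed in PHP 7, so PDO is used instead.

```php
<?php
// Added example (not the original poster's code): validation, file checks
// and the database write in one handler. Assumed: a PDO connection, a table
// `books` with the columns below, and an upload directory outside the web root.
declare(strict_types=1);

const UPLOAD_DIR   = __DIR__ . '/../uploads/books';   // assumed path, not web-served
const MAX_BYTES    = 2 * 1024 * 1024;                 // 2 MB cap
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function validateFields(array $post): array
{
    $error = [];
    $name = trim($post['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 200) {
        $error['name'] = 'Please insert a title for your Book (200 characters max)';
    }
    $publication = trim($post['publication'] ?? '');
    if ($publication === '') {
        $error['publication'] = 'You must enter a publication';
    }
    $year = trim($post['year'] ?? '');
    if (!preg_match('/^\d{4}$/', $year)) {            // four digits, not just four characters
        $error['year'] = 'Years can only have 4 digits';
    }
    $desc = trim($post['description'] ?? '');
    if ($desc === '' || mb_strlen($desc) > 500) {
        $error['description'] = 'The description must be between 1 and 500 characters';
    }
    $link = trim($post['linkToBuy'] ?? '');
    if (!preg_match('#^https?://#i', $link) || filter_var($link, FILTER_VALIDATE_URL) === false) {
        $error['linkToBuy'] = 'Please enter a full http(s) URL, e.g. https://www.example.co.uk/';
    }
    $price = trim($post['price'] ?? '');
    if (!preg_match('/^£\d{1,6}(\.\d{2})?$/u', $price)) {
        $error['price'] = 'The price must look like £9.99';
    }
    return [$error, compact('name', 'publication', 'year', 'desc', 'link', 'price')];
}

function validateUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['Please choose an image to upload', null];
    }
    if ($file['size'] > MAX_BYTES) {
        return ['The image must be 2 MB or smaller', null];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['Invalid upload', null];
    }
    // Sniff the real content type; $_FILES[...]['type'] is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        return ['Only JPEG, PNG or GIF images are accepted', null];
    }
    // Server-generated name: the client's filename never reaches the filesystem.
    return [null, bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime]];
}

function handleRequest(PDO $db, array $post, array $files): array
{
    [$error, $fields] = validateFields($post);
    [$fileError, $stored] = validateUpload($files['imageURL'] ?? []);
    if ($fileError !== null) {
        $error['imageURL'] = $fileError;
    }
    if ($error) {
        return ['error' => $error];   // re-render the form with these messages
    }

    $target = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($files['imageURL']['tmp_name'], $target)) {
        return ['error' => ['imageURL' => 'Sorry, there was a problem uploading your file.']];
    }

    // Placeholders instead of "VALUES ('$name', ...)": bound values are never
    // parsed as SQL text, so a quote in a field is just data.
    $stmt = $db->prepare(
        'INSERT INTO books (name, publication, year, description, linkToBuy, price, imageURL)
         VALUES (:name, :publication, :year, :description, :link, :price, :image)'
    );
    try {
        $stmt->execute([
            ':name' => $fields['name'], ':publication' => $fields['publication'],
            ':year' => $fields['year'], ':description' => $fields['desc'],
            ':link' => $fields['link'], ':price' => $fields['price'], ':image' => $stored,
        ]);
    } catch (PDOException $e) {
        unlink($target);               // do not leave an orphaned file behind
        throw $e;
    }
    return ['success' => "The file $stored has been uploaded, and your information has been added to the directory"];
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=books_db;charset=utf8mb4', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// $result = handleRequest($db, $_POST, $_FILES);
```

The file is moved before the row is inserted so that a failed insert can remove it; the other order leaves a row pointing at a file that was never written. Length checks like the ones in the thread are still worth keeping for the user's benefit, but they are not what stops injection: the prepared statement is, and it works regardless of what the fields contain.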