Hi All,
I'm using the script at the bottom of this post to upload a file and store data in a database.
I am trying to validate it as it should be more secure by the looks of things.
I've used Spry validation on the form on the previous page, however, I know this does not stop injection - is that right?
I've tried using this code and have wrapped it around but it doesn't work properly and if all details are correct it doesn't post the data or the file.
<?php
$error = array();
//Check length of Book title
$_POST['name'] = trim($_POST['name']);
if (strlen($_POST['name']) < 1) {
    $error['nameEmpty'] = 'Please insert a title for your Book';
}
$_POST['publication'] = trim($_POST['publication']);
if (strlen($_POST['publication']) < 1) {
    $error['publicationEmpty'] = 'You must enter a publication';
}
$_POST['year'] = trim($_POST['year']);
if (strlen($_POST['year']) != 4) {
    $error['yearLength'] = 'Years can only have 4 digits';
}
$_POST['description'] = trim($_POST['description']);
if (strlen($_POST['description']) < 1) {
    $error['descriptionLength'] = 'Please enter a description';
}
$_POST['description'] = trim($_POST['description']);
if (strlen($_POST['description']) > 500) {
    $error['descriptionLength2'] = 'The description can only have up to 500 characters';
}
$_POST['linkToBuy'] = trim($_POST['linkToBuy']);
if (strlen($_POST['linkToBuy']) < 6) {
    $error['linkToBuyLength'] = 'Please make sure the format is as follows - www.example.co.uk';
}
$_POST['price'] = trim($_POST['price']);
if (strlen($_POST['price']) < 2) {
    $error['priceLength'] = 'The price must be more than 1 Character long and contain a pound sign';
}
if (!error) {
    UPLOAD CODE
}
?>
Upload Code:
<?php
//this is the directory where the images will be saved
$target = "../IMAGES/books/";
$target = $target . basename( $_FILES['imageURL']['name']);
// this gets all the other info from the form
$name=$_POST['name'];
$publication=$_POST['publication'];
$year=$_POST['year'];
$desc=$_POST['description'];
$link=$_POST['linkToBuy'];
$price=$_POST['price'];
$pic=($_FILES['imageURL']['name']);
// Connects to your Database
mysql_connect("host", "username", "password") or die(mysql_error()) ;
mysql_select_db("Database Name") or die(mysql_error()) ;
//Writes the information to the database
mysql_query("INSERT INTO tableName (name,publication,year,description,linkToBuy,price,imageURL)
VALUES ('$name', '$publication', '$year', '$desc', '$link', '$price', '$pic')") ;
//Writes the photo to the server
if(move_uploaded_file($_FILES['imageURL']['tmp_name'], $target))
{
    $note['success'] = 'The file '. basename( $_FILES['imageURL']['name']). ' has been uploaded, and your information has been added to the directory';
}
else {
    //Give an error if it's not
    $note['error'] = 'Sorry, there was a problem uploading your file.';
}
?>
I am guessing that either you changed the values or that those are actually the values in your test environment for the "mysql_connect(..." line. If not, I would start there. Similarly the "mysql_query" line references "tableName" as the name of the table, when I would guess that you probably are actually calling it 'books' or 'publications' or something similar. That likely is why nothing is getting updated in your database.
Let me know if this is any help. If it wasn't, please explain more about your errors/troubles with this code.
No sorry, I always rename my tables etc when I post code here (paranoid android!). That is all working as expected.
The script itself works fine. The photo is uploaded to a folder and then the values are posted into my table on the database.
The thing I was trying to do was validate the upload script. So if, for instance, someone enters a title of no more than 5 characters then it posts an error. The validation script above doesn't seem to work with the upload script.
Am I making any sense?
I think I understand you now.
I would put all the upload code into a conditional statement. The condition has to be that the validation code doesn't pass any errors along. I didn't see anything that looks for the length of the image file title though either.
You could try something similar to the following:
-----Part of your validation code-----
// this checks the length of the file name
if(strlen($_FILES['imageURL']['name']) < 5) {
    $error['imageURL'] = 'The file name was incorrect. Make sure it has at least 5 characters';
}
----Then, you wrap your upload code in a conditional statement-----
// make sure there were no errors before uploading content
if(!$error) {
    // all upload code goes here
}
It looks like your validation code and upload code are possibly in different files with how you separated them above. You would need them to run together, either as actually being part of the same file, or using the include() command. If you go the include() route you could simply put the conditional statement in the validation file and just put the include() command, referring to the upload code, inside the conditional statement. EX:
if(!$error) {
    include('path/to/uploadCode.php');
}
Hope that helps.
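As an added example, not part of any post in this thread: one way to gate the upload on the validation result and to address the injection question from the first post, using a PDO prepared statement and a server-generated file name. `validateBook()`, `saveBook()`, the `books` table, the generic "Please fill in" messages and the connection details are assumptions; it assumes PHP 7.4+ with the PDO MySQL and fileinfo extensions.

```php
<?php
// Added example: function names, "books" table and PDO credentials are assumptions.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const FIELDS = ['name', 'publication', 'year', 'description', 'linkToBuy', 'price'];

function validateBook(array $post, array $file): array
{
    $error = [];
    foreach (FIELDS as $f) {
        if (!is_string($post[$f] ?? null) || trim($post[$f]) === '') {
            $error[$f . 'Empty'] = "Please fill in $f";
        }
    }
    // A length check alone accepts "abcd"; require exactly four digits.
    if (empty($error['yearEmpty']) && !preg_match('/^\d{4}$/', trim($post['year']))) {
        $error['yearLength'] = 'Years can only have 4 digits';
    }
    if (empty($error['descriptionEmpty']) && strlen(trim($post['description'])) > 500) {
        $error['descriptionLength2'] = 'The description can only have up to 500 characters';
    }
    // Judge the upload by its error code and content, not its client-side name.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !isset(ALLOWED[(new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name'])])) {
        $error['imageURL'] = 'Please upload a JPEG, PNG or GIF image';
    }
    return $error;
}

function saveBook(PDO $db, array $post, array $file, string $dir): bool
{
    // Server-chosen name: no path components, no overwriting, no .php extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $pic = bin2hex(random_bytes(8)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . $pic)) {
        return false;
    }
    $values = array_map(fn($f) => trim($post[$f]), FIELDS);
    // Placeholders keep user input out of the SQL text.
    $stmt = $db->prepare('INSERT INTO books (name, publication, year, description,
        linkToBuy, price, imageURL) VALUES (?, ?, ?, ?, ?, ?, ?)');
    return $stmt->execute(array_merge($values, [$pic]));
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $error = validateBook($_POST, $_FILES['imageURL'] ?? []);
    if (empty($error)) {   // note the "$": a bare "error" is not the array
        $db = new PDO('mysql:host=localhost;dbname=example', 'username', 'password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        saveBook($db, $_POST, $_FILES['imageURL'], __DIR__ . '/../IMAGES/books/');
    }
}
```

Client-side checks such as the Spry form validation can be bypassed by posting directly to the script, so the server-side checks and the placeholders are what protect the database.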
Hi,
Thanks.
I did try wrapping the upload code in a conditional statement similar to the one you have provided. Which was basically my initial problem, it just didn't work.
But I'll try again.
Thanks for your help.
Would you mind showing me the code as you have it now? Please include both the validation code and the upload code. If they are in separate files please notify that somehow.
Hi, thanks for your help so far. I have moved away from the above and played around with another script which is giving me more joy.
Although have opened a new thread as having trouble with duplicate file names: http://forums.adobe.com/thread/919626
Cheers
Tom