This should do what you want
PHP Code:
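<?php
/*
 * Admin page for adding an album.
 *
 * Step 1 (default) renders the form; step 2 stores the uploaded cover image
 * and inserts the album row unless the same artist/name/year already exists.
 *
 * NOTE(review): the form carries no anti-CSRF token, so any page the admin
 * visits can submit it on their behalf. Add a per-session token generated from
 * a cryptographically secure source and verify it in step 2.
 * NOTE(review): the mysql_* extension used here was removed in PHP 7. Moving to
 * mysqli/PDO prepared statements needs a change in connect.php, which is not
 * visible from this file, so values are escaped with mysql_real_escape_string().
 */
session_start();

// Only a logged-in admin may continue. Stop right after the redirect header so
// nothing below can run for a client that ignores the Location header.
if (empty($_SESSION['admin'])) {
    header("Location:../index.php");
    exit;
}

include("../../connect.php");

// Fail closed: a session without a rank must not pass the "<= 3" test
// (null <= 3 is true in PHP). Assumes ranks 3 and below are the permitted
// roles, as in the original check - confirm against the login code.
if (!isset($_SESSION["rank"]) || !($_SESSION["rank"] <= 3)) {
    echo "you don't have the permision to view this page";
    exit;
}

// Array keys are quoted: the bare word step is an undefined constant.
$step = isset($_POST['step']) ? $_POST['step'] : "";
if ($step == "") {
    $step = 1;
}
?>
<link href="../../main.css" rel="stylesheet" type="text/css">
<?php
switch ($step) {
    case 1:
?>
<form action="add.php" method="post" enctype="multipart/form-data">
<table width="95%" border="0" cellspacing="0" align="center">
<tr>
<td>Artist:</td>
<td><select name="artist">
<?php
        $sql = "SELECT artist_id, artist_name FROM sean_grind_artist ORDER BY artist_name";
        $res_sql = mysql_query($sql);
        // mysql_query() returns false on failure; skip the loop in that case.
        while ($res_sql && ($result = mysql_fetch_array($res_sql))) {
            // Database text is escaped for HTML and the attribute is quoted, so
            // an artist name containing markup cannot break out of the option.
            echo '<option value="' . htmlspecialchars($result['artist_id'], ENT_QUOTES) . '">'
                . htmlspecialchars($result['artist_name'], ENT_QUOTES) . "</option>";
        }
?>
</select></td>
</tr>
<tr>
<td>Name:</td>
<td><input type="text" name="name"></td>
</tr>
<tr>
<td>Label:</td>
<td><input type="text" name="label"></td>
</tr>
<tr>
<td>Image:</td>
<td><input type="file" name="file"></td>
</tr>
<tr>
<td>year:</td>
<td><input name="year" type="text" size="4" maxlength="4"></td>
</tr>
<tr>
<td colspan="2"><input type="hidden" name="step" value="2">
<input type="submit" name="Submit" value="Continue"></td>
</tr>
</table>
</form>
<?php
        break;

    case 2:
        $name   = isset($_POST['name']) ? $_POST['name'] : "";
        $artist = isset($_POST['artist']) ? $_POST['artist'] : "";
        $label  = isset($_POST['label']) ? $_POST['label'] : "";
        $year   = isset($_POST['year']) ? $_POST['year'] : "";
        $sw_ok  = 1;

        // $_FILES replaces $HTTP_POST_FILES, which newer PHP versions no longer provide.
        $upload = (isset($_FILES['file']) && is_array($_FILES['file'])) ? $_FILES['file'] : array();
        // $userfile is where the file went on the web server
        $userfile = isset($upload['tmp_name']) ? $upload['tmp_name'] : "";
        // $userfile_name is the original file name (chosen by the client, untrusted)
        $userfile_name = isset($upload['name']) ? $upload['name'] : "";
        // $userfile_size is the size in bytes
        $userfile_size = isset($upload['size']) ? $upload['size'] : 0;
        // $userfile_type is the MIME type sent by the browser (untrusted, not used for decisions)
        $userfile_type = isset($upload['type']) ? $upload['type'] : "";
        // $userfile_error is any error encountered (an array here means a multi-file field)
        $userfile_error = isset($upload['error']) ? $upload['error'] : 0;

        if (is_array($userfile_error) || $userfile_error > 0) {
            echo 'Problem: ';
            switch ($userfile_error) {
                case 1:
                    echo 'File exceeded upload_max_filesize';
                    break;
                case 2:
                    echo 'File exceeded max_file_size';
                    break;
                case 3:
                    echo 'File only partially uploaded';
                    break;
                case 4:
                    echo 'No file uploaded';
                    break;
            }
            exit;
        }

        if ($userfile_name == "") {
            $userfile_name = "no.jpg";
        } else {
            if (!is_string($userfile) || !is_uploaded_file($userfile)) {
                // The client-supplied name is escaped before it is echoed back.
                echo 'Problem: Possible file upload attack. Filename: '
                    . htmlspecialchars($userfile_name, ENT_QUOTES);
                exit;
            }

            // Decide the type from the file content, never from the client's
            // name or MIME type. Adjust the allowlist to the formats you accept.
            $allowed = array(
                IMAGETYPE_GIF  => 'gif',
                IMAGETYPE_JPEG => 'jpg',
                IMAGETYPE_PNG  => 'png',
            );
            $info = getimagesize($userfile);
            if ($info === false || !isset($allowed[$info[2]])) {
                echo 'Problem: Only GIF, JPEG and PNG images are accepted';
                exit;
            }

            // Store under a server-chosen name: the content hash plus an
            // extension from the allowlist. The client's file name never
            // reaches the path, so it can neither leave the upload directory
            // nor pick an extension the server would execute.
            // The upload directory should also be configured not to run scripts.
            $userfile_name = sha1_file($userfile) . '.' . $allowed[$info[2]];
            $upfile = "/pathtosave/" . $userfile_name;

            if (!move_uploaded_file($userfile, $upfile)) {
                echo 'Problem: Could not move file to destination directory';
                exit;
            }
            echo 'File uploaded successfully';
        }

        // The INSERT below stored an undefined $image; record the stored file name.
        $image = $userfile_name;

        // Reject an album that already exists with the same artist, name and year.
        $sql = "SELECT album_artist, album_name, album_year FROM sean_grind_album";
        $res_sql = mysql_query($sql);
        while ($res_sql && ($result = mysql_fetch_array($res_sql))) {
            if ($artist == $result['album_artist'] && $name == $result['album_name'] && $year == $result['album_year']) {
                $sw_ok = 0;
            }
        }

        if ($sw_ok == 1) {
            // Every request value is escaped before it is placed in the statement.
            $SQL_update = sprintf(
                "INSERT INTO sean_grind_album (album_artist, album_name, album_image, album_label, album_year) VALUES ('%s','%s','%s','%s','%s')",
                mysql_real_escape_string($artist),
                mysql_real_escape_string($name),
                mysql_real_escape_string($image),
                mysql_real_escape_string($label),
                mysql_real_escape_string($year)
            );
            $bool = mysql_query($SQL_update);
            if ($bool == 1) {
                echo "<SCRIPT LANGUAGE=JavaScript>window.alert('De gegevens zijn aangepast.')</SCRIPT>";
            } else {
                echo "<SCRIPT LANGUAGE=JavaScript>window.alert('Er is een fout opgetreden bij het bewerken van de gegevens.')</SCRIPT>";
            }
        } else {
            echo "This cd has already been submitted";
        }
        break;
}
?>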
I've added this code to the above
PHP Code:
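// Upload handling for the "file" form field.
// $_FILES replaces $HTTP_POST_FILES, which newer PHP versions no longer provide.
$upload = (isset($_FILES['file']) && is_array($_FILES['file'])) ? $_FILES['file'] : array();
// $userfile is where the file went on the web server
$userfile = isset($upload['tmp_name']) ? $upload['tmp_name'] : "";
// $userfile_name is the original file name (chosen by the client, untrusted)
$userfile_name = isset($upload['name']) ? $upload['name'] : "";
// $userfile_size is the size in bytes
$userfile_size = isset($upload['size']) ? $upload['size'] : 0;
// $userfile_type is the MIME type sent by the browser (untrusted, not used for decisions)
$userfile_type = isset($upload['type']) ? $upload['type'] : "";
// $userfile_error is any error encountered (an array here means a multi-file field)
$userfile_error = isset($upload['error']) ? $upload['error'] : 0;

if (is_array($userfile_error) || $userfile_error > 0) {
    echo 'Problem: ';
    switch ($userfile_error) {
        case 1:
            echo 'File exceeded upload_max_filesize';
            break;
        case 2:
            echo 'File exceeded max_file_size';
            break;
        case 3:
            echo 'File only partially uploaded';
            break;
        case 4:
            echo 'No file uploaded';
            break;
    }
    exit;
}

if ($userfile_name == "") {
    $userfile_name = "no.jpg";
} else {
    if (!is_string($userfile) || !is_uploaded_file($userfile)) {
        // The client-supplied name is escaped before it is echoed back.
        echo 'Problem: Possible file upload attack. Filename: '
            . htmlspecialchars($userfile_name, ENT_QUOTES);
        exit;
    }

    // Decide the type from the file content, never from the client's name or
    // MIME type. Adjust the allowlist to the formats you accept.
    $allowed = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );
    $info = getimagesize($userfile);
    if ($info === false || !isset($allowed[$info[2]])) {
        echo 'Problem: Only GIF, JPEG and PNG images are accepted';
        exit;
    }

    // Put the file where we'd like it, under a server-chosen name: the content
    // hash plus an extension from the allowlist. The client's file name never
    // reaches the path, so it can neither leave the upload directory nor pick
    // an extension the server would execute.
    // The upload directory should also be configured not to run scripts.
    $userfile_name = sha1_file($userfile) . '.' . $allowed[$info[2]];
    $upfile = "/pathtosave/" . $userfile_name;

    if (!move_uploaded_file($userfile, $upfile)) {
        echo 'Problem: Could not move file to destination directory';
        exit;
    }
    echo 'File uploaded successfully';
}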
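You can modify the code to only allow certain file types by using the variable
$userfile_type, which contains the MIME type of the uploaded file. Keep in mind that this value is sent by the browser and can be set to anything, so treat it as a hint only and confirm the real type on the server (for example with getimagesize() for images) before accepting the file.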