PHP and MySQL file upload, does not always upload file to server

Question

chris_j_haines 0 Light Poster

13 Years Ago

Hi

I have an occasional problem with the following scripts

Here is the file upload form

<?php

	session_start();
	if(isset($_SESSION['username']) ==  false){
	header("Location: login.php");
	exit();
	}

	if(($_SESSION['userlevel']) != 'admin'){
	header("Location: login.php");
	exit();
	}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>LCAC Administration</title>
<LINK href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="container">
<div id="header">
	<table width="980px">
	<tr>
	<td align="left"><img src="images/lcaclogo.gif" width="100px" height="100px"></td>
	<td><h1>LCAC Administration</h1></td>
	</tr>
	</table>
</div>
<div id="navigation"><ul><li>Add New Contact - Upload Photo</li></ul></div>
<div id="content-container">
<div id="section-navigation">
<ul>
<li><a href="viewcontactlistadmin.php">Contact List Admin</a></li>
<li><a href="logout.php">Log Out</a></li>
</ul>
</div>
<div id="content">
<center><img src="images/newcontactstepone.jpg"></center>
<p>To add a new contact you must first <b><u>upload a photo</u></b>. Once you have added a photo you will be taken to a form to add the information about the contact</p>
<form enctype="multipart/form-data" action="processupload.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
<center>Choose photo to upload: <input name="uploadedfile" type="file" /><br><br>
<input type="submit" value="Go to next step >>" /><center>
</form>
</div>
<div id="footer">Copyright &copy LCAC, 2011</div>
</div>
</body>
</html>

Here is the contact details form:

<?php
	session_start();
	if(isset($_SESSION['username']) ==  false){
	header("Location: login.php");
	exit();
	}

	if(($_SESSION['userlevel']) != 'admin'){
	header("Location: login.php");
	exit();
	}

	require "connect.php";
	$filename = $_GET['file'];


	$query= "SELECT Name FROM diocese";
	$result = mysql_query($query, $connection)
	or die("Unable to perform query<br>$query");



?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>LCAC Administration</title>
<LINK href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="container">
	<div id="header">
	<table width="980px">
	<tr>
	<td align="left"><img src="images/lcaclogo.gif" width="100px" height="100px"></td>
	<td><h1>LCAC Administration</h1></td>
	</tr>
	</table>
	</div>
	<div id="navigation"><ul><li>Add Contact</li></ul></div>
	<div id="content-container">
	<div id="section-navigation">
	<ul>
		<li><a href="index.php">Home</a></li>
		<li><a href="contactlistadmin.php">Contact List Admin</a></li>
		<li><a href="logout.php">Log Out</a></li>
	</ul>
	</div>
	<div id="content">
<center><img src="images/newcontactsteptwo.jpg"></center>
<center>
<form enctype="multipart/form-data" name="addcontact" action="processaddcontact.php" mehtod="POST">
<fieldset>
<legend>Name</legend>
<label class="label">Title</label> <input type="text" name="title"><br>
<label class="label">Firstname</label> <input type="text" name="firstname"><br>
<label class="label">Surname</label> <input type="text" name="surname"><br>
</fieldset>
<fieldset>
<legend>Address</legend>
<label class="label">House No/Name</label> <input type="text" name="house"><br>
<label class="label">Street</label> <input type="text" name="street"><br>
<label class="label">Town/City</label> <input type="text" name="town"><br>
<label class="label">County</label> <input type="text" name="county"><br>
<label class="label">Country</label> <input type="text" name="country"><br>
<label class="label">Zip/Postcode</label> <input type="text" name="postcode">
</fieldset>
<fieldset>
<legend>Internet</legend>
<label class="label">Email</label> <input type="text" name="email"><br>
<label class="label">Website</label> <input type="text" name="website">
</fieldset>
<fieldset>
<legend>Telephone Numbers</legend>
<label class="label">Home</label> <input type="text" name="home"><br>
<label class="label">Mobile</label> <input type="text" name="mobile"><br>
</fieldset>
<fieldset>
<legend>Parish</legend>
<label class="label">Diocese/Order</label>
<select name="diocese">
<?php
while ($row = mysql_fetch_array($result)) {
    echo "<option value='" . $row['Name'] . "'>" . $row['Name'] . "</option>";
}
?>
</select>
<label class="label">Parish</label> <input type="text" name="parish"><br>
<label class="label">Additional Info</label> <input type="text" name="additionalinfo">
</fieldset>
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
<input name="uploadedfile" type="hidden" value="<?php echo "$filename"; ?>" /><br />
</fieldset>
<br>
<input class="submit" name="submit" type="submit" value="Add Contact">
<br>
</form>
</center>
</div>
	<div id="footer">Copyright &copy LCAC, 2011</div>
</div>
</body>
</html>

Here is the proccesaddcontact.php

<?php
	session_start();
	require "connect.php";

	$title= $_GET['title'];
	$firstname= $_GET['firstname'];
	$surname= $_GET['surname'];
	$house= $_GET['house'];
	$street= $_GET['street'];
	$town= $_GET['town'];
	$county= $_GET['county'];
	$country= $_GET['country'];
	$postcode= $_GET['postcode'];
	$email= $_GET['email'];
	$website= $_GET['website'];
	$home= $_GET['home'];
	$mobile= $_GET['mobile'];
	$diocese = $_GET['diocese'];
	$parish= $_GET['parish'];
	$moreinfo= $_GET['additionalinfo'];
	$photo= $_GET['uploadedfile'];

	$query = "insert into contacts values(0,
	'".$title."',
	'".$firstname."',
	'".$surname."',
	'".$house."',
	'".$street."',
	'".$town."',
	'".$county."',
	'".$country."',
	'".$postcode."',
	'".$email."',
	'".$website."',
	'".$home."',
	'".$mobile."',
	'".$diocese."',
	'".$parish."',
	'".$moreinfo."',
	'".$photo."')";

	$result = mysql_query($query, $connection)
 	or die ("Unable to perform query" . mysql_error());

	header("Location: viewcontactlistadmin.php");
?>

I can upload some files but others do not upload to server please can someone help me?

Thanks
Chris

mysql php

4 Contributors
5 Replies
174 Views
10 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by stoopkid

sv3tli0 0 Junior Poster in Training

13 Years Ago

by some files what do you mean ?
some file types?
or its uploads/not upload same file types..
Those files names are latinic or not?

its very possible the problem to come out from the file name..

Edited 13 Years Ago by sv3tli0 because: n/a

diafol

13 Years Ago

Doesn't make sense to me:

<form enctype="multipart/form-data" name="addcontact" action="processaddcontact.php" mehtod="POST">

mehtod -> method
I can't see why "POST" when you're using $_GET to process
Why "multipart/form-data" if no file upload involved?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

chris_j_haines 0 Light Poster · Answer 1 · 2011-09-06T03:02:12+00:00

I am trying to upload .jpg files but some of them it does not upload but enters the filename to the database. and sometimes it uploads to the server but filename does not go into database. Its really bizarre and I really need help

diafol · Answer 2 · 2011-09-06T03:18:45+00:00

dunno if it will make a diff:

<input name="uploadedfile" type="hidden" value="<?php echo $filename; ?>" />

notice without the x2 quotes.

BUT as I said originally, and you seem to have ignored:

<form enctype="multipart/form-data" name="addcontact" action="processaddcontact.php" mehtod="POST">

WILL NOT WORK
Do this:

<form name="addcontact" action="processaddcontact.php" method="POST">

Equally, this WILL NOT WORK:

$title= $_GET['title'];
	$firstname= $_GET['firstname'];
	$surname= $_GET['surname'];
	$house= $_GET['house'];
	$street= $_GET['street'];
	$town= $_GET['town'];
	$county= $_GET['county'];
	$country= $_GET['country'];
	$postcode= $_GET['postcode'];
	$email= $_GET['email'];
	$website= $_GET['website'];
	$home= $_GET['home'];
	$mobile= $_GET['mobile'];
	$diocese = $_GET['diocese'];
	$parish= $_GET['parish'];
	$moreinfo= $_GET['additionalinfo'];
	$photo= $_GET['uploadedfile'];

You need to use $_POST instead of the $_GET in each case.

You also seem to be adding PK values to the DB. Stipulate the fields explicitly

INSERT INTO table (field1,field2,field3) VALUES ('value1','value2','value3')

Leave out the autoincrement field altogether. It will be assigned automatically.

Also you don't clean (sanitize) any of your data. This will lead to SQL injection. read up on mysql_real_escape_string().

stoopkid 6 Junior Poster in Training · Answer 3 · 2011-09-06T03:42:41+00:00

To follow up with ardav, you should always check to make sure the variables are actually set. With that, make sure the <form method=""> you are using is the same as the php method ($_POST,$_GET,$_REQUEST).

if(isset($_GET['title'])) { $title= mysql_real_escape_string($_GET['title']); }
    if(isset($_GET['firstname'])) { $firstname= mysql_real_escape_string($_GET['firstname']); }
    if(isset($_GET['surname'])) { $surname= mysql_real_escape_string($_GET['surname']);
    if(isset($_GET['house'])) { $house= mysql_real_escape_string($_GET['house']); }

and so on for all of your variables.

As ardav pointed out, you want to use mysql_real_escape_string() to avoid SQL injection. Make sure that your database information (ex: include('config.php') is available on the page, otherwise the function will return an error (can't connect).