
uploading file

Jul 3, 2012 8:45 PM

I am creating an upload form. One of the fields is a file. It does not seem to be working though. The file is not being uploaded. Here is my code:

 

form:

<input type="file" name="upload" id="upload" size="48" value="<?php if($flag) { echo $_FILES['file']['name']; } ?>" />

 

php:

move_uploaded_file($_FILES["upload"]["tmp_name"], "http:/mysite.com/uploads/");

 

Anything that I'm missing?

 
Replies
  • Jul 4, 2012 7:30 AM   in reply to future-architect

    You're missing giving the file a name.

     

    move_uploaded_file($_FILES["upload"]["tmp_name"], "http:/mysite.com/uploads/" . $_FILES['upload']['name']);

     

    Also, I'm puzzled by this:

     

    value="<?php if($flag) { echo $_FILES['file']['name']; } ?>"

     

    Why are you trying to insert a value? And shouldn't it be $_FILES['upload']['name'] instead of $_FILES['file']['name']?
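
An added example, not part of the original thread: `move_uploaded_file()` takes a filesystem path as its destination, and the client-supplied name is safer kept out of the stored filename. The upload directory, extension allowlist, size limit and function name below are assumptions.

```php
<?php
// Added example: store an upload from the thread's "upload" field.
// The form must use method="post" and enctype="multipart/form-data".
// UPLOAD_DIR, ALLOWED_EXT and MAX_BYTES are assumptions; adjust for your site.
const UPLOAD_DIR  = __DIR__ . '/uploads';   // filesystem path, not a URL
const ALLOWED_EXT = ['png', 'jpg', 'gif', 'pdf'];
const MAX_BYTES   = 2 * 1024 * 1024;

function store_upload(array $file): string
{
    // PHP reports transport problems (too large, partial, none) in 'error'.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'n/a'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The client controls 'name': keep only its extension, and only if allowed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File type not allowed');
    }
    // A server-generated name cannot contain "../" or overwrite another file.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() only moves files that arrived via HTTP POST.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return basename($target);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    try {
        $stored = store_upload($_FILES['upload']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```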

     
  • Jul 5, 2012 4:11 AM   in reply to future-architect

    What the host means is that you can't upload text files. I suspect the reason for that is to prevent scripting attacks.

     

    If you allow people to upload files for immediate display, a text file could contain malicious JavaScript that would be executed as soon as the page is displayed.

     

    Try this:

     

    <?php include('script.txt'); ?>

     

    The content of script.txt should look like this:

     

    <script>

    alert('Boo!');

    </script>

     

    When you load the PHP page into a browser, it executes the script, and displays an alert box with "Boo!".
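
An added example, not part of the original reply: the same script.txt content read as data and HTML-escaped before output, so the browser shows the markup as text instead of running it. The function name and the constructed sample file are assumptions.

```php
<?php
// Added example: show an uploaded text file without letting it run.
// include() would also execute any PHP code in the file, so the content is
// read as data with file_get_contents() and escaped for the HTML context.
function render_uploaded_text(string $path): string
{
    $text = file_get_contents($path);
    if ($text === false) {
        throw new RuntimeException('Cannot read file');
    }
    // <, >, &, " and ' become entities; the browser displays them literally.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre>' . $safe . '</pre>';
}

// Constructed sample: the script.txt content from the reply above.
$path = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($path, "<script>\nalert('Boo!');\n</script>\n");

echo render_uploaded_text($path), "\n";
unlink($path);
```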

     
  • Jul 9, 2012 12:18 PM   in reply to future-architect

    Instead of uploading the file to a folder for later download, you can insert the text file into the database as a blob. Then you can also spit out the text file using PHP to reconstruct it all. Here is my code for doing that. Please note the following:

     

    1.)  You need to add additional fields to the table for size, type, and name of file.  Finally, you need to create a blob field to hold the actual text file.

    2.)  The upload code does NOT properly sanitize against SQL injection.  This is on a private network and therefore acceptable.  You will need to make sure you sanitize the input so you are not subject to a SQL injection attack.  The purpose of this is to show you how it all works.

     

    First here is the form section:

     

     

    <form action="upload.php" method="post" enctype="multipart/form-data" id="form1">
      <p>
        <label for="fileField"></label>
        File Name: <span id="sprytextfield1">
          <label for="friendly_name"></label>
          <input type="text" name="friendly_name" id="friendly_name" />
          <span class="textfieldRequiredMsg">A value is required.</span></span></p>
      <p>
        <input type="file" name="fileUpload" id="fileField" />
      </p>
      <p>
        <input type="submit" name="button" id="button" value="Submit" />
      </p>
    </form>

     

    Here is the upload.php section:

     

    <?php
    $friendly_name=$_POST['friendly_name'];
    $name = $_FILES['fileUpload']['name'];
    $tmpName = $_FILES['fileUpload']['tmp_name'];
    $size = $_FILES['fileUpload']['size'];
    $type = $_FILES['fileUpload']['type'];

    $fp = fopen($tmpName, 'r');
    $data = fread($fp, filesize($tmpName));
    $data = addslashes($data);
    fclose($fp);

    if(!get_magic_quotes_gpc())
    {
        $name = addslashes($name);
    }

    ?>

    <?php

      $SQL="INSERT INTO files set message_id='".$messageid."', friendly_name='".$friendly_name."', category='".$category."', name='".$name."', size='".$size."', type='".$type."', data='".$data."'";

      mysql_select_db($database_board, $board);
      mysql_query($SQL, $board) or die(mysql_error());
      header ('Location:new_post2.php');

    ?>

     

    Finally, here is the snippet from the page that puts the file back together again so the user can download:

     

    <?php
    $colname_Recordset1 = "-1";
    if (isset($_POST['id'])) {
      $colname_Recordset1 = $_POST['id'];
    }
    mysql_select_db($database_board, $board);
    $query_Recordset1 = sprintf("SELECT * FROM files WHERE id = %s", GetSQLValueString($colname_Recordset1, "int"));
    $Recordset1 = mysql_query($query_Recordset1, $board) or die(mysql_error());
    $row_Recordset1 = mysql_fetch_assoc($Recordset1);
    $totalRows_Recordset1 = mysql_num_rows($Recordset1);
    ?>
    <?php header("Content-length: $row_Recordset1[size]");
    header("Content-type: $row_Recordset1[type]");
    header("Content-Disposition: attachment; filename=$row_Recordset1[name]");
    echo $row_Recordset1['data']; ?>
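
An added example, not the poster's code: the same store-and-download flow with PDO prepared statements, so form fields and file bytes are bound as parameters instead of being concatenated into the SQL, and with the download headers built from sanitized values. It assumes a PDO connection, the `files` table from the post (the message_id and category columns are left out for brevity) and hypothetical function names.

```php
<?php
// Added example: the PDO handle and function names are assumptions.
function store_file(PDO $pdo, array $file, string $friendlyName): int
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Detect the type from the bytes; $file['type'] is sent by the client.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name'])
        ?: 'application/octet-stream';
    $size = filesize($file['tmp_name']);
    $fp   = fopen($file['tmp_name'], 'rb');
    $stmt = $pdo->prepare(
        'INSERT INTO files (friendly_name, name, size, type, data)
         VALUES (:friendly, :name, :size, :type, :data)'
    );
    // Bound values never become part of the SQL text, so no addslashes().
    $stmt->bindValue(':friendly', $friendlyName);
    $stmt->bindValue(':name', basename($file['name']));
    $stmt->bindValue(':size', $size, PDO::PARAM_INT);
    $stmt->bindValue(':type', $type);
    $stmt->bindParam(':data', $fp, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function send_file(PDO $pdo, int $id): void
{
    $stmt = $pdo->prepare('SELECT name, data FROM files WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    // Some drivers return LOB columns as streams.
    $data = is_resource($row['data']) ? stream_get_contents($row['data']) : $row['data'];
    // Replace CR/LF, quotes and other unsafe characters in the stored
    // filename so it cannot break out of the header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['name']);
    // Serve as an opaque download and forbid content sniffing.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . strlen($data));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    echo $data;
}
```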

     