I am using a PHP form POST which puts data (into a Text file) into my SQL database and then the codes create a unique download link to be able to download the Text file from the SQL database. The connection to the SQL database works perfectly.
But all I`m getting is "We couldn't find the file to download."
The Form (index.php) whereby I input the data to be input into the Text File
<form action="index2.php" method="POST">
<input name="field1" type="text" />
<input name="field2" type="text" />
<input type="submit" name="submit" value="Save Data">
</form>
Index2.php (This creates the Text File and inserts the details from the Form. It also creates the unique download link to download the file.)
<?php
if(isset($_POST['field1']) && isset($_POST['field2'])) {
$data = $_POST['field1'] . '-' . $_POST['field2'] . "\n";
$ret = file_put_contents('/tmp/mydata.txt', $data, FILE_APPEND | LOCK_EX);
}
else {
die('no post data to process');
}
?>
<?php
//connect to the DB
$resDB = mysql_connect("xxx", "xxx", "xxx");
mysql_select_db("xxx", $resDB);
function createKey(){
//create a random key
$strKey = md5(microtime());
//check to make sure this key isnt already in use
$resCheck = mysql_query("SELECT count(*) FROM downloads WHERE downloadkey = '{$strKey}' LIMIT 1");
$arrCheck = mysql_fetch_assoc($resCheck);
if($arrCheck['count(*)']){
//key already in use
return createKey();
}else{
//key is OK
return $strKey;
}
}
//get a unique download key
$strKey = createKey();
//insert the download record into the database
mysql_query("INSERT INTO downloads (downloadkey, file, expires) VALUES ('{$strKey}', '{$ret}', '".(time()+(60*60*24*7))."')");
?>
<html>
<head>
<title>One Time Download Example</title>
</head>
<h1>One Time Download Example</h1>
<p>Your unique download URL is:</p>
<strong>download.php?key=<?=$strKey;?></strong>
<p>This link will allow you to download the source code a single time within the next 7 days.</p>
</html>
Finally, download.php that checks everything and downloads the Text File from the database.
<?php
//The directory where the download files are kept - keep outside of the web document root
$strDownloadFolder = "/downloads/";
//If you can download a file more than once
$boolAllowMultipleDownload = 0;
//connect to the DB
$resDB = mysql_connect("xxx", "xxx", "xxx");
mysql_select_db("xxx", $resDB);
if(!empty($_GET['key'])){
//check the DB for the key
$resCheck = mysql_query("SELECT * FROM downloads WHERE downloadkey = '".mysql_real_escape_string($_GET['key'])."' LIMIT 1");
$arrCheck = mysql_fetch_assoc($resCheck);
if(!empty($arrCheck['file'])){
//check that the download time hasnt expired
if($arrCheck['expires']>=time()){
if(!$arrCheck['downloads'] OR $boolAllowMultipleDownload){
//everything is hunky dory - check the file exists and then let the user download it
$strDownload = $strDownloadFolder.$arrCheck['file'];
if(file_exists($strDownload)){
//get the file content
$strFile = file_get_contents($strDownload);
//set the headers to force a download
header("Content-type: application/force-download");
header("Content-Disposition: attachment; filename=\"".str_replace(" ", "_", $arrCheck['file'])."\"");
//echo the file to the user
echo $strFile;
//update the DB to say this file has been downloaded
mysql_query("UPDATE downloads SET downloads = downloads + 1 WHERE downloadkey = '".mysql_real_escape_string($_GET['key'])."' LIMIT 1");
exit;
}else{
echo "We couldn't find the file to download.";
}
}else{
//this file has already been downloaded and multiple downloads are not allowed
echo "This file has already been downloaded.";
}
}else{
//this download has passed its expiry date
echo "This download has expired.";
}
}else{
//the download key given didnt match anything in the DB
echo "No file was found to download.";
}
}else{
//No download key wa provided to this script
echo "No download key was provided. Please return to the previous page and try again.";
}
?>
Related
I am trying to make a PHP form that will only allow the user to update the MySQL Table column photo, if the photo column is blank. Currently, the form will still update the photo column even if there is data other than "blank" data. For example, the photo column contains the data "columbia.jpg" and the user submits the form with the image "Jefferson.jpg" in the first input. The image column's data gets replaced from columbia.jpg to jefferson.jpg when it is not supposed to replace it at all. Instead it should return an error message stating that the user must first delete the old image before adding a new one. The column data should only get replaced when the column data is equal to "blank". (Not the word "blank" but "".)
Here is my full PHP page code:
<?php
if (isset($_GET["id"])) {
$sn = (int)($_GET["id"]);
?>
<!DOCTYPE html>
<head>
<title>MySQL file upload example</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<form action="<?php $_PHP_SELF ?>" method="post" enctype="multipart/form-data">
Photo 1: <input type="file" name="photo"><br>
<input name="add_image" id="add_image" type="submit" value="Upload file">
</form>
<p>
See all files
</p>
</body>
</html>
<?php
if(isset($_POST['add_image']))
{
$dbLink = new mysqli('daom', 'sm', 'aer', 'kabm');
//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
$pic=($_FILES['photo']['name']);
$query = "SELECT photo FROM used_trailers WHERE id = $sn";
$result = mysqli_query($dbLink, $query);
$array=mysqli_fetch_assoc($result);
if($query = " "){
//Writes the information to the database
$query1 =
"UPDATE used_trailers ".
"SET photo = '$pic' ".
"WHERE id = $sn" ;
// Execute the query
$results = $dbLink->query($query1);
// Check if it was successfull
if($results) {
echo 'Success! Your file was successfully added!';
}
else {
echo 'Error! Failed to insert the file'
. "<pre>{$dbLink->error}</pre>";
}
//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
//Tells you if its all ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded to Photo 1, and your information has been added to the directory";
}
else {
//Gives and error if its not
echo "Sorry, there was a problem uploading your image.";
}
} else {
echo '<p>You must first delete the "Photo 1" image, $array, in order to add a new photo. This is to prevent the server from overloading with too many images.</p>';
}
}
}
echo "$query1";
?>
Thank you for any help. All help is appreciated.
There are some errors in your script. First of all if ($query = " ") will always return true, because you are assigning the variable $query the string " ". To correctly check this, you'd need to use if ($query == " ").
However, this won't solve your problem as $query is the query - not the result. This should work
$query = "SELECT photo FROM used_trailers WHERE id = $sn";
$result = mysqli_query($dbLink, $query);
$array = mysqli_fetch_assoc($result);
if (empty($array['photo'])){
//etc.
}
I have a download button and when i click on it, instead of saving to disk it opens it in the browser. I tried a bunch of attempts to make it open in the browser but it doesnt seem to do anything
<?php
// make a connection to the database
require_once("connection/connection.php");
//retrieve the ID from the url to fetch the specific details
if ($_GET['id'] != ""){
$item_id = $_GET['id'];
$bad_id = FALSE;
}
else{
$item_id = "";
$bad_id = TRUE;
}
//select the specific item from the database
// run if statement to ensure valid id was passed
if (is_numeric ($_GET['id'])){
$query = "SELECT name FROM repository WHERE item_id = '$item_id'";
$result = mysql_query($query) or die(mysql_error());
// assign the values to an array
$row = mysql_fetch_assoc($result);
//assign the values from the array to variables
$name = $row['name'];
}
// define path to the xml file
$file = "xml/".$hud_name . "_cfg.xml";
// check to make sure the file exists
if(!file_exists($file)){
die('Error: File not found.');
} else{
// Set headers
header("Content-Type: application/xml");
header("Content-Disposition:attachment; filename=".basename($file)."");
readfile($file);
}
?>
That is download.php and it obviously finds the file because it doesnt give the error about it not existing. It also echos back the correct file path
Then on another page i have:
<img src="images/download.png" alt=""/>
Any ideas whats wrong?
Well the solution turned out to be simple in the end but i didnt see any documentation saying the header must be the very first line. If i placed:
header("Content-Type: application/xml");
as the first line and then the coding below it and the other header info at the end it works. Im not sure if that's the solution or a workaround but it fixed it for me
Back again with another newbie question. I've been working on a document that will allow users to upload their own avatars to a blog that I'm creating to learn some PHP. I've been working on this document for two days now and I've spent over six hours of searching and trying different things to fix it but I just can't get it to get past this:
if(move_uploaded_file($_FILES['avatar']['name'], $target)){
//good message
echo "Your avatar was successfully uploaded.";
}else{
//bad message
echo "Your avatar couldnt be uploaded, please contact an admin.";
}
It does send the "bad message" finally after about an hour of trying different solutions but I'm not quite sure why it is giving me the "bad message", to me everything looks okay.
FULL CODE:
<?php
session_start();
if (isset($_SESSION['username'])){
if (isset($_POST['submit']) && isset($_FILES['avatar'])) {
$con = mysql_connect("localhost","root","");
if (!$con){
die('Could not connect: ' . mysql_error());
}
mysql_select_db('webserver', $con);
$username = $_SESSION['username'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
$id = $row['id'];
//Directory to save stuff
$target = "images/useravatars";
$target = $target . basename($_FILES['avatar']['tmp_name']);
//Save the avatar
if(move_uploaded_file($_FILES['avatar']['name'], $target)){
//good message
echo "Your avatar was successfully uploaded.";
}else{
//bad message
echo "Your avatar couldnt be uploaded, please contact an admin.";
}
}else{
echo "38";
}
}
?>
<form enctype="multipart/form-data" action='uploadavatar.php' method='POST'>
<table>
<tr>
<td>
Upload an avatar:
</td>
</tr>
<td>
<input type='file' name='avatar'>
</td>
</tr>
</table>
<p>
<input enctype='multipart/form-data' type='submit' name='submit' value='Submit'>
</p>
</form>
By the way I'm sorry there is probably a bunch of useless code in there, I have spent a bunch of time just getting it far enough to give me an error.
The location where the uploaded file is stored on disk is $_FILES['avatar']['tmp_name']. You want to move that, not $_FILES['avatar']['name'].
The problem here is that, you're using move_uploaded_file() in wrong way.
The first parameter requires a filename with its extension, without base path, like
mypic.jpg. The second requires a destination where that file should be uploaded.
As for your code,
Replace this,
//Directory to save stuff
$target = "images/useravatars";
$target = $target . basename($_FILES['avatar']['tmp_name']);
//Save the avatar
if(move_uploaded_file($_FILES['avatar']['temp'], $target)){
with
// I'd assume that dirname(__FILE__) refers to your root
//Directory to save stuff
$destination = sprintf('%s/images/useravatars/%s', dirname(__FILE__), $_FILES['avatar']['name']);
//Save the avatar
if (move_uploaded_file($_FILES['avatar']['tmp_name'], $destination)) {
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
files get uploaded just before they get cancelled
I have a situation when it comes to cancelling a file upload. What is suppose to happen is that if the user clicks on the "Cancel" button, then it will go to script below and remove the file from the server and delete the file's records from the database:
cancelaudio.php
<?php
session_start();
// connect to the database
include('connect.php');
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
die();
}
unlink("AudioFiles/" . $_SESSION['AudioFile']); //undefined notice
$delete = $mysqli->prepare('DELETE FROM Audio WHERE AudioId = ?');
$delete->bind_param("i",$_SESSION['lastAudioID']);
$delete->execute();
$deleteaud = $mysqli->prepare('DELETE FROM Audio_Question WHERE AudioId = ?');
$deleteaud->bind_param("i",$_SESSION['lastAudioID']);
$deleteaud->execute();
?>
Now this is the situation I am having:
If I clean my cookies, it means obviously I have no files stored my $_SESSION variable. Now if I try to upload a file (first file) but then cancel it, then I get an undefined index notice for "AudioFile". This is fair as obviously I have no file stored in that $_SESSION variable. But the problem is that it does not perfrom the unlink() and DELETE statement in the code above so it will display the record of the file and still uploads it.
So what is happening is that until I have one file in the server and a file stored in the $_SESSION['AudioFile'], it would not remove the file from the server and and it would delete the record from the database.
So what my question is that what do I need to do so that if there is no file in the $_SESSION['AudioFile'] and the user uploads and then cancels a file, how can I stop it from inserting the file into the server and inserting the database record?
Below is the code where it uploads the files and inserts the data into the database:
audioupload.php
<?php
session_start();
ini_set('display_errors',1);
error_reporting(E_ALL);
// connect to the database
include('connect.php');
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
die();
}
$result = 0;
if( file_exists("AudioFiles/".$_FILES['fileAudio']['name'])) {
$parts = explode(".",$_FILES['fileAudio']['name']);
$ext = array_pop($parts);
$base = implode(".",$parts);
$n = 2;
while( file_exists("AudioFiles/".$base."_".$n.".".$ext)) $n++;
$_FILES['fileAudio']['name'] = $base."_".$n.".".$ext;
move_uploaded_file($_FILES["fileAudio"]["tmp_name"],
"AudioFiles/" . $_FILES["fileAudio"]["name"]);
$result = 1;
}
else
{
move_uploaded_file($_FILES["fileAudio"]["tmp_name"],
"AudioFiles/" . $_FILES["fileAudio"]["name"]);
$result = 1;
}
$audiosql = "INSERT INTO Audio (AudioFile)
VALUES (?)";
if (!$insert = $mysqli->prepare($audiosql)) {
// Handle errors with prepare operation here
}
//Dont pass data directly to bind_param store it in a variable
$insert->bind_param("s",$aud);
//Assign the variable
$aud = 'AudioFiles/'.$_FILES['fileAudio']['name'];
$insert->execute();
if ($insert->errno) {
// Handle query error here
}
$insert->close();
$lastAudioID = $mysqli->insert_id;
$_SESSION['lastAudioID'] = $lastAudioID;
$_SESSION['AudioFile'] = $_FILES["fileAudio"]["name"];
$audioquestionsql = "INSERT INTO Audio_Question (AudioId, QuestionId)
VALUES (?, ?)";
if (!$insertaudioquestion = $mysqli->prepare($audioquestionsql)) {
// Handle errors with prepare operation here
echo "Prepare statement err audioquestion";
}
$qnum = (int)$_POST['numaudio'];
$insertaudioquestion->bind_param("iii",$lastAudioID, $qnum);
$insertaudioquestion->execute();
if ($insertaudioquestion->errno) {
// Handle query error here
}
$insertaudioquestion->close();
?>
Below is the HTML form for the file input:
<form action='audioupload.php' method='post' enctype='multipart/form-data' target='upload_target_audio' onsubmit='return audioClickHandler(this);' class='audiouploadform' >
Audio File: <input name='fileAudio' type='file' class='fileAudio' /></label><br/><br/><label class='audiolbl'>
<input type='submit' name='submitAudioBtn' class='sbtnaudio' value='Upload' /></label>
<input type='hidden' class='numaudio' name='numaudio' value='" + GetFormAudioCount() + "' />
<label><input type='reset' name='audioCancel' class='audioCancel' value='Cancel' /></label>
<iframe class='upload_target_audio' name='upload_target_audio' src='#' style='width:300px;height:300px;border:0px;solid;#fff;'></iframe></form>
Finally below is the jquery function where if the user clicks on the "Cancel" button while the file is uploading, it will simply change the iframe source to "cancelaudio.php":
function startAudioUpload(audiouploadform){
$(audiouploadform).find('.audiof1_upload_process').css('visibility','visible');
$(audiouploadform).find('.audiof1_upload_form').css('visibility','hidden');
sourceAudioForm = audiouploadform;
$(audiouploadform).find(".audioCancel").on("click", function(event) {
$('.upload_target_audio').get(0).contentwindow
$("iframe[name='upload_target_audio']").attr("src", "cancelaudio.php");
return stopAudioUpload();
});
return true;
}
To get rid of your undefined index stuff, plus make your script a lot more robust, you SHOULD add error checking. Even a simple
if ($_FILES['fileAudio']['error'] === UPLOAD_ERR_OK) {
... successful upload ...
}
would reduce a lot of your problems. Right now your code simply assumes a successful upload, without even bothering to check if an upload was event attempted.
The various error codes for failure are defined here: http://php.net/manual/en/features.file-upload.errors.php
I have created together a pretty simple Download Code redeemer in .php (thanks to help from here) and am having a hard time trying to figure out what the best way to serve a download is if the validation is successful. Basically -
User enters invalid code -> Page is refreshed with error message.
User enters valid code -> Give download 'Save as' -> refresh page.
At the minute I'm using http://www.zubrag.com/scripts/download.php to serve the file but once it has started downloading, my form refreshes the page but only half loads the content?!
This is the form with the PHP script I did.
<div class="dcrForm">
<p>Have a physical copy of this release? Claim your digital download by entering your Download Code below.</p>
<form action="index.php" method="post">
<input type="text" name="code" class="dcrInput" value="">
<input type="submit" name="harrisSubmit" class="dcrSubmit" value="Submit">
</form>
<?php
include("scripts/dcr_config.php");
$code="";
$log="";
if (isset($_POST['harrisSubmit']))
{
$code=$_POST['code'];
$link = mysql_connect($hostname, $dbusername, $dbpassword);
mysql_select_db("$databasename");
$query = "select count from $harris where code='$code'";
if ($q=mysql_query($query))
if ($r=mysql_fetch_array($q)){
if ($r[0]<3)
{
$subquery="update $tbname set count='".($r[0]+1)."' where code='$code'";
mysql_query($subquery);
?><script>window.location.href="download.php?f=test.txt";</script><?php
}
}
$log="<p>Invalid code. Try Again.</p>";
}
echo $log."";
?>
</div>
Does anyone have an ideas on what the best way to serve the download would be? I know that currently anyone who had the file location could download the file but I'm not sure how I could go about protecting i
I am glad you have made it this far!
If you are going to redirect the user to a download script, that script would need to have some sort of token attached to it as to prevent unauthorized downloads, basically re-verifying the code or token given.
In the above script, instead of outputting the javascript to redirect to the download script you could do this:
<?php
include "scripts/dcr_config.php";
$code = "";
$log = "";
if (isset($_POST['harrisSubmit'])) {
$code = trim($_POST['code']);
$link = mysql_connect ( $hostname, $dbusername, $dbpassword );
mysql_select_db ( "$databasename" );
$code = mysql_real_escape_string($code); // very important! protects against exploits
$query = "select count from $harris where code='$code'";
if ($q = mysql_query ( $query )) {
if ($r = mysql_fetch_array ( $q )) {
if ($r [0] < 3) {
$subquery = "update $tbname set count='" . ($r [0] + 1) . "' where code='$code'";
mysql_query ( $subquery );
$file = '/path/to/protecteddownload.txt';
// send file to browser as a download dialog
// no content can be output prior to these header() calls
header('Content-type: application/octet-stream');
header('Content-Disposition: attachment; filename="file.txt"');
header('Content-Length: ' . filesize($file));
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
echo file_get_contents($file);
exit; // terminate script
} else {
$log = 'Sorry, this code has already been redeemed.';
}
} else {
$log = 'Invalid download code. Try again.';
}
} else {
// query failed
$log = 'An error occurred validating your code, please try again later.';
}
$log = "<p>Invalid code. Try Again.</p>";
}
?>
<?php if (isset($log) && $log != ''): ?>
<strong class="error"><?php echo $log ?></strong>
<?php endif; ?>
<div class="dcrForm">
<p>Have a physical copy of this release? Claim your digital download by
entering your Download Code below.</p>
<form action="index.php" method="post"><input type="text" name="code"
class="dcrInput" value=""> <input type="submit" name="harrisSubmit"
class="dcrSubmit" value="Submit"></form>
</div>
The download script is probably similar to some of what I have above.
The key thing about this example is that the file you are serving with file_get_contents, is not accessible from the web. You only send it when a valid code is entered.
I have just 1 quick question, how big is this file? Could this be a case that the php timeout is being experienced while reading the file to the browser?
You could play around with the php settings to confirm this (http://php.net/manual/en/function.set-time-limit.php).
Just my 2 cents