EDIT: This is a original code, that is working ok. sorry for formating.
<?php
$target = "images/";
if(!is_dir($target)) mkdir($target); $target = $target . basename( $_FILES['photo']['name']);
$uvod = $_POST['uvod']; $text = $_POST['text']; $nadpis = $_POST['nadpis']; $datum = date("Y-m-d");
if (isset($_POST['zobrazeno'])) {
$zobrazeno = 1; } else {
$zobrazeno = 0; }
$fname=($_FILES['photo']['name']); $funiquename = uniqid() . $fname; $tmpName = $_FILES['photo']['tmp_name']; $fileSize = $_FILES['photo']['size']; $fileType = $_FILES['photo']['type'];
$fp = fopen($tmpName, 'r'); $content = fread($fp, filesize($tmpName)); $content = addslashes($content); fclose($fp);
if(!get_magic_quotes_gpc()){ $fname = addslashes($fname);}
require_once 'db_config.php'; $db_server=mysql_connect($db_hostname,$db_username,$db_password);
if(!$db_server) die("Unable to connect to MySQL" .mysql_error());
mysql_select_db($db_database,$db_server) or die("Unable to connect to database" .mysql_error());
$sql = "INSERT INTO `aktuality` (`nadpis`, `uvod`, `text`, `datum`, `zobrazeno`, `obr_nazev`, `obr_pripona`, `obr_velikost`, `obr_data`) VALUES ('$nadpis', '$uvod', '$text', '$datum', '$zobrazeno', '$funiquename','$fileType','$fileSize','$content')";
mysql_query($sql);
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target)) {
echo "The file ". basename( $_FILES['photo']['name']). " has been uploaded, and your information has been added to the directory";
} else {
echo "Sorry, there was a problem uploading your file.";
}
?>
Im a php beginner.
I have a problem with sending sql command as a string thru two php files.
This php file should call function sql_string() in sql.php, but there is nothing happens.
<?php
------some code here-------
include 'sql.php';
mysql_query(sql_string1());
------some code here------
?>
sql.php
<?php
function sql_string1()
{
$sql ="INSERT INTO `aktuality` (`nadpis`, `uvod`, `text`, `datum`, `zobrazeno`, `obr_nazev`, `obr_pripona`, `obr_velikost`, `obr_data`) VALUES ('$nadpis', '$uvod', '$text', '$datum', '$zobrazeno', '$funiquename','$fileType','$fileSize','$content')";
return $sql;
}
?>
Thanks for your help!
Try doing this for the query to work:
<?php
------some code here-------
include 'sql.php';
$sql = sql_string1() ;
mysql_query($sql) or die(mysql_error());
------some code here------
?>
You should also be able to see what the error is if that query failed.
Related
In my website, I want to allow the user to upload files (they will be stored in a database) and then allow them to download the uploaded files after that. The uploading process is done without errors and they are saved in binary.
The downloading process also works but the downloaded files are corrupted !
Any idea why?
The uploading code:
<?php require_once('Connections/databasestudents.php'); ?>
<?php
$fileName = $_FILES['file']['name'];
$tmpName = $_FILES['file']['tmp_name'];
$fileSize = $_FILES['file']['size'];
$fileType = $_FILES['file']['type'];
$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
$studentId = $_POST['studentId'];
fclose($fp);
$query = "INSERT INTO file (studentId, fileName, fileType, fileContent ) ".
"VALUES ('$studentId', '$fileName', '$fileType', '$content')";
mysql_select_db($database_databasestudents, $databasestudents);
mysql_query($query) or die('Error, query failed');
header("Location: students.php");
die();
?>
The download code:
<?php require_once('Connections/databasestudents.php'); ?>
<?php
mysql_select_db($database_databasestudents, $databasestudents);
$query = 'SELECT fileName, fileContent, fileType, LENGTH(fileContent) as fileSize from file WHERE id="'. $_GET ['id'].'";';
$Recordset1 = mysql_query($query, $databasestudents) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$result = mysql_query($query);
$row = mysql_fetch_array($result, MYSQL_BOTH);
$size = $row['fileSize'];
$type = $row['fileType'];
$name =$row['fileName'];
$fileContent = $row['fileContent'];
echo $size . "". $type . " ". $name;
header("Content-length: $size");
header("Content-type: $type");
header("Content-Disposition: attachment; filename=$name");
echo $fileContent;
mysql_close();
?>
Use PDOs and prepared statements. This may fix the issue, and it will fix the SQL injection vulnerability in the download code (which currently allows people to hack your database).
PDO has "large objects" (LOBs) support meant for exactly what you are doing. It will be much more efficient than what you are currently doing. The documentation provides excellent example code which does more or less exactly what you want.
I've figured it out .. jus removing this line from the download code:
echo $size . "". $type . " ". $name;
Need Help:
I am using a simple PHP code to upload photos into remote database. But.. Everytime, two copies of one photo is saved int the DB.
Can anyone tell me whats I am doing wrong?
PHP Code:
<?PHP
$uploadDir = 'image_folder/';
$uploadDir = 'image_folder/';
if(isset($_POST['Submit'])) //info saving in the variables
{
$fileName = $_FILES['Photo']['name'];
$tmpName = $_FILES['Photo']['tmp_name'];
$fileSize = $_FILES['Photo']['size'];
$fileType = $_FILES['Photo']['type'];
$filePath = $uploadDir . $fileName;
$result = move_uploaded_file($tmpName, $filePath); //moving the photo in the destination
if (!$result) {
echo "Error uploading file";
exit;
}
if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
$filePath = addslashes($filePath);
}
echo "".$filePath."";
$query = "INSERT INTO picture (image) VALUES ('$filePath')";
if (mysql_query($query))
{echo "Inserted";}
mysql_query($query) or die('Error loading file!');
}?>
if (mysql_query($query))
{echo "Inserted";}
mysql_query($query) or die('Error loading file!');
you are calling mysql_query($query) twice
You are doing mysql_query($query) two times, first in IF{} and right after it. :D
ps. mysql_* functions are depricated, use PDO or mysqli
You are using mysql_query two times. Try this:
if (mysql_query($query)) {
echo "Inserted";
} else {
die('Error loading file!');
}
You are executing mysql_query twice. Modify your if to:
if (mysql_query($query)) {
echo "Inserted";
} else {
die('Error loading file!')
}
And, remove the following line:
mysql_query($query) or die('Error loading file!');
Note: Make sure that you read the warning box in http://in2.php.net/mysql_query. mysql_* functions are deprecated.
I made a simple script to insert files as BLOB (mediumblob) in MySQL Database.
The script works fine, the file is uploaded and saved into the table but when I download the file and I try to open it, it says: "File type HTML document (text/html) is not supported"!
This means there was an error while saving the file's type!
Here is my code, please tell me what can be wrong in it:
upload.php :
if (isset($_POST['upload']))
{
if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0)
{
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];
$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);
if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
}
$p = $cnx->prepare('INSERT INTO commandes (name, size, type, content) VALUES(:name, :size, :type, :content)');
$p->execute(array('name'=>$fileName, 'size'=>$fileSize, 'type'=>$fileType, 'content'=>$content));
echo "<br>File $fileName uploaded<br>";
}
}
Download.php :
$p = $cnx->prepare('SELECT cmd_id, name FROM commandes');
$p->setFetchMode(PDO::FETCH_OBJ);
$p->execute();
if($p->rowCount() == 0)
{
echo "0 Element <br />";
}
else
{
while($data = $p->fetch())
{
?>
<?php echo $data->name;?> <br>
<?php
}
}
if(isset($_GET['id']))
{
$id = $_GET['id'];
$q = $cnx->prepare('SELECT * FROM commandes WHERE cmd_id = :cmd_id');
$q->setFetchMode(PDO::FETCH_OBJ);
$q->execute(array('cmd_id'=>$id));
while($getFile = $q->fetch())
{
header("Content-length: $getFile->size");
header("Content-type: $getFile->type");
header("Content-Disposition: download; filename=$getFile->name");
echo $getFile->pdf;
exit;
}
}
Thank you!
What is the output for the response headers?
Can you ensure that "Content-type" is "Content-Type"
Also, using a debugger to inspect the response is really valuable.
http://fiddler2.com/get-fiddler
Here is my code. I am not getting an error statement, but the data is not inserted into the table. I tried running the query in PHPMyAdmin and it worked fine. It is also not because of user privileges.
if ($mysql->connect_errno) {
echo("Connect failed: ". $mysql->connect_error);
die();
}
echo "I am confused by this thing<br>";
if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0)
{
echo "Trying to figure out the errors!!!!<br>";
$fileName = $mysql->real_escape_string($_FILES['userfile']['name']);
$tmpName = $mysql->real_escape_string($_FILES['userfile']['tmp_name']);
$fileSize = intval($_FILES['userfile']['size']);
$fileType = $mysql->real_escape_string($_FILES['userfile']['type']);
echo $fileName."<br>";
echo $tmpName."<br>";
echo $fileSize."<br>";
echo $fileType."<br>";
//reads the file information
$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = $mysql->real_escape_string(addslashes($content));
fclose($fp);
//this just adds slashes
This adds slashes
if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
}
//This inserts into the databse
$query = "INSERT INTO upload VALUES ('', '$fileName', '$fileType', $fileSize, '$content')";
This is the line where the code messes up... It just hangs and never prints out the die message
$updateDB = $mysqli->query($query) or die($mysqli->error);
It never prints out this line.
echo "<br>File $fileName uploaded<br>";
}
You are working with $mysql object on the top and abruptly, you triggered your query on $mysqli object.
Change
$updateDB = $mysqli->query($query) or die($mysqli->error);
to
$updateDB = $mysql->query($query) or die($mysql->error);
I'm able to upload a file to mysql but when i download it, the content changes.. example i have test.txt with
"hello"
on it.. when i download it, the test.txt becomes
< pre class='xdebug-var-dump' dir='ltr'>string 'sfasfsafasfsaf' (length=14)
sfasfsafasfsaf
not sure, what's wrong..
this is my code for downloading the file:
<?php include("class_lib.php");
$db = new database();
$db->connect();
if(isset($_GET["file_id"])){
$file_id = $_GET["file_id"];
$query = "SELECT filename, filetype, filesize, bin_data " .
"FROM file_tbl WHERE id = '$file_id'";
$result = mysql_query($query) or die('Error, query failed' . mysql_error());
list($filename, $filetype, $filesize, $bin_data) = mysql_fetch_array($result);
var_dump($bin_data);
header("Content-length: $filesize");
header("Content-type: $filetype");
header("Content-Disposition: attachment; filename=$filename");
echo $bin_data;
}
?>
for images also, it downloads but there's no image anymore.. it only shows "no preview available".. is this with my download script above?
or maybe this upload script i have:
$fileid = (string) ($lastemp_id + 1);
$fileName = basename($_FILES['binFile']['name']);
$extension = pathinfo($fileName, PATHINFO_EXTENSION);
$fileName .= "_fileid_" . $fileid;
$fileName = $fileName.".".$extension;
$tmpName = $_FILES['binFile']['tmp_name'];
$fileSize = $_FILES['binFile']['size'];
$fileType = $_FILES['binFile']['type'];
$fileDesc = $_POST["txtDescription"];
$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);
if(!get_magic_quotes_gpc()){ $fileName = addslashes($fileName); }
if (isset($fileName)) {
$sql = "INSERT INTO file_tbl ";
$sql .= "(file_desc, bin_data, filename, filesize, filetype) ";
$sql .= "VALUES ('$fileDesc', '$content', ";
$sql .= "'$fileName', '$fileSize', '$fileType')";
mysql_query($sql, $db->connection) or die('Error: query failed' . mysql_error());
$message = "File uploaded.<br>"; var_dump($content);
}
else $message = "No file uploaded. (opt)";
what is wrong here exactly??
You're recklessly jamming binary data into your database without even a whiff of proper SQL escaping. What did you expect to happen? This short sample of code is so full of severe SQL injection bugs I hope for your sake it isn't deployed on the public internet.
For your own safety you should immediately stop using the creaky, old, deprecated mysql_query interface and spend the small amount of time necessary to switch your queries to PDO.
You would not have problems like this if you were using placeholders.
What you're seeing is probably the result of your spurious var_dump statement before you output your proper content.
Please try this, if upload file is flawless.
You can encode your binary data to 64 format when insert into database and also decode before download it.
<?php
ob_start();
include("class_lib.php");
$db = new database();
$db->connect();
if(isset($_GET["file_id"])){
$file_id = $_GET["file_id"];
$query = "SELECT filename, filetype, filesize, bin_data " .
"FROM file_tbl WHERE id = '$file_id'";
$result = mysql_query($query) or die('Error, query failed' . mysql_error());
list($filename, $filetype, $filesize, $bin_data) = mysql_fetch_array($result);
var_dump($bin_data);
ob_end_clean();
header("Content-length: $filesize");
header("Content-type: $filetype");
header("Content-Disposition: attachment; filename=$filename");
echo $bin_data;
exit;
}
?>