I have a PHP script that generates an HTML form for users to upload a file. I save that file on the server using move_uploaded_file then read it using fgets() and perform database inserts based on certain check. Here's a simplified version of the code:
$cart_id = 18566;
if (empty($_POST))
{
echo "<form name=\"upload\" action=\"myscan.php\" id=\"myScan\" method=\"POST\" enctype=\"multipart/form-data\">";
echo "Choose the file to upload:<br>\r\n";
echo "<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"300000\" form=\"myScan\" />";
echo "<input type=\"file\" name=\"file\" form=\"myScan\" id=\"fileUp\" /><br>";
echo "<input type=\"submit\" value=\"Upload\" name=\"sub\" form=\"myScan\" />";
echo "<input type=\"hidden\" name=\"ck\" form=\"myScan\" value=\"".$cart_id."\" />";
echo "</form><br>";
}
else
{
// link to cart goes here
}
$fname = "1SCAN20131031123456";
if (!empty($_POST))
{
$allowedExts = array("txt", "csv");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ( ($_FILES["file"]["type"] == "text/plain"
|| $_FILES["file"]["type"] == "application/vnd.ms-excel")
&& array_search(strtolower($extension), array_map('strtolower', $allowedExts)) !== FALSE )
{
if ($_FILES["file"]["error"] > 0)
{
echo "Error: " . $_FILES["file"]["error"] . "<br>";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br>";
echo "Type: " . $_FILES["file"]["type"] . "<br>";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
echo "Stored in: " . $_FILES["file"]["tmp_name"]."<br>";
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"], $fname);
echo "Moved to: " . $fname . "<br>";
}
}
}
else
{
echo "Invalid file<br>";
echo "Type: " . $_FILES["file"]["type"] . "<br>";
echo "Upload: " . $_FILES["file"]["name"] . "<br>";
echo "Extension: " . $extension . "<br>\n";
}
At this point the file $fname is ok, no duplicated lines. The next part is called as a function declared in the same PHP file. $link, $fname, and $cart_id are declared as globals
$bn = basename($fname);
$sfd = fopen($fname, "r");
$store_number = "$bn[0]";
if(is_numeric($bn[1]))
$store_number .= $bn[1];
$a = stripos($bn, "SCAN");
$a += 4;
$dt = substr($bn, $a);
// echo "Date = $dt \n";
$fy = substr($dt, 0, 4);
$fM = substr($dt, 4, 2);
$fd = substr($dt, 6, 2);
$fh = substr($dt, 8, 2);
$fm = substr($dt, 10, 2);
$fs = substr($dt, 12, 2);
$fdate = "$fy-$fM-$fd $fh:$fm:$fs";
// echo $fname . ",";
// echo $store_number . ",";
while ($line = fgets($sfd))
{
$li = explode(",", $line);
if (sizeof($li) == 5)
{
$scan = $li[0];
$poQty = $li[1];
$cntQty = $li[2];
$limd = $li[3];
$lihms = $li[4];
$query = "INSERT INTO upload_datalog (file_name, store, filedate, scan, po_qty, cnt_qty, scan_md, scan_hms, cart_id)\n"
. "VALUES (\"$bn\", $store_number, \"$fdate\", \"$scan\", $poQty, $cntQty, \"$limd\", \"$lihms\", $cart_id)";
mysqli_query($link, $query);
}
else if ($fM < 8 || ($fM == 8 && $fd < 16 ))
{
$scan = $li[0];
$poQty = $li[2];
$cntQty = $li[1];
$limd = $li[3];
$lihms = $li[4];
$query = "INSERT INTO upload_datalog (file_name, store, filedate, scan, po_qty, cnt_qty, scan_md, scan_hms, cart_id)\n"
. "VALUES (\"$bn\", $store_number, \"$fdate\", \"$scan\", $poQty, $cntQty, \"$limd\", \"$lihms\", $cart_id)";
mysqli_query($link, $query);
}
else if (sizeof($li) == 3 && $li[0] != "" && $li[1] != "" &&$li[2] != "" )
{
$scan = $li[0];
$poQty = $li[2];
$cntQty = $li[1];
$query = "INSERT INTO upload_datalog (file_name, store, filedate, scan, po_qty, cnt_qty)\n"
. "VALUES (\"$bn\", $store_number, \"$fdate\", \"$scan\", $poQty, $cntQty)";
mysqli_query($link, $query);
}
}
fclose($sfd);
The file contains this information:
This all works more than 99 percent of the time, but twice in the past 2 weeks, the entries in the upload_datalog table have been duplicated. There is another function after this that also reads the file and performs inserts based on different checks, and those are duplicated as well.
I know this is an edge case, but I couldn't find any information as to why this would happen on php.net or through google, and I have not been able to reproduce it mysqlf. But I know it occurs in the wild.
Is there a race condition I'm not seeing here?
You do your inserts in a while loop, so you run twice through that loop?
For debugging, add a counter in your loop and create a small debug function, and a debug table. Insert the counter and data in your debug table. Compare these values with your expectations
Related
I've created an image upload using PHP, the idea being that the image will save to a directory and the path to the the database which is pretty standard. The problem is it wont save anything over 20kb. I have increased the max upload and post max size in the php.ini file to 10M and have also set size to < 200000kb in the function but it makes no difference. Can somebody please tell me where i have been banging my head off this for days now :(
File upload function (based on example at W3Schools)
function upload_file(){
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["page_main_image"]["name"]);
$extension = end($temp);
if ((($_FILES["page_main_image"]["type"] == "image/gif")
|| ($_FILES["page_main_image"]["type"] == "image/jpeg")
|| ($_FILES["page_main_image"]["type"] == "image/jpg")
|| ($_FILES["page_main_image"]["type"] == "image/pjpeg")
|| ($_FILES["page_main_image"]["type"] == "image/x-png")
|| ($_FILES["page_main_image"]["type"] == "image/png"))
&& ($_FILES["page_main_image"]["size"] < 200000)
&& in_array($extension, $allowedExts))
{
if ($_FILES["page_main_image"]["error"] > 0) {
echo "Return Code: " . $_FILES["page_main_image"]["error"] . "<br />";;
}
else {
echo "Upload: " . $_FILES["page_main_image"]["name"] . "<br />";
echo "Type: " . $_FILES["page_main_image"]["type"] . "<br />";
echo "Size: " . ($_FILES["page_main_image"]["size"] / 1024) . " kb<br />";
if (file_exists("uploads/" . $_FILES["page_main_image"]["name"]))
{
echo $_FILES["page_main_image"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["page_main_image"]["tmp_name"],
"uploads/" . $_FILES["page_main_image"]["name"]);
echo "Stored in: " . "uploads/" . $_FILES["page_main_image"]["name"] . "<br />";
$image="{$_FILES['page_main_image']['name']}";
}
}
}
else {
echo "Invalid file";
}
return $image;
}
The form processing is as follows:
<?php
if (isset($_POST['submit'])) {
//Process the form
$image = upload_file();
$project_id = $_POST['project_id'];
//var_dump ($project_id);
$wireframe_title = mysql_prep($_POST["wireframe_title"]);
$browser_title = $_POST["browser_title"];
$url_key = $_POST["url_key"];
$wireframe_type = $_POST["wireframe_type"];
//$image = $_POST["page_main_image"];
$page_bg_color = $_POST ["page_bg_color"];
$query = "INSERT INTO wireframes (";
$query .= " project_id, wireframe_title, browser_title, url_key, wireframe_type, page_main_image, page_bg_color";
$query .= " ) VALUES (";
$query .= " '{$project_id}','{$wireframe_title}', '{$browser_title}', '{$url_key}', '{$wireframe_type}', '{$image}', '{$page_bg_color}' ";
$query .= ")";
echo $query;
try { $result = mysqli_query($connection, $query);
} catch (Exception $e) {
return 'Caught exception: '+ $e->getMessage()+ "\n";
}
//Test if there was a query error
if ($result) {
//Success
// would normally use a redirect ie redirect_to("somepage.php");
//$message = "Subject created.";
redirect_to("wireframes.php?id=$project_id");
}else {
//failure
//$message = "Subject creation failed.";
//redirect_to("add_project.php");
echo $query;
}
} else {
// This is probably a GET request
redirect_to("add_edit_wireframe.php?id= echo $_GET[$project_id]");
}
?>
The size in $_FILES is expressed in bytes. 200.000 = around 195 kilobyte.
Did you tested it without that condition in the if statement?
Can someone please tell me what I have done wrong with this code, I am connecting to localhost to the database called video. Then I am inserting in to table location and its column location the value $videoLocation.
The result I get is when I open my browser is
<?php
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
?>
What I am trying to achieve with this code is for the video to appear on my webpage once a user has submitted it.
<?php
$allowedExts = array("jpg", "jpeg", "gif", "png", "mp3", "mp4", "wma");
$allowType = array("video/mp4","audio/mp3","audio/wma","image/png","image/gif","image/jpeg");
$maxSize = 20000000000000;
$extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
$pathToUpload = 'upload/';
if( in_array($_FILES["file"]["type"], $allowType) && in_array($extension, $allowedExts) && $_FILES["file"]["size"] <= $maxSize)
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
if (file_exists($pathToUpload . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"], $pathToUpload . $_FILES["file"] ["name"]);
$videoLocation = "upload/".$_FILES['file']['name'];
// now insert $videoLocation into a database table
$db = new mysqli('127.0.0.1', 'root', '', 'video');
INSERT INTO location (location)
VALUES ($videoLocation)
//so you can fetch it on whatever page you feel like
}
}
}
else
{
echo "Invalid file";
}
?>
try this
$db = new mysqli('127.0.0.1', 'root', '', 'video');
$stmt = $db->prepare("INSERT INTO location (location) VALUES (?)");
$stmt->bind_param('s', $videoLocation);
$stmt->execute();
//so you can fetch it on whatever page you feel like
I recently answer a question for someone else who wanted to store image files in the database. Here is how to do it:
1) the database column must be defined as longblob.
Next, the code uses PDO rather than mysqli.
// database connection...
$dsn = 'mysql:host=localhost;dbname=testmysql';
$username = 'test';
$password = 'test';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$connection = new PDO($dsn, $username, $password, $options);
$connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Then you need an open file handle as follows:
$fileVideo = fopen($videoLocation,'rb');
Then you prepare your statement and bind the file:
$stmt = $connection->prepare("INSERT INTO location (location) VALUES (?)");
$stmt->bindParam(1, $fileVideo, PDO::PARAM_LOB);
$connection->beginTransaction();
$stmt->execute();
$connection->commit();
fclose($fileVideo);
I haven't test the above on your files but the original code that was like the above but with names changes worked fine.
So i have a file upload feature on my site and rather than redirect to the php script page, I want to have an iframe that displays the message returned by the script. So here's my html:
<iframe class="iframe" name="my_iframe" src="upload_file.php" style="display:none;"></iframe>
<form id="uploadForm" action="upload_file.php" method="post" enctype="multipart/form-data" target="my_iframe">
So basically I want to hide my iframe UNTIL I the upload process finishes and the script returns a message. Here's my php script:
<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
session_start();
$allowedExts = array("doc", "docx");
$extension = pathinfo( $_FILES["upload"]["name"],PATHINFO_EXTENSION);
$username = $_SESSION["username"];
if (($_FILES["upload"]["size"] < 200000)
&& in_array($extension, $allowedExts)) {
if ($_FILES["upload"]["error"] > 0)
{
echo "Return Code: " . $_FILES["upload"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["upload"]["name"] . "<br />";
echo "Type: " . $_FILES["upload"]["type"] . "<br />";
echo "Size: " . ($_FILES["upload"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["upload"]["tmp_name"] . "<br />";
$dir_exists = is_dir("/disks/*/*/*/*/". $_SESSION["FirstName"] ."-".$_SESSION["username"]."/");
$file_exists = file_exists("/disks/*/*/*/*/".$_SESSION["FirstName"] ."-".$_SESSION["username"]."/" . $_FILES["upload"]["name"]);
$folderName=$_SESSION["FirstName"];
$baseDir = "/disks/*/*/*/*/";
// Create directory if it does not exist
if (! $dir_exists) {
if (is_writable($baseDir)) {
mkdir($baseDir . $_SESSION["FirstName"]."-".$_SESSION["username"]);
} else {
trigger_error($baseDir. " is not writeable");
}
}
if ($file_exists) {
echo $_FILES["upload"]["name"] . " already exists. ";
} else {
$link = new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***');
$proptype = $_POST["prop_cat"];
$stmt = $link->prepare("UPDATE Table SET `PType`=:proptype WHERE Username=:username");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':proptype', $proptype);
$stmt->execute();
move_uploaded_file($_FILES["upload"]["tmp_name"],
$baseDir. $_SESSION["FirstName"] ."-".$_SESSION["username"]."/". $_FILES["upload"]["name"]);
echo "Stored in: " . $baseDir. $_SESSION["FirstName"] ."-".$_SESSION["username"]."/". $_FILES["upload"]["name"];
}
}
} else {
echo "Invalid file";
}
?>
So basically to sum up my question: How can I hide the iframe until upload finishes, and then display it with the message that the user can close like an alert box?
Can you echo the Iframe at the end of the upload instead of trying to hide it then show it at the top?
if ($file_exists) {
echo $_FILES["upload"]["name"] . " already exists. ";
} else {
$link = new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***');
$proptype = $_POST["prop_cat"];
$stmt = $link->prepare("UPDATE Table SET `PType`=:proptype WHERE Username=:username");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':proptype', $proptype);
$stmt->execute();
move_uploaded_file($_FILES["upload"]["tmp_name"],
$baseDir. $_SESSION["FirstName"] ."-".$_SESSION["username"]."/". $_FILES["upload"]["name"]);
echo "Stored in: " . $baseDir. $_SESSION["FirstName"] ."-".$_SESSION["username"]."/". $_FILES["upload"]["name"];
/// load the iframe now ///////////////
echo '<iframe class="iframe" name="my_iframe" src="upload_file.php"></iframe>';
///////////////////////////////////////
}
I am trying to combined these two script (a file upload) and (a mysql update) so that the image file is both uploaded to the correct folder and the file path is then updated in the mysql database. I know the $sql update query is wrong and thats where my trouble is. Any help would be great.
//db connection
require "connect.db.php";
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 20000))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
}
}
}
else
{
echo "Invalid file";
}
// update data in mysql database
$sql="UPDATE `characters` SET ch_image='/upload/$_FILES["file"]["name"]' WHERE ID='$id'";
$result=mysql_query($sql);
// if successfully updated.
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='test.html'>View result</a>";
touch('../file.html');
clearstatcache();
}
else {
echo "Whoops: " . mysql_error(); ;
}
mysql_close();
?>
change $sql to this
$sql="UPDATE `characters` SET ch_image='/upload/" . $_FILES['file']['name'] . "' WHERE ID='$id'";
Uploading an image into a directory, it seems to always try upload "" which is nothing. Rather then an actual image. What am I doing below. I know the value is "" because of what it inserts into the database.
<li class="formProductImage">
<span>Image:</span>
<input type="file" name="productImage" />
</li>
and the php:
if ($_FILES["productImage"]["error"] > 0)
{
echo "Return Code: " . $_FILES["productImage"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["productImage"]["name"] . "<br />";
echo "Type: " . $_FILES["productImage"]["type"] . "<br />";
echo "Size: " . ($_FILES["productImage"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["productImage"]["tmp_name"] . "<br />";
$filename = mysql_real_escape_string($_FILES['productImage']['name']);
$query = "UPDATE products SET image = '$filename' WHERE name = '$name'";
$result = mysql_query($query);
if (mysql_affected_rows() == 1) {
// Show thank you message
echo '<span style="color:green;">Your image was added to database correctly.</span>';
if (file_exists("uploaded/" . $_FILES["productImage"]["name"]))
{
echo $_FILES["productImage"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["productImage"]["tmp_name"],
"uploaded/" . $_FILES["productImage"]["name"]);
echo "Stored in: " . "uploaded/" . $_FILES["productImage"]["name"];
}
} else {
echo '<font color="red">Image note inserted into database.</font>';
echo mysql_error();
}
}
}
}
Make sure you have enctype="multipart/form-data" in the <form> tag.
change this line:
$filename = mysql_real_escape_string($_FILES['file']['name']);
to :
$filename = mysql_real_escape_string($_FILES['productImage']['name']);