Uploading Image using PHP and mySQL


Hi All,

First of all, a very big thank you to all of you for solving my Password() encryption problem.

Now I'm stuck on a new problem, which is image not uploading. I'm using the following code.


Regards

Nasreen

<?php

include ("header.php");
include ("dbconnect.php");

$submit=$_REQUEST["submit"] ;
$aname=$_REQUEST["aname"];
$aboutu=$_REQUEST["urself"];
$file=$_REQUEST["file"];
$url_provided = $_REQUEST["url_provided"];

echo($aname);
if ($submit == "Sign!")
{

    function getImageFile($file){
        $takeFile = fopen($file, "r");
        $file = fread($takeFile, filesize($file));
        fclose($takeFile);
        return $file;
    }

    function getfileType( $name ){
        $name = explode(".", $name);
        $name = array_reverse($name);
        $name = $name[0];
        return $name;
    }
    $allowedImageTypes = array("gif","jpg","png");
    if(empty($_FILES['image_file']['tmp_name'])){
        echo "File not uploaded";
    }
    else {
        $fileType = $_FILES['file']['name'];
        if(in_array(getfileType($fileType), $allowedImageTypes)){
            $fileContent = getImageFile($_FILES['file']['tmp_name']);
            $uploadedImage = chunk_split(base64_encode($fileContent));
            $query = "INSERT INTO artist (name,about_u,imgdata, profile_url) VALUES('$aname','$aboutu','$uploadedImage','$url_provided')" ;

            $result = mysql_query($query);
            if(mysql_affected_rows() > 0){
                echo "Image has been inserted succesfully";
            }
            else {
                echo "Image can not be inserted check your submission";
            }
        }
        else {
            echo "This is not a true image type";
        }
    }

}
?>
<div align="center" class="style1">
<h1>Artist Profile Form</h1>
<p> </p>
<form action="artist.php" method="post" enctype="multipart/form-data">
<table width="397" border="0">
<tr>
<th width="221" scope="col"><h4 align="right">Name:</h4></th>
<th width="166" scope="col"><div align="left">
<input name="aname" type="text" id="username3">
</div></th>
</tr>
<tr>
<th scope="row"><div align="right">About Yourself </div></th>
<td><div align="left">
<textarea name="urself"></textarea>
</div></td>
</tr>
<tr>
<th scope="row"><div align="right"> Profile export from myspace/face book </div></th>
<td><div align="left">
<input name="url_provided" type="text" id="repass">
</div></td>
</tr>
<tr>
<th scope="row"><div align="right">Upload Photo </div></th>
<td><div align="left">
<input type="file" name="file">
</div></td>
</tr>
<tr>
<th scope="row"> </th>
<td>
<input type="submit" name="submit" value="Sign!">
<input type="reset" name="Reset" value="Reset"></td>
</tr>
</table>
</form>
<p><strong></strong></p>
</div>


Nasreen Laghari [ Tue, 19 February 2008 00:43 ] [ ID #1924755 ]

Re: Uploading Image using PHP and mySQL

Nasreen Laghari wrote:
> Hi All,
>
> First of all, a very big thank you to all of you for solving my Password() encryption problem.
>
> Now I'm stuck on a new problem, which is image not uploading. I'm using the following code.

Which bit breaks exactly? Nobody's going to read through 200 lines of code..


$query = "INSERT INTO artist (name,about_u,imgdata, profile_url)
VALUES('$aname','$aboutu','$uploadedImage','$url_provided')" ;

You have an sql injection problem here. Read up about that on the
phpsec.org site:

http://phpsec.org/projects/guide/3.html#3.2

and a really good basic guide here:

http://unixwiz.net/techtips/sql-injection.html

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
dmagick [ Tue, 19 February 2008 00:56 ] [ ID #1924758 ]

Re: Uploading Image using PHP and mySQL

On Feb 18, 2008 6:56 PM, Chris <dmagick [at] gmail.com> wrote:

> Which bit breaks exactly? Nobody's going to read through 200 lines of code..

Normally, you're right.... but today I did just to be a jerk and
prove you wrong. ;-P

> Nasreen Laghari wrote:
> > Hi All,
> >
> > First of all, a very big thank you to all of you for solving my Password() encryption problem.
> >
> > Now I'm stuck on a new problem, which is image not uploading. I'm using the following code.
[snip!]
$allowedImageTypes = array("gif","jpg","png");
if(empty($_FILES['image_file']['tmp_name'])){
echo "File not uploaded";
}
else {
$fileType = $_FILES['file']['name'];
if(in_array(getfileType($fileType), $allowedImageTypes)){
[snip!]

Nasreen,

The above code depends on two things:
a.) The getfiletype() response exactly matches at least one of
the entries in the array $allowedImageTypes
b.) The response and array entry are matched cAsE-sEnSiTiVeLy

If you're uploading an image that was created in Windows Paint,
for example, the extension will be CAPITALIZED (imagename.JPG) by
default. Try using a strtolower() in your getfiletype() function to
see if it clears things up.

>
>
> $query = "INSERT INTO artist (name,about_u,imgdata, profile_url)
> VALUES('$aname','$aboutu','$uploadedImage','$url_provided')" ;
>
> You have an sql injection problem here. Read up about that on the
> phpsec.org site:
>
> http://phpsec.org/projects/guide/3.html#3.2
>
> and a really good basic guide here:
>
> http://unixwiz.net/techtips/sql-injection.html

--
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

parasane [ Tue, 19 February 2008 16:42 ] [ ID #1924760 ]
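
The extension check discussed above, as an added example that is not part of any post in the thread: it lower-cases the extension before comparing and looks the upload up by field name, since the posted script tests $_FILES['image_file'] while the form's input is named "file". The names getFileTypeLower() and rejectReason() and the sample $_FILES entry are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The $_FILES-style entry is constructed.
const ALLOWED_IMAGE_TYPES = ['gif', 'jpg', 'png'];

// Extension of the client-supplied filename, lower-cased so "JPG" matches "jpg".
// The name comes from the client; it does not prove the bytes are an image.
function getFileTypeLower(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Returns null when the entry passes, otherwise the reason it was rejected.
function rejectReason(array $files, string $field): ?string {
    if (!isset($files[$field])) {
        return "no upload field named '$field'";
    }
    $entry = $files[$field];
    if ($entry['error'] !== UPLOAD_ERR_OK) {
        return "upload error code {$entry['error']}";
    }
    if (!in_array(getFileTypeLower($entry['name']), ALLOWED_IMAGE_TYPES, true)) {
        return 'extension not allowed';
    }
    return null;
}

// Constructed request: one upload arriving under the form's field name "file".
$files = [
    'file' => [
        'name'     => 'imagename.JPG',
        'tmp_name' => '/tmp/phpA1b2C3',
        'error'    => UPLOAD_ERR_OK,
        'size'     => 20480,
    ],
];

// Look the upload up under both keys the posted script uses.
foreach (['image_file', 'file'] as $field) {
    echo $field, ': ', rejectReason($files, $field) ?? 'accepted', "\n";
}

// The comparison as posted (no strtolower), for contrast.
$parts = explode('.', $files['file']['name']);
$matches = in_array(end($parts), ALLOWED_IMAGE_TYPES, true);
echo 'case-sensitive match: ', var_export($matches, true), "\n";
```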

Re: Uploading Image using PHP and mySQL

On Feb 18, 2008 6:56 PM, Chris <dmagick [at] gmail.com> wrote:
> $query = "INSERT INTO artist (name,about_u,imgdata, profile_url)
> VALUES('$aname','$aboutu','$uploadedImage','$url_provided')" ;
>
> You have an sql injection problem here. Read up about that on the
> phpsec.org site:
>
> http://phpsec.org/projects/guide/3.html#3.2
>
> and a really good basic guide here:
>
> http://unixwiz.net/techtips/sql-injection.html

And in addition to the links Chris suggested, also RTFM on
mysql_real_escape_string(). It'll be your new best friend (unless
you're already using mysqli).

--
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

parasane [ Tue, 19 February 2008 16:43 ] [ ID #1924761 ]
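
The INSERT that Chris flagged, next to a prepared-statement form, as an added example that is not part of any post in the thread. It uses PDO with an in-memory SQLite database instead of the thread's mysql_* calls so that it runs without a server (assumes the pdo_sqlite extension); the function names and the input values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database (assumes pdo_sqlite) so it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE artist (name TEXT, about_u TEXT, imgdata TEXT, profile_url TEXT)');

// The thread's pattern: request values pasted straight into the SQL text.
function insertInterpolated(PDO $pdo, array $in): string {
    $query = "INSERT INTO artist (name,about_u,imgdata, profile_url) "
           . "VALUES('{$in['aname']}','{$in['urself']}','{$in['img']}','{$in['url_provided']}')";
    try {
        $pdo->exec($query);
        return 'inserted';
    } catch (PDOException $e) {
        // A quote inside a value changes how the statement parses.
        return 'failed: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and the values travel separately.
function insertPrepared(PDO $pdo, array $in): string {
    $stmt = $pdo->prepare(
        'INSERT INTO artist (name, about_u, imgdata, profile_url) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$in['aname'], $in['urself'], $in['img'], $in['url_provided']]);
    return 'inserted';
}

// Constructed form input: an ordinary name that contains an apostrophe.
$input = [
    'aname'        => "Sinead O'Connor",
    'urself'       => "Singer; it's a test profile",
    'img'          => base64_encode('constructed image bytes'),
    'url_provided' => 'http://example.com/profile',
];

echo 'interpolated: ', insertInterpolated($pdo, $input), "\n";
echo 'prepared:     ', insertPrepared($pdo, $input), "\n";
echo 'stored name:  ', $pdo->query('SELECT name FROM artist')->fetchColumn(), "\n";
```

With mysqli the same shape is prepare() followed by bind_param('ssss', ...) and execute().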