Issue with PHP file uploads
I have the following code to register new users, They photos are uploaded renamed and moved to a folder however i keep getting errors saying photo is undefined, I think it must be a (stupid) issue with my form that im missing but I've stepped though my code repeatably and cant work this out.
<?php
include 'includes/config.inc.php';
//error_reporting(0);
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);
echo '<center>
<form name="login" action="register.php" method="post">
Username: <input type="text" name="username"/><br>
Password: <input type="password" name="password"/><br>
Email: <input type="text" name="email"/><br>
First Name: <input type="text" name="firstname"/><br>
Last Name: <input type="text" name="lastname"/><br>
Photo: <input type="file" name="photo" id="photo"/><br>
<small>Files must be; PNG, JPEG, JPG</small>
<input type="submit" value="Register"/>
<input type="hidden" name="submitted" value="1">
</form>
<br>
<br>
';
if (isset($_POST['submitted'])){
if ($_POST['submitted']==1) {
if (is_string($_POST['username'])) {
$username = $_POST['username'];
$username = mysql_real_escape_string($username);
}
else
{
echo 'Please enter a valid username<br>';
}
if ($_POST['password']) {
$password = md5($_POST['password']);
}
else
{
echo 'Please enter a valid password<br>';
}
if (is_string($_POST['firstname'])) {
$firstname = $_POST['firstname'];
$firstname = mysql_real_escape_string($firstname);
}
else
{
echo 'Please enter a valid realname<br>';
}
if (is_string($_POST['lastname'])) {
$lastname = $_POST['lastname'];
$lastname = mysql_real_escape_string($lastname);
}
else
{
echo 'Please enter a valid realname<br>';
}
if (filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)){
$email = $_POST['email'];
$email = mysql_real_escape_string($email);
}
else
{
echo 'Please enter a valid email address.<br>';
}
//INSERT TO DB
$users = mysql_query("SELECT username FROM tbl_users WHERE username='$username'")or die(mysql_error());
$numrows = mysql_num_rows($users);
if($numrows == 1){
echo 'Username taken, please choose another.<br>';
}
elseif ($username && $password && $firstname && $lastname && $email && $_GET['photo'] != ''){
//UPLOAD FILE
$filename = $_FILES["photo"]["name"];
echo $filename;
$file_ext = substr($filename, strripos($filename, '.'));
$filesize = $_FILES["photo"]["size"];
if (($file_ext == ".png" || $file_ext == ".jpg" || $file_ext == ".jpeg") && ($filesize < 500000)) {
$photo_ID = md5($filename);
$rand = rand();
$newfilename = $photo_ID . $rand . $file_ext;
move_uploaded_file($_FILES["photo"]["tmp_name"], "images/profile_pics/" . $newfilename) or die("error uploading photo");
}
else
{
echo 'Wrong file type<br>';
}
$query = "INSERT INTO tbl_users ( usernam开发者_运维知识库e, password, firstname, lastname, Email_address, photo_url )
VALUES ( '$username' , '$password' , '$firstname', '$lastname', '$email', '$newfilename' );";
mysql_query($query) or die(mysql_error());
echo 'Thank you for registering '. $firstname .'. Your username is '. $username .'.<br>';
echo 'Click here to <a href="./index.php?">login</a>.<br></center>';
mysql_close();
}
}
else
{
echo 'Please fill the form out.';
}
}
?>
You must set the enctype of the form-tag to enctype="multipart/form-data"
See e.g. http://www.15seconds.com/issue/001003.htm
Here we go again....
a) Do not validate a file upload to see if its user-provided filename is present. It's entirely possible to upload a file with no name. Proper method to check for upload success is:
if ($_FILES['name_of_file_field']['error'] === UPLOAD_ERR_OK) {
... worked ok ...
} else {
die("Upload failed with errno #" > $_FILES['name_of_file_field']['error']);
}`
b) Don't validate the uploaded filetype by checking file extensions. Nothing says a malicious user can't upload "cute puppy.jpg" but really be sending "nasty virus.exe". Always determine file-type on the server via alternate methods, such as using file_info
.
c) You seem to be registering the upload in the database regardless of it being valid or not. "Hey, you're sending us a truckload of garbage instead of flowers. Oh well, I'll just accept the delivery anyways. Thanks!". As well, you don't check if the move_uploaded_file()
succeeds at all, so there's another point of failure. Your final destination of the file may run out of disk space, but you still record the upload as succeeding.
Bonus points: You're actually doing escaping on your data before doing the query, and checking if the query suceeded. Don't often see that on this site.
Your form needs to set the 'enctype' attribute to be 'multipart/form-data'
<form name="login" action="register.php" method="post" enctype="multipart/form-data">
Your form should look like this:
<form name="login" action="register.php" method="post" enctype="multipart/form-data">
The thing is if you dont set enctype it'll send the image as POST data.
You can read more about enctype here.
Do you really mean to access both $_POST and $_GET?
$_POST
if (isset($_POST['submitted'])){
$_GET
elseif ($username && $password && $firstname && $lastname && $email && $_GET['photo'] != ''){
note the "$_GET['photo']"
My guess is you meant $_POST where you have $_GET
精彩评论