Trouble Uploading to mySQL with PHP

 
sblade46 (Joined: 11 Dec 2009, Posts: 1)
Posted: Fri Dec 11, 2009 8:18 pm

So I am trying to upload to a blob in MySQL using PHP and I keep getting the error built into my script... I am running Abyss on a Windows box, and have php-5. Please let me know what I am doing wrong. Is there a setting I need? I have cut and pasted my code and I have the items set up right as far as I know in MySQL. When run I get the error "File binary data insert failed!" Please help because I have looked forever and can't find anything. Starting to wonder if Abyss isn't set up to handle this but that would be surprising... Thank you!

<?php
ob_start("ob_gzhandler");
$con = mysql_connect("localhost","myroot","mypassword");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("mydb", $con);
foreach ($_REQUEST as $key => $value) {
    ${$key} = mysql_escape_string($value);
}
//special file upload array:
$userfile_name = $_FILES['userfile']['name'];
$userfile = $_FILES['userfile']['tmp_name'];

if ($action == 2) {
    if ($userfile <> "") {
        //gathering data:
        $filedate = time();
        $userfile_name = mysql_escape_string($userfile_name);
        $data = "";
        //get file
        $fp = fopen($userfile, "rb");
        while(!feof($fp)) {
            $data .= fread($fp, 1024);
        }
        fclose($fp);

        $data = addslashes($data);
        $data = addcslashes($data, "\0");

        $query = "INSERT INTO loanfiledata VALUES(\"\",\"{$data}\")";
        mysql_query($query)
            or die("File binary data insert failed!");

        $query = "select LAST_INSERT_ID() as dataid";
        $result = mysql_query($query)
            or die("New contact ID fetch failed!");
        if (!mysql_data_seek($result, 0)) {
            echo "cannot seek to the new ID!";
            continue;
        }
        if (!($row = mysql_fetch_object($result)))
            continue;
        $dataid = $row->dataid;
        mysql_free_result($result);

        $query = "INSERT INTO loanfiles VALUES(\"\", \"{$userfile_name}\", \"{$ffiletype}\", \"{$filedate}\", \"{$dataid}\", \"{$note}\", \"0\")";
        mysql_query($query)
            or die("File header insert failed!");
    }
}
?>
<HTML>
<HEAD>
<TITLE>Add File:</TITLE>
</HEAD>
<BODY BGCOLOR="#ffffff" TEXT="#000000" LINK="#000000" ALINK="#000000" VLINK="#000000">

<form action="uploadthom.php" method="post" enctype="multipart/form-data">
    <input type="hidden" name="action" value="2">
    <!-- change this to the size that you want to allow for uploads, this must be <= the allowed packet size in your SQL server setup (default 8MB) -->
    <input type="hidden" name="MAX_FILE_SIZE" value="7000000">

    <table cellspacing="2" cellpadding="2" border="0">
        <tr>
            <td><b>File to attach:</b> <input type="file" name="userfile" size="20" maxlength="255"></td>
            <td><b>Description:</b> <input type="text" name="note" size="40" maxlength="255"></td>
        </tr>

        <tr>
            <td>
                <b>File type:</b> <select name="ffiletype" size="1">
                    <option value="0">General Document</option>
                    <option value="1">Resume</option>
                    <option value="1">Background Check</option>
                </select>
            </td>
        </tr>
        <tr>
            <td><input type="submit" value="add&nbsp;&gt;&gt;"></td>
            <td></td>
        </tr>
    </table>
</form>

</BODY>
</HTML>
<?php

ob_end_flush();
?>
DonQuichote (Joined: 24 Dec 2006, Posts: 68, Location: The Netherlands)
Posted: Fri Dec 11, 2009 11:08 pm

First, use standard quotes in SQL. These are single quotes for strings. Also, do not use addslashes, but mysql_escape_string(). And implement some error handling that makes sure that the errors are logged while the user is not bothered by technical messages (and hackers do not get to know too many details). On your development machine, for testing, you can use die(mysql_error($con)).
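
An added example, not part of either post: one way to do the same upload with PDO prepared statements, so the file bytes are bound as a parameter instead of being escaped into the SQL string, with the database error written to the server log and only a generic message shown to the user. It assumes the pdo_mysql extension, that the first column of `loanfiledata` and `loanfiles` is an AUTO_INCREMENT key, and placeholder credentials (`app_user` / `app_password`).

```php
<?php
// Added example, not the poster's script. Assumptions: pdo_mysql is loaded, the
// first column of both tables is an AUTO_INCREMENT key, credentials are placeholders.

function store_upload(PDO $pdo, array $file, $type, $note)
{
    // Accept only a completed HTTP upload; 'error' also reports size-limit failures.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload rejected, error code ' . $file['error']);
    }
    $fp = fopen($file['tmp_name'], 'rb');
    if ($fp === false) {
        throw new RuntimeException('cannot open uploaded file');
    }
    $pdo->beginTransaction(); // only atomic on a transactional engine such as InnoDB
    try {
        // The file is bound as a LOB parameter: no addslashes(), no quoting rules.
        $stmt = $pdo->prepare('INSERT INTO loanfiledata VALUES (NULL, ?)');
        $stmt->bindParam(1, $fp, PDO::PARAM_LOB);
        $stmt->execute();
        $dataid = $pdo->lastInsertId();

        $stmt = $pdo->prepare('INSERT INTO loanfiles VALUES (NULL, ?, ?, ?, ?, ?, 0)');
        $stmt->execute(array(basename($file['name']), (int) $type, time(), $dataid, $note));
        $pdo->commit();
    } catch (Exception $e) {
        $pdo->rollBack();
        fclose($fp);
        throw $e;
    }
    fclose($fp);
    return $dataid;
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    try {
        $pdo = new PDO('mysql:host=localhost;dbname=mydb', 'app_user', 'app_password',
            array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
        // Read only the named form fields instead of importing all of $_REQUEST.
        $type = isset($_POST['ffiletype']) ? $_POST['ffiletype'] : 0;
        $note = isset($_POST['note']) ? $_POST['note'] : '';
        store_upload($pdo, $_FILES['userfile'], $type, $note);
        echo 'File stored.';
    } catch (Exception $e) {
        error_log('upload failed: ' . $e->getMessage()); // full detail goes to the server log
        http_response_code(500);
        echo 'The file could not be saved.';             // the user sees no SQL details
    }
}
```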
All times are GMT + 1 Hour