Is there anything wrong with this script?

<?php

$username="";
$password="";
$database="";

$rom_name     = $_POST['rom_name'];
$rom    = $_FILES['rom']['name'];

function getExtension($str) {
$i = strrpos($str,".");
if (!$i) { return ""; }
$l = strlen($str) - $i;
$ext = substr($str,$i+1,$l);
return $ext;
}

if (empty($rom)) {
	$result = '<font color=FFFFFF>Please choose a ROM to upload</font>';
	$error++;
}
else {
		$filename = stripslashes($rom);
		$extension = getextension($filename);
		$extension = strtolower($extension);
		if (($extension !== "zip") && ($extension !== "ZIP") && ($extension !== "rar") && ($extension !== "ZIP")) {
			$result = '<font color=FFFFFF>Unknown file extension, please try again</font>';
			$error++;
		}
		else {
			$tmpFile = $_FILES['rom']['tmp_name'];
			$sizekb = filesize($tmpFile);
			if ($sizekb > 5000000) {
				$result = '<font color=FFFFFF>The file has exceeded the size limit, please try again</font>';
				$error++;
			}
			else {
				$romName = '/gba_roms/files/' . time() . '.' . $extension;
				$copy = copy($tmpFile, $romName);
				$letter = ucfirst($rom_name);
				if (!$copy) {
					$result = '<font color=FFFFFF>File upload unsuccessful, please try again</font>';
					$error++;
				}
			}
		}
}
if ($error > 0) {
	echo $result;
}
else {
	$con = mysql_connect('localhost',$username,$password);
	@mysql_select_db($database) or die( "Unable to select database");
	$sql = "INSERT INTO `gba_roms` VALUES ('','$rom_name','$romName','$letter')";
	$query = mysql_query($sql) or die('Error: ' . mysql_error());
}

mysql_close();

?>

Hi Scottmandoo,
best if you place this at the top and run it:

ini_set("display_errors", true);
error_reporting(255);

Then you could post the error messages and I'll explain what they mean.

Also, could you please edit your post and add "=php" into the tag code (code=php)? It will tell this forum to use PHP language syntax highlighting and the source code will be much easier to read.

As a bonus, here's a simpler getExtension() function:

$extension = strtolower(substr(strrchr($file_name, "."), 1));

Here's what I got...

Notice: Undefined index: rom_name in /www/10gbfreehost.com/b/l/a/blastburners/htdocs/gba_roms/insert-gba.php on line 490

Notice: Undefined index: rom in /www/10gbfreehost.com/b/l/a/blastburners/htdocs/gba_roms/insert-gba.php on line 491

Notice: Undefined variable: error in /www/10gbfreehost.com/b/l/a/blastburners/htdocs/gba_roms/insert-gba.php on line 503
Please choose a ROM to upload
Warning: mysql_close(): no MySQL-Link resource supplied in /www/10gbfreehost.com/b/l/a/blastburners/htdocs/gba_roms/insert-gba.php on line 540

Where's the edit button? Anyway, here's my code again using the PHP code thing.

<?php

$username="";
$password="";
$database="";

$rom_name     = $_POST['rom_name'];
$rom    = $_FILES['rom']['name'];

function getExtension($str) {
$i = strrpos($str,".");
if (!$i) { return ""; }
$l = strlen($str) - $i;
$ext = substr($str,$i+1,$l);
return $ext;
}

if (empty($rom)) {
	$result = '<font color=FFFFFF>Please choose a ROM to upload</font>';
	$error++;
}
else {
		$filename = stripslashes($rom);
		$extension = getextension($filename);
		$extension = strtolower($extension);
		if (($extension !== "zip") && ($extension !== "ZIP") && ($extension !== "rar") && ($extension !== "ZIP")) {
			$result = '<font color=FFFFFF>Unknown file extension, please try again</font>';
			$error++;
		}
		else {
			$tmpFile = $_FILES['rom']['tmp_name'];
			$sizekb = filesize($tmpFile);
			if ($sizekb > 5000000) {
				$result = '<font color=FFFFFF>The file has exceeded the size limit, please try again</font>';
				$error++;
			}
			else {
				$romName = '/gba_roms/files/' . time() . '.' . $extension;
				$copy = copy($tmpFile, $romName);
				$letter = ucfirst($rom_name);
				if (!$copy) {
					$result = '<font color=FFFFFF>File upload unsuccessful, please try again</font>';
					$error++;
				}
			}
		}
}
if ($error > 0) {
	echo $result;
}
else {
	$con = mysql_connect('localhost',$username,$password);
	@mysql_select_db($database) or die( "Unable to select database");
	$sql = "INSERT INTO `gba_roms` VALUES ('','$rom_name','$romName','$letter')";
	$query = mysql_query($sql) or die('Error: ' . mysql_error());
}

mysql_close();

?>

EDIT: found the edit button, but for some reason it doesn't show up on my first post.

Thanks for the syntax highlighting it's much better.
The errors you are getting aren't deadly. So why do you think there's something wrong with the script?

Looking at the script I have a few suggestions:
* don't use copy() for moving uploaded files, as most hosts will not like it.
First test if the upload was successful:

if (is_uploaded_file($_FILES['rom']['tmp_name'])) {
}

and then move it with

move_uploaded_file ($_FILES['rom']['tmp_name'], $romName);

* $romName most likely doesn't contain a valid path
It should be
/www/10gbfreehost.com/b/l/a/blastburners/htdocs/gba_roms/files/....
not just
/gba_roms/files/...

Best if you use $_SERVER["DOCUMENT_ROOT"].'/gba_roms/files/'...

* you should move mysql_close() two lines higher just after mysql_query()
Now it attempts to close a non-existing connection if $error > 0.

* you shouldn't insert values taken from $_POST/$_GET directly into the database without running them through mysql_real_escape_string(). A hacker could use this security hole to wipe out your database or replace its content with malicious data.
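The suggestions in this reply combined into one handler, as an added example that is not code from the thread. It keeps the thread's form field names (`rom`, `rom_name`) and the `gba_roms` table, and assumes the table's columns are (`id`, `name`, `path`, `letter`) in that order, which the posted INSERT implies but never names. It uses PDO prepared statements instead of `mysql_real_escape_string()` because the `mysql_*` extension was removed in PHP 7; the database credentials are placeholders, and the web server is assumed to be allowed to write to the upload directory.

```php
<?php
// Added example: hardened version of the thread's upload handler.
// Assumptions (not from the thread): PDO/MySQL is available, the gba_roms
// table has columns (id, name, path, letter), and the web server may write
// to $uploadDir. Credentials are placeholders.
declare(strict_types=1);

const MAX_BYTES   = 5000000;        // same limit as the original script
const ALLOWED_EXT = ['zip', 'rar']; // whitelist, compared in lower case

$dbDsn  = 'mysql:host=localhost;dbname=my_database;charset=utf8mb4';
$dbUser = 'my_username';
$dbPass = 'my_password';

// Absolute filesystem path built from DOCUMENT_ROOT, not a URL path.
$uploadDir = $_SERVER['DOCUMENT_ROOT'] . '/gba_roms/files/';

function getExtension(string $name): string {
    $ext = strrchr($name, '.');
    return $ext === false ? '' : strtolower(substr($ext, 1));
}

// Returns an error message, or null when the upload is acceptable.
function validateUpload(?array $file, int $maxBytes, array $allowed): ?string {
    // If post_max_size was exceeded, $_FILES (and $_POST) arrive empty.
    if ($file === null || !isset($file['error'])) {
        return 'No file received (the POST body may exceed post_max_size)';
    }
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        return 'Please choose a ROM to upload';
    }
    if ($file['error'] === UPLOAD_ERR_INI_SIZE || $file['error'] === UPLOAD_ERR_FORM_SIZE) {
        return 'The file has exceeded the size limit, please try again';
    }
    // is_uploaded_file() guards against a path that did not come from this request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'File upload unsuccessful, please try again';
    }
    if ($file['size'] > $maxBytes) {
        return 'The file has exceeded the size limit, please try again';
    }
    if (!in_array(getExtension($file['name']), $allowed, true)) {
        return 'Unknown file extension, please try again';
    }
    return null;
}

$error    = 0;   // initialised, so no "Undefined variable: error" notice
$result   = '';
$romTitle = trim($_POST['rom_name'] ?? '');
$file     = $_FILES['rom'] ?? null;

$msg = validateUpload($file, MAX_BYTES, ALLOWED_EXT);
if ($msg !== null || $romTitle === '') {
    $result = $msg ?? 'Please enter a ROM name';
    $error++;
}

$dest = '';
if ($error === 0) {
    // Server-chosen file name: the client's name never reaches the filesystem.
    // A random suffix avoids two uploads in the same second overwriting each other.
    $dest = $uploadDir . time() . '-' . bin2hex(random_bytes(8)) . '.' . getExtension($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $result = 'File upload unsuccessful, please try again';
        $error++;
    }
}

if ($error > 0) {
    echo '<font color=FFFFFF>' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . '</font>';
    exit;
}

// Parameterised INSERT: user input is bound, never concatenated into the SQL string.
$pdo  = new PDO($dbDsn, $dbUser, $dbPass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('INSERT INTO `gba_roms` (`name`, `path`, `letter`) VALUES (?, ?, ?)');
$stmt->execute([$romTitle, $dest, ucfirst($romTitle)]);
// The connection is only opened on the success path, so there is no close() on a
// non-existent link; PDO closes it when $pdo goes out of scope.
```

Two points worth noting: the size check reads `$_FILES['rom']['size']` and the error code instead of calling `filesize()` on a possibly empty `tmp_name`, and checking `UPLOAD_ERR_INI_SIZE` is what turns a silent "upload failed" into a message that points at the server's upload limit.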

Thanks, it works now. Just one more problem though: when I upload files over 2MB it doesn't work. I get the first error, "Please choose a rom to upload!"

<?php

$username="my_username";
$password="my_password";
$database="my_database";

$tut_name     = $_POST['tut_name'];
$letter       = ucfirst($_POST['tut_name']);
$tut_image    = $_FILES['tut_image']['name'];

function getExtension($str) {
$i = strrpos($str,".");
if (!$i) { return ""; }
$l = strlen($str) - $i;
$ext = substr($str,$i+1,$l);
return $ext;
}

if (empty($tut_image)) {
	$result = '<font color=FFFFFF>Please choose a rom to upload!</font>';
	$error++;
}
else {
		$filename = stripslashes($tut_image);
		$extension = getextension($filename);
		$extension = strtolower($extension);
		if (($extension !== "zip") && ($extension !== "rar")) {
			$result = '<font color=FFFFFF>Unknown file extension, please try again</font>';
			$error++;
		}
		else {
			$tmpFile = $_FILES['tut_image']['tmp_name'];
			$sizekb = filesize($tmpFile);
			if ($sizekb > 8000000) {
				$result = '<font color=FFFFFF>The file has exceeded the size limit, please try again</font>';
				$error++;
			}
			else {
				$imageName = '../files/gba-roms/' . time() . '.' . $extension;
				$copy = copy($tmpFile, $imageName);
				if (!$copy) {
					$result = '<font color=FFFFFF>File upload unsuccessful, please try again</font>';
					$error++;
				}
			}
		}
}
if ($error > 0) {
	echo $result;
}
else {
	$con = mysql_connect('localhost',$username,$password);
	@mysql_select_db($database) or die( "Unable to select database");
	$sql = "INSERT INTO `gba_roms` VALUES ('','$tut_name','$imageName','$letter')";
	$query = mysql_query($sql) or die('Error: ' . mysql_error());

mysql_close();
}



?>

Also, you may notice this script doesn't contain most of your advice; this is because when I tried it my page just loaded blank. Unless I did it wrong, let me know.

Also note I am able to upload up to 8MB on my host and have successfully done so with an FTP client.

Hi there,
because you posted your database login info here you will have to change it. Otherwise the first hacker who happens to read this (e.g. using an automated search script) will either erase your database or fill it with malicious data.

Now back to bug hunting: I suggest you keep

ini_set("display_errors", true);
error_reporting(255);

at the top until you solve all problems.
This should show you what is the reason for getting a blank screen.

2MB is the default PHP file upload limit; that's why it didn't affect you when you used FTP.
It's very likely that you aren't allowed to change these settings unless you have a very benevolent hosting provider. If you are though, then you have these options:

  • If you run the server yourself then locate php.ini and edit upload_max_filesize, post_max_filesize, max_execution_time, max_input_time and memory_limit. I'll explain them later.
  • Or if your server runs web server Apache and .htaccess parsing is on then put file .htaccess into the same directory as your script. Its name really starts with a dot. Some FTP clients don't show unix hidden files by default - and hidden files = dot files. So don't be surprised if you upload the file and don't see it then in the listing. Check your FTP client settings. This should be in it (use your own values):
    php_value upload_max_filesize 100M
    php_value post_max_size 100M
    php_value max_execution_time 1800
    php_value max_input_time 1800
    php_value memory_limit 100M

    Note: I think you have to use Unix line endings if your server is on *nix although I'm not sure.

  • or you have to use ini_set() functions to set the values in PHP
    e.g. ini_set("upload_max_filesize" , "10M");

Now, why so many settings? There's a limit for file size (upload_max_filesize) but there's also a limit for how much you can send through POST (post_max_size). The only meaningful method of sending files is using POST, but files aren't all you can send with POST. That's why there are two limits.
Then max_input_time limits how long the script waits for input (until your files are transmitted). Calculate it using your Internet connection speed and max file size.
Input time (I think) counts into execution time so you have to set max_execution_time as well.
Again, I'm not sure but I think that uploaded files count into your memory limit (memory_limit). Maybe not if you don't read them into memory (e.g. file_get_contents()) but it's up to you to find out.

Sorry I haven't replied for a while; I've been on holiday for the weekend and just got back.

My web server doesn't allow .htaccess files because...

htaccess eats a lot of server resources and this is why it is not allowed on our free plan.

So I have asked my web server admin if there's any chance of changing those settings in the php.ini, with no reply as of yet. Though the web host is very new and is still constantly changing settings to help out its members, so there's a high chance the settings will get changed.

What I want to know is, if the host asks what I want all these settings (upload_max_filesize, post_max_filesize, max_execution_time, max_input_time and memory_limit) changed to, what should I say? Remember the max file size my host accepts for free accounts is currently 8MB.

Hi Scottmandoo,
I'm a bit confused. Are you saying that the total file size of all files in your hosting must not be higher than 8 MB? Boy that's not much :-) Try http://pipni.cz/ - you get 1.5 GB there for free (it's a Czech server but you can switch the language to English).

If your limit for all files really is 8MB then you have to modify your script to check what the file size of already uploaded files is.

Let's assume that you want to limit max size of the file being uploaded to 7MB:
upload_max_filesize 7M
post_max_size 7M
(If you are going to read the file into memory then set memory_limit too.)

Now let me show you how you are going to calculate the other two:
We have to decide what is the slowest Internet connection that you will support. Let's make it 256 kbps (uplink), for instance.
Here's the formula:
y = (256/8) speed in kilobytes per second
x = (7*1024 / y) how many seconds it would take to upload a 7MB file
Result is: 224 seconds
This would be true if your customer were able to use this full theoretical speed throughout the whole upload time, which is impossible. So I suggest that you multiply it by 1.5 to provide some cushion.

Your value would be then 336 seconds:
max_input_time 336
You don't have to touch max_execution_time because your script doesn't really do anything, it just moves the file, it doesn't process it. (I'd like to correct my earlier statement here - input time doesn't count into execution time)
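A small diagnostic script for the limits discussed in this reply and the one before it, as an added example that is not code from the thread. It reads the values PHP is actually running with and applies the formula above (bytes / (kbps/8 * 1024) seconds, times 1.5), so the numbers a host should be asked for can be checked rather than estimated. One caveat the earlier reply does not state: `upload_max_filesize` and `post_max_size` are per-directory settings (php.ini or .htaccess only) and cannot be raised with `ini_set()` from inside the script, because the request body has already been received by the time the script runs. The uplink speed of 256 kbps is the reply's assumption, not a measured value.

```php
<?php
// Added example: report the upload limits in effect and compute max_input_time
// with the formula from the reply. Not code from the thread.
declare(strict_types=1);

// Convert php.ini shorthand ("8M", "512K", "1G", "7340032") to bytes.
// ini_get() returns the raw string, so comparing "8M" > 5000000 is not a size check.
function iniBytes(string $value): int {
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $unit = strtolower(substr($value, -1));
    $num  = (int) $value;               // (int) "8M" === 8
    switch ($unit) {
        case 'g': return $num * 1024 * 1024 * 1024;
        case 'm': return $num * 1024 * 1024;
        case 'k': return $num * 1024;
        default:  return (int) $value;  // plain number of bytes
    }
}

// Largest upload a script can receive: the smaller of the two limits
// (both assumed positive; the reply sets them to the same value).
function effectiveUploadLimit(): int {
    $upload = iniBytes((string) ini_get('upload_max_filesize'));
    $post   = iniBytes((string) ini_get('post_max_size'));
    return min($upload, $post);
}

// The reply's formula: seconds = bytes / (uplink kbps / 8 * 1024), with a 1.5 cushion.
function requiredInputTime(int $bytes, int $uplinkKbps, float $cushion = 1.5): int {
    $bytesPerSecond = $uplinkKbps / 8 * 1024;
    return (int) ceil($bytes / $bytesPerSecond * $cushion);
}

foreach (['upload_max_filesize', 'post_max_size', 'max_input_time', 'max_execution_time', 'memory_limit'] as $key) {
    printf("%-20s = %s\n", $key, ini_get($key));
}
$limit = effectiveUploadLimit();
printf("effective upload limit : %d bytes (%.1f MB)\n", $limit, $limit / 1048576);
printf("max_input_time @256kbps: %d s\n", requiredInputTime($limit, 256));

// Sanity check against the reply's arithmetic, independent of php.ini:
// 7M at 256 kbps -> 7*1024*1024 / 32768 = 224 s, times 1.5 = 336 s.
assert(requiredInputTime(iniBytes('7M'), 256) === 336);
assert(requiredInputTime(iniBytes('8M'), 256) === 384);
```

Run it once on the host (before and after the admin changes php.ini) and the first five lines show whether the change actually took effect for your directory; the last line is the `max_input_time` value to request for the limit you end up with.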

Are you saying that the total file size of all files in your hosting must not be higher than 8 MB? Boy that's not much :-) Try http://pipni.cz/

Yeah, I know it sucks, but that's the only downfall of my host along with no .htaccess support for free accounts; it provides 10GB of storage, 20GB monthly bandwidth, no ads and heaps more. http://10gbfreehost.com

Also, so what you're saying is I only need the following edited?
upload_max_filesize 8M
post_max_size 8M
max_input_time 384

If you are going to do only what you do now: move the file from temporary location to permanent location then yes, set only these three ini attributes.

If you are going to process the ROM files though, (extract something from it or rearrange it) then you will also have to set memory_limit and max_execution_time.

Nah, I'm not going to process it, unless you can edit my script to check for, which I highly doubt, so that should be it.

Also, I've been doing some research and just wanted to ask you: is there a way I can use FTP in my script to upload the file so that I won't have to change those settings, or will this process still require those settings to be changed?

check for viruses:

  • your hosting must be allowed to execute files (which I seriously doubt)
  • you have to know where the antivirus program is and what parameters it expects
  • then use exec() to run it

ftp:

  • your script can use FTP if PHP has been compiled with FTP support - but that's likely
  • but it wouldn't solve your problem - you would need your users to use FTP instead of HTTP upload

To let your users upload files via FTP safely (safely for you, not for them), you need this:

  • set up a separate FTP user with access only to a specified directory (so that he cannot mess with your scripts)
  • this directory must not be allowed to run PHP scripts (best if it's outside httpdocs) otherwise someone will misuse it to run a spam-bot
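The exec() step from the virus-scanning list above, as an added example that is not code from the thread. It assumes the scanner is ClamAV's `clamscan` at `/usr/bin/clamscan` (the reply says you have to find out where your host's scanner is and what it expects; this path and its exit-code convention of 0 clean, 1 infected, other values error are ClamAV's, not something the thread establishes) and that `exec()` is not in the host's `disable_functions`. The file path is passed through `escapeshellarg()` so that nothing in it can be interpreted by the shell.

```php
<?php
// Added example: scan a stored upload with a command-line scanner via exec().
// Assumptions (not from the thread): clamscan lives at SCANNER, the host allows
// exec(), and the file has already been moved with move_uploaded_file().
declare(strict_types=1);

const SCANNER = '/usr/bin/clamscan';   // assumed location; adjust for your host

// Returns 'clean', 'infected' or 'error'. Never builds the command from
// unescaped input: the only variable part is wrapped in escapeshellarg().
function scanFile(string $path): string {
    if (!function_exists('exec') || !is_executable(SCANNER) || !is_file($path)) {
        return 'error';                 // exec() disabled, scanner missing, or no such file
    }
    $cmd    = SCANNER . ' --no-summary --stdout ' . escapeshellarg($path) . ' 2>&1';
    $output = [];
    $code   = 2;
    exec($cmd, $output, $code);
    // clamscan exit codes: 0 = no threat found, 1 = threat found, anything else = error.
    switch ($code) {
        case 0:  return 'clean';
        case 1:  return 'infected';
        default: return 'error';
    }
}

// Use right after move_uploaded_file(): keep the file only if the verdict is clean.
// A scanner error is treated like an infection, because an unscanned file is unknown.
function keepIfClean(string $path): bool {
    if (scanFile($path) !== 'clean') {
        @unlink($path);
        return false;
    }
    return true;
}
```

The fail-closed choice in `keepIfClean()` is deliberate: if the scanner is missing or crashes, the upload is discarded rather than silently kept, which is the behaviour you want on a shared host where you cannot be sure the scanner is available at all.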
For continuously helping me out, thanks heaps

Thanks a lot, I don't think I could ask any more of you, though if there's anything I need help with I'll let you know, if that's fine with you. But until then I think this topic has been solved, as all I can do now is wait for my host to update the php.ini.

Thanks again,
Scottmandoo
