0

how come my real escape strings are getting entered into my table as blank entries - if i don't escape them, they enter just fine.... Any ideas?

<?php
  session_id($_POST['current_email']);
  session_start();
  if (!empty($_FILES)) {
      $con = mysql_connect("xxx", "xxx", "xxx") or die("cannot connect");
      mysql_select_db("xxx", $con) or die("cannot select DB");
      $tempFile = $_FILES["Filedata"]["tmp_name"];
      $name = $_FILES["Filedata"]["name"];
      $targetPath = "uploads/";
      $targetFile = str_replace('//', '/', $targetPath) . $_FILES["Filedata"]['name'];
      $size = $_FILES["Filedata"]["size"];
      $oext = getExtension($name);
      $ext = strtolower($oext);
      $whois = $_SERVER['REMOTE_ADDR'];
      $email = $_POST['current_email'];
      if ($ext == "jpg" || $ext == "jpeg" || $ext == "bmp" || $ext == "gif") {
          if ($size < 1024 * 1024) {
              if (file_exists("uploads/" . $name)) {
                  move_uploaded_file($tempFile, "uploads/" . $name);
                  $qry = "select id from pictures where file='$name' and type='$ext'";
                  $res = mysql_fetch_array(mysql_query($qry));
                  $id = $res['id'];
   		  $safename = mysql_real_escape_string($name);
		  $safesize = mysql_real_escape_string($size);
		  $safeext = mysql_real_escape_string($ext);
		  $safewhois = mysql_real_escape_string($whois);
		  $safeemail = mysql_real_escape_string($email);
                  $qry = "UPDATE pictures SET file='$safename', type='$safeext', size='$safesize', whois='$safewhois', date=NOW() where id=$id";
                  mysql_query($qry);
                  echo "1";
              } else {
                  move_uploaded_file($tempFile, "uploads/" . $name);
                  $qry = "INSERT INTO pictures(id, file, type, size, email, whois, date) VALUES ('', '$safename', '$safeext', '$safesize', '$safeemail', '$safewhois', NOW())";
                  mysql_query($qry, $con);
                  echo "1";
              }
          }

      }
  }
  function getExtension($image_name)
  {
      return substr($image_name, strrpos($image_name, '.') + 1);
  }
?>
3
Contributors
3
Replies
4
Views
7 Years
Discussion Span
Last Post by dschuett
0

I seem to have fixed it by placing the escape strings before any of the if statements like so:

<?php
  session_id($_POST['current_email']);
  session_start();
  if (!empty($_FILES)) {
      $con = mysql_connect("localhost", "xxx", "xxx") or die("cannot connect");
      mysql_select_db("xxx", $con) or die("cannot select DB");
      $tempFile = $_FILES["Filedata"]["tmp_name"];
      $name = $_FILES["Filedata"]["name"];
      $targetPath = "uploads/";
      $targetFile = str_replace('//', '/', $targetPath) . $_FILES["Filedata"]['name'];
      $size = $_FILES["Filedata"]["size"];
      $oext = getExtension($name);
      $ext = strtolower($oext);
      $whois = $_SERVER['REMOTE_ADDR'];
      $email = $_POST['current_email'];
                  $safename = mysql_real_escape_string($name);
                  $safesize = mysql_real_escape_string($size);
                  $safeext = mysql_real_escape_string($ext);
                  $safewhois = mysql_real_escape_string($whois);
                  $safeemail = mysql_real_escape_string($email);
      if ($ext == "jpg" || $ext == "jpeg" || $ext == "bmp" || $ext == "gif") {
          if ($size < 1024 * 1024) {
              if (file_exists("uploads/" . $name)) {
                  move_uploaded_file($tempFile, "uploads/" . $name);
                  $qry = "select id from pictures where file='$name' and type='$ext'";
                  $res = mysql_fetch_array(mysql_query($qry));
                  $id = $res['id'];
   		  $safename = mysql_real_escape_string($name);
		  $safesize = mysql_real_escape_string($size);
		  $safeext = mysql_real_escape_string($ext);
		  $safewhois = mysql_real_escape_string($whois);
		  $safeemail = mysql_real_escape_string($email);
                  $qry = "UPDATE pictures SET file='$safename', type='$safeext', size='$safesize', whois='$safewhois', date=NOW() where id=$id";
                  mysql_query($qry);
                  echo "1";
              } else {
                  move_uploaded_file($tempFile, "uploads/" . $name);
                  $qry = "INSERT INTO pictures(id, file, type, size, email, whois, date) VALUES ('', '$safename', '$safeext', '$safesize', '$safeemail', '$safewhois', NOW())";
                  //Start buffering
                  ob_start();
                  //print the result
                  print_r($safename);
                  //get the result from buffer
                  $output = ob_get_contents();
                  //close buffer
                  ob_end_clean();
                  //open a file
                  $h = fopen('log.txt', 'w+');
                  //write the output text
                  fwrite($h, $output);
                  //close file
                  fclose($h);
                  mysql_query($qry, $con);
                  echo "1";
              }
          }

      }
  }
  function getExtension($image_name)
  {
      return substr($image_name, strrpos($image_name, '.') + 1);
  }
?>
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.