Hi guys.. I have a page where I can add values and upload file. Example. I can add name age and upload a pdf file with it. After addingi can view in a table as a row where I can delete or edit the record. The uploaded file gets saved in a folder I created. And the file name goes to the databse and l can access the file by a link I created on the table view.. My problem is that. In my edit page.. Evrything gets edited correctly.. But my file name and actuall file does not update. Want I want to do is. in my edit page I should be able to update the file name in database and upload new file in folder for the selected record in table. If I only update values then it should work. But if I want to upload new file for that specific name. I should be able to upload new file in folder and change file name in database as well
Recommended Answers
Jump to PostOK, you need to show your code. Nobody will be able to guess where you've made a mistake.
Jump to PostI'm sorry Enersto, I already tried really really hard. For some reason, I can't see it on my crystal ball. :)
image was lifted from here without permission.
All 5 Replies
OK, you need to show your code. Nobody will be able to guess where you've made a mistake.
adding the values and uploading.php
<?php
$id= $_REQUEST['main_id'];
require_once('sql.php');
if ($_REQUEST['name']!='')
{
$name = $_REQUEST['name'];
$age = $_REQUEST['age'];
$fload=($_FILES['FileUpLoad']['name']);
$folder = "upload/";
// "FileUploaded" IS THE NAME OF THE INPUT WHERE I UPLOAD A FILE
$File = $_FILES["FileUpLoad"]['name'];
$folder = $folder . $File;
echo $folder . "<br>";
$ok=1;
//This is our size condition
if ($FileUpLoad_size > 990000000){
echo "Your file is too large.<br>";
$ok=0;
}
//This is our limit file type condition
if ($FileUpLoad_type =="text/php") {
echo "No PHP files<br>";
$ok=0;
}
$File = $_FILES["FileUpLoad"]['name'];
echo("Die file = " . $File . "<br>");
if ($_FILES["FileUpLoad"]["name"]!="") {
$fload = $_FILES["FileUpLoad"]["name"] ;
while (file_exists("upload/" . $fload)) {
echo $File . " already exists. ";
$puntPos = strpos($fload,'.');
$len = strlen($fload);
$fload=substr($fload,0,$puntPos). "_" . rand(100,1000) . substr($puntPos,$fload) ;
$fload = rand(100,1000). "_".$_FILES["FileUpLoad"]["name"];
}
$tmpName = $_FILES["FileUpLoad"]["tmp_name"];
echo "Die tydelike naam = " . $tmpName;
move_FileUpLoad_file($_FILES["FileUpLoad"]["tmp_name"] ,
"upload/" . $fload);
}
$sql = "insert into tbl_gb (Name,Age,File,) values ('$name','$age','$fload')";
mysqli_query($conn,$sql);
}
?>
<form name="form1" id="form1" method="POST" enctype='multipart/form-data'>
<input type="text" name="name" id="name" /><br>
<input type="age" name="age" id="age" ><br>
<label>upload:</label><input type="file" name="FileUpLoad" id="FileUpLoad" value="$fload"><br>
<input type="button" value="save" />
this is my edit page
edit.php
<?php
// update part************
if (isset($_REQUEST['update']))
{
$name = $_REQUEST['name'];
$age = $_REQUEST['age'];
$fload = $_REQUEST['FileUpLoad'];
// here what i want to do is.. if no file is uploaded in the edit page then it should update without updating the file , which means file name and actuall file wont be affected
if ($fload==""){
$query = "update tbl_gd set Name='$name',Age='$age' where tbl_gd.r_id=$id";
mysqli_query($conn,$query);
}
///// here what i want to do is .. if a new file is uploaded at edit page then it should update file
else
$folder = "upload/";
// "FileUploaded" IS THE NAME OF THE INPUT WHERE I UPLOAD A FILE
$File = $_FILES["FileUpLoad"]['name'];
$folder = $folder . $File;
echo $folder . "<br>";
$ok=1;
//This is our size condition
if ($FileUpLoad_size > 990000000){
echo "Your file is too large.<br>";
$ok=0;
}
//This is our limit file type condition
if ($FileUpLoad_type =="text/php") {
echo "No PHP files<br>";
$ok=0;
}
$File = $_FILES["FileUpLoad"]['name'];
echo("Die file = " . $File . "<br>");
if ($_FILES["FileUpLoad"]["name"]!="") {
$fload = $_FILES["FileUpLoad"]["name"] ;
while (file_exists("upload/" . $fload)) {
echo $File . " already exists. ";
$puntPos = strpos($fload,'.');
$len = strlen($fload);
$fload=substr($fload,0,$puntPos). "_" . rand(100,1000) . substr($puntPos,$fload) ;
$fload = rand(100,1000). "_".$_FILES["FileUpLoad"]["name"];
}
$tmpName = $_FILES["FileUpLoad"]["tmp_name"];
echo "Die tydelike naam = " . $tmpName;
move_FileUpLoad_file($_FILES["FileUpLoad"]["tmp_name"] ,
"upload/" . $fload);
}
$query = "update tbl_gd set Name='$name',Age='$age',File='$fload' where tbl_gd.r_id=$id";
mysqli_query($conn,$query);
{
//}
//showing saved values*******
include('sql.php');
$id = $_REQUEST['main_id'];
$sql = "select * from tbl_gb where r_id=$id";
$rs = mysqli_query($conn,$sql);
$row = mysqli_fetch_assoc($rs);
$name = $row['Name'];
$age = $row['Age'];
$fload = $row['File'];
?>
<form>
<label>Name:</label><input type="text" name="name" id="name" value="<?php echo $name; ?>"/ > <br>
<label>age:</label><input type="text" name="age" id="age" value="<?php echo $age; ?>"/ ><br>
<label>upload</label><input type="file" name="FileUpLoad" id="FileUpLoad" ><br><br>
<!--the input below is to display current uploaded file name>-->
<input type="text" name="FileUpLoadCurrent" value="<?php echo $fload ?>"/>
<input type="submit" value="Edit" name="update"/>
</form>
Before giving response to your inquiries, please allow me to point out problem on your codes that needs to be fix immediately.
We must not use $_REQUEST when processing form data from user. The reason is that $_REQUEST is like a garbage disposal it will process "post" and "get" $_SERVER['REQUEST_METHOD']. We want to be more specific on which one to use. e.g. post or get.
Most hackers are focusing on PHP's superglobal variables vulnerabilities. To make the matter worse, your script is using $_REQUEST.
Although the link I have provided above is somewhat focused on the session exploits.
I wish I could explain this topic in great detail, but due to time constraint, I wrote a simple function for you to experiment and observe the behavior of the form processor with $_REQUEST.
In my humble opinion $_REQUEST is a lazy tool for a lazy developer. A developer who is lazy to define the appropriate method for the from processor.
Let's prove that your code will fail. Create a new file formtest.php
<?php
function adaptive_form($method)
{
$form ='<form method="'. $method .'" action="">
<input type="text" name="name"/>
<br/>
<input type="password" name="pass"/>
<br/>
<input type="submit" name="submit" value="submit"/>
</form>';
return $form;
}
if(isset($_REQUEST['submit'])){
echo $_REQUEST['name'];
echo '<br/>';
echo $_REQUEST['pass'];
}
## call the function above with different params
echo '<br/>';
//echo adaptive_form('');
//echo adaptive_form('get');
echo adaptive_form('post');
Uncomment one at a time and test by directing your browser to formtest.php
//echo adaptive_form('');
//echo adaptive_form('get');
echo adaptive_form('post');
regardless of the value given to the method parameter, the form will be process. However, when method is equal to empty and get , the processor is shifted to get. Regardless if we make it a "post", the process is still open to all of the three.
so this one
<form action="testform.php" method="post">
<input type="text" name="name"/>
<br/>
<input type="password" name="pass"/>
<br/>
<input type="submit" name="submit" value="submit"/>
</form>
can be easily overridden by simply doing this
http://localhost/testform.php?name=veedeoo&pass=password&submit=submit
If you don't have a solid form validations and filters, someone can easily send a link to anyone with their valid credentials and the recipient can literally login on that account. Assuming that the system does not have any unique session identifier unique only to user. Even with a properly design session manager, cURL can still be use with a cookiejar to take care of the session verification issue. Again, the malicious user is more likely to penetrate your application.
So, what I am trying to suggest here is to remove the $_REQUEST on your script and change them with post e.g.
if(isset($_POST['submit'])){
echo $_POST['name'];
echo '<br/>';
echo $_POST['pass'];
}
You should also set a unique upload id and then assign and verify using a session function.
After you have done that, we can move on to the real update problems.
thanx alot ! it was very interesting and stimulating. but this is a system that i will only be using alone locally, so security is not my main concern right now. And yes i have so far changed all all my public systems to a more secure stream. however my concern still applies in the update of the file being uploaded. please teach me more and help me tackle my challenge
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.