PLEASE HELP: Uploading Pictures

Hello
I created a web site, www.falkirkoldfordclub.co.uk, on which I was able to upload pictures to the site and the admin area.
Now I need to do the same on a new site I am amending, but I cannot use the same code to upload my pictures: one of the error messages pops up! I will let you know which one after I show you the code:

[code]
addpic.html

<!-- The tags were stripped when this post was rendered; the skeleton below
     is reconstructed around the surviving text. The field names match the
     variables used in addpic.php. -->
<html>
<head>
<title>Falkirk Old Ford Club - Upload a File</title>
</head>
<body>
<!-- ADMIN_PAGE_URL is a placeholder; the original link target is not shown -->
<a href="ADMIN_PAGE_URL">Click Here to go back to admin page</a>

<h1>Upload a File</h1>

<p>Please select a file from your local computer to upload to our web server
for saving in our database. This file can be of any type you like. Once you
have chosen a file, please click on the "Upload this file" button below.</p>

<!-- multipart/form-data is required for the browser to send the file bytes -->
<form action="addpic.php" method="post" enctype="multipart/form-data">
Description: <input type="text" name="strDesc"><br>
File Location: <input type="file" name="fileUpload"><br>
<input type="submit" value="Upload this file">
</form>
</body>
</html>
[/code]

PHP Code

[code]
addpic.php

<?php
// These "global" declarations only do anything when register_globals is on,
// which makes each form field appear as a PHP variable of the same name
global $strDesc;
global $fileUpload;
global $fileUpload_name;
global $fileUpload_size;
global $fileUpload_type;

// Make sure both a description and
// file have been entered
if(empty($strDesc) || $fileUpload == "none")
    die("You must enter both a description and file");

// Database connection variables
$dbServer = "";
$dbDatabase = "";
$dbUser = "";
$dbPass = "";

// Read the whole uploaded file into a string
$fileHandle = fopen($fileUpload, "r");
$fileContent = fread($fileHandle, $fileUpload_size);
$fileContent = addslashes($fileContent);

$sConn = mysql_connect($dbServer, $dbUser, $dbPass)
    or die("Couldn't connect to database server");

$dConn = mysql_select_db($dbDatabase, $sConn)
    or die("Couldn't connect to database $dbDatabase");

// Insert the description, file content and MIME type as a new row
$dbQuery = "INSERT INTO myBlobs VALUES ";
$dbQuery .= "(0, '$strDesc', '$fileContent', '$fileUpload_type')";
mysql_query($dbQuery) or die("Couldn't add file to database");

// HTML tags restored where the post's rendering stripped them
echo "<h1>File Uploaded</h1>";
echo "The details of the uploaded file are shown below:<br>";
echo "File name: $fileUpload_name<br>";
echo "File type: $fileUpload_type<br>";
echo "File size: $fileUpload_size<br>";
echo "Uploaded to: $fileUpload<br>";
?>
[/code]

The problem I am having is with the
if(empty($strDesc) || $fileUpload == "none")

die("You must enter both a description and file");

This error message pops up!

Please help me as soon as possible.

Regards

Stephen



Comments

  • Hi,

    I suspect it's because the server you are using doesn't have auto-globals turned on, so having a field in a form doesn't automatically create a global variable of that name (a good thing, since it led to all manner of security holes and was one item in PHP's catalog of errors).

    If you use $HTTP_POST_VARS['strDesc'] instead of $strDesc (and get rid of the "global" declaration at the top), it should work out; you'll need to do similar tweaks to other fields too.

    Also, as it stands, your script is vulnerable to an SQL Injection vulnerability, which means that I can go to your site and (once you fix this validation bug) hack it to delete all uploaded data. So it's a good idea to fix this. :-) For more, see:
    http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection

    Jonathan (not actually a PHP programmer, but I can read it...)
    ###
    for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");
  • Hello

    Thank you for your help!

    It's bringing back this error now!

    Warning: fread(): supplied argument is not a valid stream resource in /home/www/Sweeneyc/Scottishtruckerclub/addpic.php on line 39


    $fileContent = fread($fileHandle, $fileUpload_size);

    Regards

    Stephen
  • Try modifying
    $fileHandle = fopen($fileUpload, "r");
    to
    $fileHandle = fopen($HTTP_POST_VARS['fileUpload']['tmp_name'], "r");
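Added example, not Stephen's code or either reply's: the same upload script rewritten for a server with register_globals off. The form is read through the $_POST and $_FILES superglobals (uploaded files, including tmp_name, live in $_FILES rather than $HTTP_POST_VARS), and a mysqli prepared statement keeps the description and file bytes out of the SQL text, which closes the injection hole Jonathan points at. Assumptions: the credentials are placeholders, the column order is the original (id, description, content, type), and the 2 MB size cap is an arbitrary choice.

```php
<?php
// Added example: addpic.php reworked for register_globals = Off. Form
// fields arrive in $_POST (text) and $_FILES (uploads), never as bare
// globals. Credentials are placeholders; the table layout is the
// original one (id, description, content, type).
$dbServer   = "DB_HOST_PLACEHOLDER";
$dbDatabase = "DB_NAME_PLACEHOLDER";
$dbUser     = "DB_USER_PLACEHOLDER";
$dbPass     = "DB_PASS_PLACEHOLDER";

$strDesc = isset($_POST['strDesc']) ? trim($_POST['strDesc']) : '';
$upload  = isset($_FILES['fileUpload']) ? $_FILES['fileUpload'] : null;

// Check that an upload actually succeeded, not just that a field exists
if ($strDesc === '' || $upload === null || $upload['error'] !== UPLOAD_ERR_OK) {
    die("You must enter both a description and file");
}
// Only read a file that PHP itself placed in the upload temp directory
if (!is_uploaded_file($upload['tmp_name'])) {
    die("Invalid upload");
}
// Enforce a server-side size cap (assumed limit: 2 MB)
if ($upload['size'] > 2 * 1024 * 1024) {
    die("File too large");
}
$fileContent = file_get_contents($upload['tmp_name']);
// Derive the MIME type from the bytes instead of trusting the browser
$finfo    = new finfo(FILEINFO_MIME_TYPE);
$fileType = $finfo->buffer($fileContent);

$db = new mysqli($dbServer, $dbUser, $dbPass, $dbDatabase);
if ($db->connect_error) {
    die("Couldn't connect to database server");
}
// Values travel separately from the SQL text, so quotes in the
// description cannot alter the statement; addslashes() is not needed
$stmt = $db->prepare("INSERT INTO myBlobs VALUES (0, ?, ?, ?)");
$null = null;                                  // placeholder for the blob
$stmt->bind_param("sbs", $strDesc, $null, $fileType);
$stmt->send_long_data(1, $fileContent);        // parameter 1 is the blob
if (!$stmt->execute()) {
    die("Couldn't add file to database");
}
$stmt->close();
// Escape user-controlled values before echoing them back as HTML
echo "<h1>File Uploaded</h1>";
echo "File name: " . htmlspecialchars($upload['name'], ENT_QUOTES, 'UTF-8') . "<br>";
echo "File type: " . htmlspecialchars($fileType, ENT_QUOTES, 'UTF-8') . "<br>";
echo "File size: " . (int)$upload['size'] . "<br>";
```

The temp path is deliberately not echoed back, since it reveals the server's directory layout for no benefit to the uploader.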
