php - Store path to uploaded Image in database
I'm trying to add the path of an uploaded image to the database in order to use it to display a thumbnail for a post. I found a tutorial and used its code to upload the image. It gets to the else statement and exit("error while uploading image on server");. I have this form to collect the data:
    <form action='' method='post' enctype="multipart/form-data">
        <p><label>title</label><br />
        <input id="title-input" type='text' name='posttitle' value='<?php if(isset($error)){ echo $_POST['posttitle'];}?>'></p>
        <p><label>description</label><br />
        <textarea id="textarea" name='postdesc' cols='20' rows='5'><?php if(isset($error)){ echo $_POST['postdesc'];}?></textarea></p>
        <p><label>content</label><br />
        <textarea name='postcont' cols='20' rows='5'><?php if(isset($error)){ echo $_POST['postcont'];}?></textarea></p>
        <p><label>image</label><input type="file" name="uploadedimage"></p>
        <input type='submit' name='submit' value='submit'>
        <input type='reset' name='submit' value='reset'>
    </form>
    <?php include 'add-post-handler.php' ?>
And here is the code I used to upload the image:
    function getimageextension($imagetype)
    {
        if (empty($imagetype)) return false;
        switch ($imagetype) {
            case 'image/bmp': return '.bmp';
            case 'image/gif': return '.gif';
            case 'image/jpeg': return '.jpg';
            case 'image/png': return '.png';
            default: return false;
        }
    }

    if (!empty($_FILES["uploadedimage"]["name"])) {
        $file_name = $_FILES["uploadedimage"]["name"];
        $temp_name = $_FILES["uploadedimage"]["tmp_name"];
        $imgtype = $_FILES["uploadedimage"]["type"];
        $ext = getimageextension($imgtype);
        $imagename = $_FILES["uploadedimage"]["name"];
        $target_path = "../img/".$imagename;
        if (move_uploaded_file($temp_name, $target_path)) {
            $query_upload = "INSERT INTO blog_images (imgpath) VALUES ('$target_path')";
            mysqli_query($link, $query_upload) or die("error in $query_upload == ----> ".mysqli_error($link));
        } else {
            exit("error while uploading image on server");
        }
    }
PS: I have doubts about how the imageid can be related to the postid, considering both are submitted from the same form. (I made a relation between the 2 tables; it's on the primary keys. I'm not sure if it's correct.)
Thanks for the help!
Looking at your code: move_uploaded_file returns false on 2 premises (stated in the PHP docs):
If filename is not a valid upload file, then no action will occur, and move_uploaded_file() will return false.
If filename is a valid upload file, but cannot be moved for some reason, no action will occur, and move_uploaded_file() will return false. Additionally, a warning will be issued.
My best guess, with the information you provided:
- Your path is not writeable by the application/webserver, so it won't be moved.
Make sure the application (the webserver) can write to your path '../img/' by issuing a chmod to give the directory the correct rights for the webserver user.
Security advice (not related to the question):
- Your application has, in this state, a potential SQLi in $target_path. You should think about using prepared statements.
- Your form writes POST data directly to the output. This leads to XSS. You should encode special characters in your output.
- Make sure that only images can be uploaded and that scripts can't be executed in your '../img' path. One could exploit your upload to upload a script and execute it.
The easiest way to prevent SQLi in this case would be hashing the imagename and setting the extension with the $ext variable:
    [...]
    $ext = getimageextension($imgtype);
    if ($ext === false) {
        exit("couldn't determine filetype correctly. please upload pictures only.");
    }
    $imagename = md5($_FILES["uploadedimage"]["name"].time()).$ext;
    $target_path = "../img/".$imagename;
    [...]
The time() is included, so you can upload pictures with the same name.
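
The points raised in the answer above, combined into one handler. This is an added example, not code from the question or the answer; it assumes $link is an open mysqli connection and the blog_images(imgpath) table from the question, and the function name store_uploaded_image() and the 2 MiB size limit are hypothetical.

```php
<?php
// Added example. Assumptions: $link is an open mysqli connection, blog_images(imgpath)
// exists as in the question; store_uploaded_image() and the size limit are hypothetical.
function store_uploaded_image(array $file, mysqli $link, string $dir = '../img/'): string
{
    // Surface PHP's own upload error code instead of a generic failure.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('Not a valid upload, or file too large');
    }
    // The cause the answer suspects when move_uploaded_file() returns false.
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("Directory $dir is not writable by the web server user");
    }

    // Detect the type from the file content; $file['type'] is supplied by the client.
    $allowed = ['image/gif' => '.gif', 'image/jpeg' => '.jpg', 'image/png' => '.png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Rejected content type: ' . $mime);
    }

    // Server-generated name: nothing user-controlled reaches the path or the query.
    $target = $dir . bin2hex(random_bytes(16)) . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move_uploaded_file() failed for ' . $target);
    }

    // Prepared statement: the path is bound as data, never concatenated into SQL.
    $stmt = mysqli_prepare($link, 'INSERT INTO blog_images (imgpath) VALUES (?)');
    mysqli_stmt_bind_param($stmt, 's', $target);
    mysqli_stmt_execute($stmt);
    return $target;
}

// Usage in add-post-handler.php: details go to the log, the visitor sees a fixed message.
if (isset($link) && !empty($_FILES['uploadedimage']['name'])) {
    try {
        $path = store_uploaded_image($_FILES['uploadedimage'], $link);
        echo 'Stored as ' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log($e->getMessage());
        exit('error while uploading image on server');
    }
}
```

The web server should additionally be configured not to execute scripts from the image directory, since that cannot be enforced from this handler.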