
I'm not getting any errors when I run this script. It is creating the directories needed, but the image is not being moved or uploaded. It's not the best code in the world, but I feel like I am on the right track for what I need. I know I still need to escape the user input and limit file types to images only on the server side.

Could anyone tell me/show me how to improve this code?

require ($_SERVER['DOCUMENT_ROOT'].'/settings/global.php');
 session_start();
 $fName = $_POST['first_name'];
 $lName = $_POST['last_name'];
 $dob = $_POST['dob'];
 $dod = $_POST['dod'];
 $born = $_POST['born'];
 $image = $_FILES['image'];
 $about = $_POST['about'];
 $started = $_POST['started'];
 $company = $_POST['company'];

 $name = $lName.$fName;
 $name1 = substr($name, 0, 1); 
 $name2 = substr($name, 0, 2); 
 $name3 = substr($name, 0, 3); 
 $name4 = substr($name, 0, 4); 

  $imagePath = $_SERVER['DOCUMENT_ROOT']."/images/fallenIcons/".$name1."/".$name2."/".$name3."/".$name4."/".$name."/";

  $imageStorePath = "http://example.com/images/fallenIcons/".$name1."/".$name2."/".$name3."/".$name4."/".$name."/";


 if (!file_exists($imagePath)) {
    mkdir($imagePath, 0777, true);
}

 $filename = $_FILES["image"]["name"];
 $extension = end(explode(".", $filename));
 $newfilename = $name .".".$extension;

 $image = $imageStorePath.$newfilename;

 move_uploaded_file($_FILES[ 'image' ][ 'tmp_name' ], $imageStorePath.$newfilename);

 $mysqli=mysqli_connect(HOST,USERNAME,PASSWORD,'fallenPEVORecords');
 $query = "INSERT INTO fallenPEVOEntries (first_name,last_name,date_of_birth,date_of_death,born_in,main_image,pevo_details,year_started,worked_for,approved) 
                              VALUES 
                             ('$fName','$lName','$dob','$dod','$born','$image','$about','$started','$company','pending')";
 $result = mysqli_query($mysqli,$query)or die(mysqli_error($mysqli));

 if($result) {
  header('Location: http://example.com/fallen/addFallen.php');
  echo 'true';
 }
 else{
 echo 'false';
 }

HTML:

<form action="http://example.com/scripts/php/addFallen.php" method="post">
        <ul>
              <li> 
               <label for="first_name">First Name</label>
           <input type="text" size="30"  name="first_name"/>
          </li>
          <li> 
               <label for="last_name">Last Name</label>
           <input type="text" size="30"  name="last_name"/>
          </li>
          <li> 
               <label for="dob">Date of Birth</label>
           <input type="text" size="30"  name="dob" class="datepicker">
          </li>
          <li> 
               <label for="dod">Date of Passing</label>
           <input type="text" size="30"  name="dod" class="datepicker">
          </li>
          <li> 
               <label for="born">Born In [City, State]</label>
           <input type="text" size="30"  name="born"/>
          </li>
          <li> 
               <label for="image">Image</label>
           <input type="file" name="image" enctype="multipart/form-data" accept="image/x-png, image/gif, image/jpeg"/>
          </li>
          <li> 
               <label for="about">About The PEVO</label>
           <textarea name="about" rows="8" cols="45"></textarea>
          </li>
          <li> 
               <label for="started">When did this PEVO start piloting? [Year]</label>
           <input type="text" name="started"  class="date-picker-year">
          </li>
          <li> 
               <label for="company">Company Worked For</label>
           <input type="text" name="company" size="30">
          </li>
                  <li> 
                   <label></label>
           <input type="submit" name="addFallen" value="Submit">
          </li>
          <li>
           <b>ALL SUBMISSIONS MUST BE APPROVED BY AN ADMIT BEFORE THEY APPEAR!</b>
          </li>
        </ul>
         </form>

EDIT: Just modified how you get your extension

<?php 
require ($_SERVER['DOCUMENT_ROOT'].'/settings/global.php');
 session_start();
 $fName = $_POST['first_name'];
 $lName = $_POST['last_name'];
 $dob = $_POST['dob'];
 $dod = $_POST['dod'];
 $born = $_POST['born'];
 $image = $_FILES['image'];
 $about = $_POST['about'];
 $started = $_POST['started'];
 $company = $_POST['company'];

 $name = $lName.$fName;
 $name1 = substr($name, 0, 1); 
 $name2 = substr($name, 0, 2); 
 $name3 = substr($name, 0, 3); 
 $name4 = substr($name, 0, 4); 

  $imagePath = $_SERVER['DOCUMENT_ROOT']."/images/fallenIcons/".$name1."/".$name2."/".$name3."/".$name4."/".$name."/";

  $imageStorePath = "http://example.com/images/fallenIcons/".$name1."/".$name2."/".$name3."/".$name4."/".$name."/";


 if (!file_exists($imagePath)) {
    mkdir($imagePath, 0777, true);
}

 $filename = $_FILES["image"]["name"];
 $extension = pathinfo( $filename );
 $extension = ( isset( $extension[ 'extension' ] ) && trim( $extension[ 'extension' ] ) ? $extension[ 'extension' ] : '' );
 $newfilename = $name .".".$extension;

 $image = $imageStorePath.$newfilename;

 move_uploaded_file($_FILES[ 'image' ][ 'tmp_name' ], $image );

 $mysqli=mysqli_connect(HOST,USERNAME,PASSWORD,'fallenPEVORecords');
 $query = "INSERT INTO fallenPEVOEntries (first_name,last_name,date_of_birth,date_of_death,born_in,main_image,pevo_details,year_started,worked_for,approved) 
                              VALUES 
                             ('$fName','$lName','$dob','$dod','$born','$image','$about','$started','$company','pending')";
 $result = mysqli_query($mysqli,$query)or die(mysqli_error($mysqli));

 if($result) {
  header('Location: http://example.com/fallen/addFallen.php');
  echo 'true';
 }
 else{
 echo 'false';
 }

1 Answer

The first argument to move_uploaded_file() is the temp file of the uploaded file; here you are giving it something else

move_uploaded_file($image, $imagePath.$newfilename);

Should be

move_uploaded_file($_FILES[ 'image' ][ 'tmp_name' ], $imagePath.$newfilename);

7 Comments

changed it but still didn't move the file.
In your form, are you sure you are having enctype="multipart/form-data" attribute?
I'll post my html :) I should have done that from the start.
Now your form is not having it...it should lie here <form action="http://example.com/scripts/php/addFallen.php" method="post" enctype="multipart/form-data">
That fixed it. Other than escaping user input, got any suggestions to improve this script?
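
One way to apply the improvements raised in this thread (server-side image check, a filesystem destination for move_uploaded_file(), no user input in the storage path, a parameterised INSERT). This is an added example, not code from the original posts: `store_image()`, `save_entry()`, the 5 MB cap and the type allow-list are assumptions, while the table, columns, paths and constants are the ones in the question.

```php
<?php
// Added example. Assumed: store_image(), save_entry(), MAX_BYTES, ALLOWED_TYPES.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 5 * 1024 * 1024;

function store_image(array $file, string $baseDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Upload missing, failed or too large (is enctype on the <form>?)');
    }
    // Detect the type from the file contents, not the client-supplied name or accept= hint.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG, PNG and GIF are accepted');
    }
    // Server-generated name and extension: no user input reaches the filesystem path.
    $id = bin2hex(random_bytes(16));
    $relative = substr($id, 0, 2) . '/' . $id . '.' . ALLOWED_TYPES[$mime];
    $target = $baseDir . '/' . $relative;
    if (!is_dir(dirname($target)) && !mkdir(dirname($target), 0755, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    // Destination is a filesystem path; an http:// URL cannot be written to.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $relative;
}

function save_entry(mysqli $db, array $post, string $imageUrl): void
{
    // Bound parameters travel separately from the SQL text, so quotes in input are inert.
    $stmt = $db->prepare('INSERT INTO fallenPEVOEntries (first_name,last_name,date_of_birth,'
        . 'date_of_death,born_in,main_image,pevo_details,year_started,worked_for,approved) '
        . "VALUES (?,?,?,?,?,?,?,?,?,'pending')");
    $stmt->bind_param('sssssssss', $post['first_name'], $post['last_name'], $post['dob'],
        $post['dod'], $post['born'], $imageUrl, $post['about'], $post['started'], $post['company']);
    $stmt->execute();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    require $_SERVER['DOCUMENT_ROOT'] . '/settings/global.php'; // HOST, USERNAME, PASSWORD
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // failures throw
    $rel = store_image($_FILES['image'] ?? [], $_SERVER['DOCUMENT_ROOT'] . '/images/fallenIcons');
    $db = new mysqli(HOST, USERNAME, PASSWORD, 'fallenPEVORecords');
    save_entry($db, $_POST, '/images/fallenIcons/' . $rel);
    header('Location: http://example.com/fallen/addFallen.php');
    exit;
}
```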