Upload a file question

This is a discussion on Upload a file question within the PHP Language forums, part of the PHP Programming Forums category.


#1  06-20-2008  Pépê
Upload a file question

Hi all.

I'm a newbie in PHP and I'm trying to upload a file to the server.

I use a form to upload a PDF file and some text information about it.

The client uploads the file and the system renames that file and puts
all the information in the database.

The problem is when the client goes again to edit the information: I
always have to choose a file to upload, or else it will blank the
PDF column and he can't find the old one!

I do a $_POST['file'] in the UPDATE statement, but I think I need to do
an if clause (and I don't know what I'm going to put in it)... but where? I tried
it in the UPDATE statement and I can't..
#2  06-20-2008  Captain Paralytic
Re: Upload a file question

Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

// Only add the file column when a new file name was submitted; the
// fragment carries its own leading comma so it can be appended after
// the last fixed column (or vanish entirely when it is empty).
if (!empty($_POST['file']))
    $fileup = ", file = '{$_POST['file']}'";
else
    $fileup = '';

$qry = "
INSERT INTO fred SET
    id = {$id},
    info1 = '{$info1}',
    info2 = '{$info2}'
    {$fileup}
ON DUPLICATE KEY UPDATE
    info1 = '{$info1}',
    info2 = '{$info2}'
    {$fileup}
";

#3  06-20-2008  Pépê
Re: Upload a file question

Thanks for the help Captain.

I've had some problems recently with SQL injection in ASP.

I'm new to PHP. How can I protect the forms in PHP?

I will do a search on Google in the meantime...

Once again, thanks

#4  06-20-2008  sheldonlg
Re: Upload a file question

Look up mysql_real_escape_string
#5  06-20-2008  Captain Paralytic
Re: Upload a file question

Please do not top post (top posting fixed).

Your main tool for this is mysql_real_escape_string(), but you will
find lots of good threads about this subject in the archives of this
forum.
#6  06-20-2008  Jeff
Re: Upload a file question

sheldonlg wrote:
> Look up mysql_real_escape_string

I'm new to PHP also.

Wouldn't that be unnecessary with PDO and placeholders?

It is with perl DBI that strongly resembles PDO and I'd like to know
if I'm mistaken.

Jeff
#7  06-20-2008  Rik Wasmus
Re: Upload a file question

On Fri, 20 Jun 2008 14:17:27 +0200, Jeff <jeff@spam_me_not.com> wrote:
> sheldonlg wrote:
>> Look up mysql_real_escape_string
>
> I'm new to PHP also.
>
> Wouldn't that be unnecessary with PDO and placeholders?

If you indeed use prepared statements, then yes, it is not necessary to use
mysql_real_escape_string(). It would be destructive even, as your
variables in the database could be polluted with unnecessary (and unused)
escaping characters.
--
Rik Wasmus
....spamrun finished
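The following is an added example, not code posted by anyone in this thread. It puts together what the replies above are separately getting at: the "only touch the PDF column when a new file actually arrived" UPDATE from post #2, written on PDO prepared statements as posts #4, #5 and #7 discuss, so that no escaping of the request values is needed at all. The table and column names follow the ones in post #8; the in-memory SQLite database, the sample row and the fake upload slot are constructed for the demo, and rename() stands in for move_uploaded_file() because the demo file is not a real HTTP upload (an assumption of the demo, noted in the code).

```php
<?php
// Added example, not code from the thread. Rebuilds the post #2 "keep the old
// PDF unless a new one was uploaded" UPDATE on PDO prepared statements
// (posts #4, #5, #7). The SQLite table, sample row and upload slot below are
// constructed for this demo; names follow post #8.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE relatorio (
        relatorio_id     INTEGER PRIMARY KEY,
        relatorio_nome   TEXT NOT NULL,
        relatorio_ano    INTEGER NOT NULL,
        relatorio_pdf    TEXT,
        relatorio_activo INTEGER NOT NULL DEFAULT 1)');
    $db->exec("INSERT INTO relatorio VALUES (7, 'Annual report', 2007, 'r7.pdf', 1)");
    return $db;
}

// One slot of $_FILES (e.g. $_FILES['relatorio_pdf']) -> server-chosen stored
// name, or null when nothing usable was sent. Uploads arrive in $_FILES, not
// $_POST; a form submitted with the file field left empty reports
// UPLOAD_ERR_NO_FILE, which is exactly the "keep the old PDF" case.
function acceptPdfUpload(array $slot, string $uploadDir): ?string
{
    if (($slot['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Trust the bytes, not the client-supplied name or MIME type.
    if (file_get_contents($slot['tmp_name'], false, null, 0, 5) !== '%PDF-') {
        return null;
    }
    // Random server-side name: the client's filename never reaches the disk.
    $stored = bin2hex(random_bytes(16)) . '.pdf';
    // Assumption for the demo: rename() instead of move_uploaded_file(),
    // because the temp file here was not delivered by an HTTP request.
    if (!rename($slot['tmp_name'], $uploadDir . DIRECTORY_SEPARATOR . $stored)) {
        return null;
    }
    return $stored;
}

// With $newPdf === null the relatorio_pdf column is left out of the SET list,
// so the old value survives. Only fixed column names are concatenated; every
// value is a bound parameter, so mysql_real_escape_string() is neither
// needed nor (as post #7 notes) wanted.
function updateReport(PDO $db, int $id, string $nome, int $ano, bool $activo, ?string $newPdf): int
{
    $set    = ['relatorio_nome = :nome', 'relatorio_ano = :ano', 'relatorio_activo = :activo'];
    $params = [':nome' => $nome, ':ano' => $ano, ':activo' => (int) $activo, ':id' => $id];
    if ($newPdf !== null) {
        $set[]          = 'relatorio_pdf = :pdf';
        $params[':pdf'] = $newPdf;
    }
    $stmt = $db->prepare('UPDATE relatorio SET ' . implode(', ', $set) . ' WHERE relatorio_id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

function currentPdf(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT relatorio_pdf FROM relatorio WHERE relatorio_id = :id');
    $stmt->execute([':id' => $id]);
    $pdf = $stmt->fetchColumn();
    return $pdf === false ? null : $pdf;
}

$db  = openDemoDb();
$dir = sys_get_temp_dir();

// 1. Edit form submitted without choosing a file: the old PDF must be kept.
$none = acceptPdfUpload(['error' => UPLOAD_ERR_NO_FILE], $dir);
updateReport($db, 7, 'Annual report (revised)', 2007, true, $none);
echo "after edit without file: ", currentPdf($db, 7), "\n";

// 2. Edit form submitted with a new file (constructed upload slot; note the
//    hostile client filename, which is never used).
$tmp = tempnam($dir, 'up');
file_put_contents($tmp, "%PDF-1.4\n% constructed demo file\n");
$slot   = ['name' => '../../shell.php', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
$stored = acceptPdfUpload($slot, $dir);
updateReport($db, 7, 'Annual report (revised)', 2008, true, $stored);
echo "after edit with file:    ", currentPdf($db, 7), "\n";
if ($stored !== null) {
    unlink($dir . DIRECTORY_SEPARATOR . $stored);   // demo cleanup
}
```

Run it with the php CLI (pdo_sqlite is bundled with most builds). The first line prints r7.pdf because the column was never part of the statement; the second prints the random server-chosen name. The same shape works unchanged against MySQL via PDO: only the DSN in openDemoDb() changes.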
#8  06-24-2008  Pépê
Re: Upload a file question

Hi Captain,

I tried what you've done but with the UPDATE statement:

if (!empty($_POST['relatorio_pdf'])) {
    // SQL fragment with its own leading comma, appended after the last SET column
    $fileup = ", relatorio_pdf = '{$_POST['relatorio_pdf']}'";
} else {
    $fileup = '';
}

if (empty($error)) {

    $sql = "UPDATE relatorio SET
                relatorio_nome = '{$_POST['relatorio_nome']}',
                relatorio_ano = '{$_POST['relatorio_ano']}',
                relatorio_activo = '{$_POST['relatorio_activo']}'
                {$fileup}
            WHERE relatorio_id = {$_GET['relatorio_id']}";

}

But it didn't work..

And I didn't quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?)
#9  06-24-2008  Jerry Stuckle
Re: Upload a file question

That's because you use UPDATE instead of INSERT.

INSERT adds a new row to the database (or, as a MySQL extension, updates
a current row). UPDATE only changes a row which already exists; it does
not add a new row.

Additionally,

$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"

is part of the SQL statement. Do you have a column named
'relatorio_pdf' in your table? Also, is the field name in your form
'relatorio_pdf'? If the answer to both is yes, then this code is
correct. Otherwise, this is a problem.

And finally, when you get your code to what Paul showed you, "it's not
working" isn't much help. What errors do you get?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

#10  06-24-2008  Pépê
Re: Upload a file question

Thanks Jerry, yes everything was working in SQL. It was an error with
php.ini about filesize ...

Another question: can an attacker do SQL injection through an INSERT
or UPDATE statement?

Because I'm reading a book about security in SQL and he uses the secure
method only for SELECT statements, like in this example:

$query = sprintf('SELECT field FROM table WHERE FIELD_ID = %d',
                 $_POST['field_id']);

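An added example (not from the thread) for the question in post #10. Injection is a property of how the SQL text is built, not of which verb starts it: an UPDATE assembled the way post #8 does it can be bent through either the unquoted id in the WHERE clause or the quoted name in the SET clause. The block runs three variants of that UPDATE against an in-memory SQLite table with constructed rows and two constructed attacker inputs, and reports how many rows each one changed. The book's sprintf('%d') idiom, applied to the UPDATE, is the middle variant; the last one uses a prepared statement with the id validated before use.

```php
<?php
// Added example, not code from the thread. Three versions of the post #8
// UPDATE run against a constructed SQLite table with constructed attacker
// input, to show that INSERT/UPDATE are injectable exactly like SELECT.
declare(strict_types=1);

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE relatorio (relatorio_id INTEGER PRIMARY KEY, relatorio_nome TEXT NOT NULL)');
    $db->exec("INSERT INTO relatorio VALUES (7, 'Report 2007'), (8, 'Report 2008')");
    return $db;
}

// (a) Shaped like post #8: request values pasted straight into the SQL text.
function renameVulnerable(PDO $db, string $id, string $nome): int
{
    return $db->exec("UPDATE relatorio SET relatorio_nome = '{$nome}' WHERE relatorio_id = {$id}");
}

// (b) The book's sprintf() pattern carried over to UPDATE. %d casts the id to
// an integer, so a tail such as " OR 1=1" is dropped; %s does nothing for the
// string column, so a quote inside the name still breaks out of the literal.
function renameSprintf(PDO $db, string $id, string $nome): int
{
    return $db->exec(sprintf("UPDATE relatorio SET relatorio_nome = '%s' WHERE relatorio_id = %d", $nome, $id));
}

// (c) Prepared statement: fixed SQL text, values bound, id validated as digits
// before it is used at all (reject, do not "repair", bad input).
function renameSafe(PDO $db, string $id, string $nome): int
{
    if (!ctype_digit($id)) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE relatorio SET relatorio_nome = :nome WHERE relatorio_id = :id');
    $stmt->bindValue(':nome', $nome, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed attacker inputs: one aims at the unquoted id, the other at the
// quoted name ("-- " turns the rest of the statement into a comment).
$idAttack   = '7 OR 1=1';
$nameAttack = "pwned' WHERE 1=1 -- ";

$cases = [
    'vulnerable, id attack'   => fn(PDO $db) => renameVulnerable($db, $idAttack, 'Renamed'),
    'vulnerable, name attack' => fn(PDO $db) => renameVulnerable($db, '7', $nameAttack),
    'sprintf, id attack'      => fn(PDO $db) => renameSprintf($db, $idAttack, 'Renamed'),
    'sprintf, name attack'    => fn(PDO $db) => renameSprintf($db, '7', $nameAttack),
    'prepared, id attack'     => fn(PDO $db) => renameSafe($db, $idAttack, 'Renamed'),
    'prepared, name attack'   => fn(PDO $db) => renameSafe($db, '7', $nameAttack),
];
foreach ($cases as $label => $run) {
    $db = demoDb();                                 // fresh rows for every case
    printf("%-24s rows changed: %d\n", $label, $run($db));
}
```

Both attacks against variant (a) change every row in the table, which is what an unquoted $_GET['relatorio_id'] in a WHERE clause buys an attacker. Variant (b) stops the id attack but not the name attack, so sprintf('%d') is a fix for integer columns only. Variant (c) changes exactly the one intended row for the name attack (the hostile string is stored literally as a name, never interpreted as SQL) and refuses the id attack outright. A prepared statement with bound values is the general answer for SELECT, INSERT and UPDATE alike.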