I'm not familiar with PHP, but... I have one form with two file upload fields, one for an archive and the other for its thumbnail. It puts the names into a MySQL table. First, it would be nice to rename files if they already exist in the directories, and I can't do that. Second, it uploads the image, but I can't get it to make a thumbnail with specific proportions.

My forms:

    <form method="post" action="up.php" enctype="multipart/form-data">
        <p>
          Firstname:
        </p>
        <input type="text" name="firstname"/>
        <p>
          lastname:
        </p>
        <input type="text" name="lastname"/>
        <p>
          Please Upload a Photo.
        </p>
        <p>
          Photo:
        </p>
        <input type="hidden" name="size" value="350000">
        <input type="file" name="photo">
        <p>
          Arhiv:
        </p>
        <input type="hidden" name="size" value="350000">
        <input type="file" name="sub">
        <p>
          middlename:
        </p>
        <input type="text" name="middlename"/>
        <p>
          address:
        </p>
        <input type="text" name="address"/>
        <p>
          <input type="submit" value="Upload"/>
        </p>
    </form>

And my upload.php:

    <?php

    // These are the directories where the uploaded files will be saved
    $arhivTarget = "files/" . basename($_FILES['sub']['name']);
    $target = "upl/" . basename($_FILES['photo']['name']);

    // This gets all the other information from the form
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $poster = $_FILES['photo']['name'];
    $middlename = $_POST['middlename'];
    $address = $_POST['address'];
    // Kept in its own variable so it does not overwrite the target path above
    $arhiv = $_FILES['sub']['name'];

    // Connects to your database
    mysql_connect("localhost", "root", "pass") or die(mysql_error());
    mysql_select_db("asc_desc") or die(mysql_error());

    // Writes the information to the database
    // (the form values are placed in the SQL string as-is)
    mysql_query("INSERT INTO member (firstname,lastname,poster,middlename,address,arhiv)
    VALUES ('$firstname', '$lastname', '$poster', '$middlename', '$address', '$arhiv')");

    // Writes the photo and the archive to the server
    $photoOk = move_uploaded_file($_FILES['photo']['tmp_name'], $target);
    $arhivOk = move_uploaded_file($_FILES['sub']['tmp_name'], $arhivTarget);

    if ($photoOk && $arhivOk) {
        // Tells you if it's all OK
        echo "The file " . basename($_FILES['photo']['name']) . " has been uploaded, and your information has been added to the directory";
        echo "<p>The file " . basename($_FILES['sub']['name']) . " is uploaded, too</p>";
    } else {
        // Gives an error if it's not
        echo "Sorry, there was a problem uploading your file.";
    }

    ?>
    <p>
    <a href="1.php">Back to form</a>
    </p>
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). You should also check the file that is being uploaded, otherwise one could upload malicious files like a `.php` file. – Gumbo Apr 06 '14 at 12:32
  • Yes, I know, but first I want to make this work; after that I will check the file and size – user3503495 Apr 06 '14 at 12:43
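
The two points raised in the first comment (SQL injection and unchecked uploads), as an added example that is not part of the original post or the asker's code. The table, columns, field names and directories come from the question; the PDO DSN and credentials, the MIME allowlists and the helper name `store_upload` are assumptions. The stored name is server-generated, so the `poster` and `arhiv` columns hold that name rather than the client's file name, which also avoids overwriting a file that already exists.

```php
<?php
// Added example (not the asker's code). Allowlists, DSN and credentials are assumptions.
const MAX_BYTES = 350000; // same limit as the form's hidden "size" field

// Validate one upload and move it under a server-generated name.
// Returns the stored file name; throws RuntimeException on rejection.
function store_upload(array $file, string $dir, array $allowed): string
{
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from the content, not from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    // A random name with an allowlisted extension will not collide with an
    // existing file in practice and can never end in .php.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $poster = store_upload($_FILES['photo'] ?? [], 'upl/',
            ['image/jpeg' => 'jpg', 'image/png' => 'png']);
        $arhiv = store_upload($_FILES['sub'] ?? [], 'files/',
            ['application/zip' => 'zip']);
        $pdo = new PDO('mysql:host=localhost;dbname=asc_desc;charset=utf8mb4',
            'app_user', 'app_password', // placeholder credentials
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // Placeholders keep the form values out of the SQL text.
        $stmt = $pdo->prepare('INSERT INTO member
            (firstname, lastname, poster, middlename, address, arhiv)
            VALUES (?, ?, ?, ?, ?, ?)');
        $stmt->execute([$_POST['firstname'] ?? '', $_POST['lastname'] ?? '',
            $poster, $_POST['middlename'] ?? '', $_POST['address'] ?? '', $arhiv]);
        echo 'Stored ' . htmlspecialchars($poster) . ' and ' . htmlspecialchars($arhiv);
    } catch (RuntimeException $e) { // PDOException is a RuntimeException too
        echo 'Sorry, there was a problem uploading your file.';
    }
}
```

Content sniffing alone does not make a file harmless, so the upload directories should also be configured so the web server never executes scripts from them.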

0 Answers