
Upload a file question

Hi all.

I'm a newbie in PHP and I'm trying to upload a file to the server.

I use a form to upload a pdf file and some text information about it.

The client uploads the file and the system renames that file and puts
all the information in the database.

The problem is when the client goes again to edit the information, I
always have to choose a file to upload or else it will leave the
pdf column blank and he can't find the old one!

I do a $_POST['file'] to the UPDATE statement but I think I need to do
an if clause (and don't know what I'm going to put)... but where? I tried
it in the UPDATE statement and I can't..
Jun 27 '08 #1
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
Hi all.

I'm a newbie in PHP and I'm trying to upload a file to the server.

I use a form to upload a pdf file and some text information about it.

The client uploads the file and the system renames that file and puts
all the information in the database.

The problem is when the client goes again to edit the information, I
always have to choose a file to upload or else it will leave the
pdf column blank and he can't find the old one!

I do a $_POST['file'] to the UPDATE statement but I think I need to do
an if clause (and don't know what I'm going to put)... but where? I tried
it in the UPDATE statement and I can't..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
$fileup = ",file = '{$_POST['file']}'";
else
$fileup = '';

$qry = "
INSERT INTO fred SET
id = {$id},
info1 = '{$info1}',
info2 = '{$info2}'
{$fileup}
ON DUPLICATE KEY UPDATE
info1 = '{$info1}',
info2 = '{$info2}'
{$fileup}
";

Jun 27 '08 #2
Thanks for the help Captain.

I've had some problems recently with SQL injection in ASP.

I'm new in PHP. How can I protect the forms in PHP?

I will do a search in Google in the meantime...

Once again, thanks

On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
Hi all.
I'm a newbie in PHP and I'm trying to upload a file to the server.
I use a form to upload a pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, I
always have to choose a file to upload or else it will leave the
pdf column blank and he can't find the old one!
I do a $_POST['file'] to the UPDATE statement but I think I need to do
an if clause (and don't know what I'm going to put)... but where? I tried
it in the UPDATE statement and I can't..

Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
  $fileup = ",file = '{$_POST['file']}'";
else
  $fileup = '';

$qry = "
INSERT INTO fred SET
  id = {$id},
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
ON DUPLICATE KEY UPDATE
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
";
Jun 27 '08 #3
Pépê wrote:
Thanks for the help Captain.

I've had some problems recently with SQL injection in ASP.

I'm new in PHP. How can I protect the forms in PHP?
Look up mysql_real_escape_string
Jun 27 '08 #4
On Jun 20, 11:33 am, Pépê <josemariabar...@gmail.com> wrote:
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
Hi all.
I'm a newbie in PHP and I'm trying to upload a file to the server.
I use a form to upload a pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, I
always have to choose a file to upload or else it will leave the
pdf column blank and he can't find the old one!
I do a $_POST['file'] to the UPDATE statement but I think I need to do
an if clause (and don't know what I'm going to put)... but where? I tried
it in the UPDATE statement and I can't..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.
if($_POST['file'])
  $fileup = ",file = '{$_POST['file']}'";
else
  $fileup = '';
$qry = "
INSERT INTO fred SET
  id = {$id},
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
ON DUPLICATE KEY UPDATE
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
Thanks for the help Captain.

I've had some problems recently with SQL injection in ASP.

I'm new in PHP. How can I protect the forms in PHP?

I will do a search in Google in the meantime...

Once again, thanks
Please do not top post (top posting fixed).

Your main tool for this is mysql_real_escape_string(), but you will
find lots of good threads about this subject in the archives of this
forum.
Jun 27 '08 #5
sheldonlg wrote:
>Pépê wrote:
>>Thanks for the help Captain.
>>
>>I've had some problems recently with SQL injection in ASP.
>>
>>I'm new in PHP. How can I protect the forms in PHP?
>
>Look up mysql_real_escape_string

I'm new to php also.

Wouldn't that be unnecessary with PDO and placeholders?

It is with perl DBI that strongly resembles PDO and I'd like to know
if I'm mistaken.

Jeff
Jun 27 '08 #6
On Fri, 20 Jun 2008 14:17:27 +0200, Jeff <jeff@spam_me_not.com> wrote:
>sheldonlg wrote:
>>Pépê wrote:
>>>Thanks for the help Captain.
>>>
>>>I've had some problems recently with SQL injection in ASP.
>>>
>>>I'm new in PHP. How can I protect the forms in PHP?
>>Look up mysql_real_escape_string
>
>I'm new to php also.
>
>Wouldn't that be unnecessary with PDO and placeholders?
If you indeed use prepared statements, then yes, it is not necessary to use
mysql_real_escape_string(). It would be destructive even, as your
variables in the database could be polluted with unnecessary (and unused)
escaping characters.
--
Rik Wasmus
....spamrun finished
Jun 27 '08 #7
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
Hi all.
I'm a newbie in PHP and I'm trying to upload a file to the server.
I use a form to upload a pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, I
always have to choose a file to upload or else it will leave the
pdf column blank and he can't find the old one!
I do a $_POST['file'] to the UPDATE statement but I think I need to do
an if clause (and don't know what I'm going to put)... but where? I tried
it in the UPDATE statement and I can't..

Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
  $fileup = ",file = '{$_POST['file']}'";
else
  $fileup = '';

$qry = "
INSERT INTO fred SET
  id = {$id},
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
ON DUPLICATE KEY UPDATE
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
";
Hi Captain,

I tried what you've done but with the update statement:

if($_POST['relatorio_pdf']){
  $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
}else{
  $fileup = '';
}

if (empty($error) ) {

  $sql = "UPDATE relatorio SET
    relatorio_nome = '{$_POST['relatorio_nome']}',
    relatorio_ano = '{$_POST['relatorio_ano']}',
    relatorio_pdf = '$fileup',
    relatorio_activo = '{$_POST['relatorio_activo']}'
  WHERE relatorio_id = {$_GET['relatorio_id']}";
}
But it didn't work..

And I didn't quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?)
Jun 27 '08 #8
Pépê wrote:
>On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
>>On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
>>>Hi all.
>>>I'm a newbie in PHP and I'm trying to upload a file to the server.
>>>I use a form to upload a pdf file and some text information about it.
>>>The client uploads the file and the system renames that file and puts
>>>all the information in the database.
>>>The problem is when the client goes again to edit the information, I
>>>always have to choose a file to upload or else it will leave the
>>>pdf column blank and he can't find the old one!
>>>I do a $_POST['file'] to the UPDATE statement but I think I need to do
>>>an if clause (and don't know what I'm going to put)... but where? I tried
>>>it in the UPDATE statement and I can't..
>>Build your update statement dynamically. This is the sort of thing,
>>but you should sanitise the $_POST input.
>>
>>if($_POST['file'])
>>  $fileup = ",file = '{$_POST['file']}'";
>>else
>>  $fileup = '';
>>
>>$qry = "
>>INSERT INTO fred SET
>>  id = {$id},
>>  info1 = '{$info1}',
>>  info2 = '{$info2}'
>>  {$fileup}
>>ON DUPLICATE KEY UPDATE
>>  info1 = '{$info1}',
>>  info2 = '{$info2}'
>>  {$fileup}
>>";

>Hi Captain,
>
>I tried what you've done but with the update statement:
>
>if($_POST['relatorio_pdf']){
>  $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
>}else{
>  $fileup = '';
>}
>
>if (empty($error) ) {
>
>  $sql = "UPDATE relatorio SET
>    relatorio_nome = '{$_POST['relatorio_nome']}',
>    relatorio_ano = '{$_POST['relatorio_ano']}',
>    relatorio_pdf = '$fileup',
>    relatorio_activo = '{$_POST['relatorio_activo']}'
>  WHERE relatorio_id = {$_GET['relatorio_id']}";
>}
>But it didn't work..
>
>And I didn't quite understand this line: $fileup = ",relatorio_pdf =
>'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?)
That's because you use UPDATE instead of INSERT.

INSERT adds a new row to the database (or, as a MySQL extension, updates
a current row). UPDATE only changes a row which already exists; it does
not add a new row.

Additionally,

$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"

is part of the SQL statement. Do you have a column named
'relatorio_pdf' in your table? Also, is the field name in your form
'relatorio_pdf'? If the answer to both is yes, then this code is
correct. Otherwise, this is a problem.

And finally, when you get your code to what Paul showed you, "it's not
working" isn't much help. What errors do you get?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 27 '08 #9
On 24 Jun, 12:46, Jerry Stuckle <jstuck...@attglobal.net> wrote:
Pépê wrote:
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
Hi all.
I'm a newbie in PHP and I'm trying to upload a file to the server.
I use a form to upload a pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, I
always have to choose a file to upload or else it will leave the
pdf column blank and he can't find the old one!
I do a $_POST['file'] to the UPDATE statement but I think I need to do
an if clause (and don't know what I'm going to put)... but where? I tried
it in the UPDATE statement and I can't..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.
if($_POST['file'])
  $fileup = ",file = '{$_POST['file']}'";
else
  $fileup = '';
$qry = "
INSERT INTO fred SET
  id = {$id},
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
ON DUPLICATE KEY UPDATE
  info1 = '{$info1}',
  info2 = '{$info2}'
  {$fileup}
";
Hi Captain,
I tried what you've done but with the update statement:
if($_POST['relatorio_pdf']){
  $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
}else{
  $fileup = '';
}
if (empty($error) ) {
  $sql = "UPDATE relatorio SET
    relatorio_nome = '{$_POST['relatorio_nome']}',
    relatorio_ano = '{$_POST['relatorio_ano']}',
    relatorio_pdf = '$fileup',
    relatorio_activo = '{$_POST['relatorio_activo']}'
  WHERE relatorio_id = {$_GET['relatorio_id']}";
}
But it didn't work..
And I didn't quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?)

That's because you use UPDATE instead of INSERT.

INSERT adds a new row to the database (or, as a MySQL extension, updates
a current row). UPDATE only changes a row which already exists; it does
not add a new row.

Additionally,

$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"

is part of the SQL statement. Do you have a column named
'relatorio_pdf' in your table? Also, is the field name in your form
'relatorio_pdf'? If the answer to both is yes, then this code is
correct. Otherwise, this is a problem.

And finally, when you get your code to what Paul showed you, "it's not
working" isn't much help. What errors do you get?

Thanks Jerry, yes everything was working in SQL. It was an error with
PHP.ini about filesize ...

Other question: can an attacker insert SQL injection through an INSERT
or UPDATE statement?

Because I'm reading a book about security in SQL and he uses the security
method only for SELECT statements like in this example:

$query = sprintf('SELECT field FROM table WHERE FIELD_ID = %d',
$_POST['field_id']);

Jun 27 '08 #10
Pépê wrote:
>On 24 Jun, 12:46, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>Pépê wrote:
>>>On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
>>>>On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
>>>>>Hi all.
>>>>>I'm a newbie in PHP and I'm trying to upload a file to the server.
>>>>>I use a form to upload a pdf file and some text information about it.
>>>>>The client uploads the file and the system renames that file and puts
>>>>>all the information in the database.
>>>>>The problem is when the client goes again to edit the information, I
>>>>>always have to choose a file to upload or else it will leave the
>>>>>pdf column blank and he can't find the old one!
>>>>>I do a $_POST['file'] to the UPDATE statement but I think I need to do
>>>>>an if clause (and don't know what I'm going to put)... but where? I tried
>>>>>it in the UPDATE statement and I can't..
>>>>Build your update statement dynamically. This is the sort of thing,
>>>>but you should sanitise the $_POST input.
>>>>if($_POST['file'])
>>>>  $fileup = ",file = '{$_POST['file']}'";
>>>>else
>>>>  $fileup = '';
>>>>$qry = "
>>>>INSERT INTO fred SET
>>>>  id = {$id},
>>>>  info1 = '{$info1}',
>>>>  info2 = '{$info2}'
>>>>  {$fileup}
>>>>ON DUPLICATE KEY UPDATE
>>>>  info1 = '{$info1}',
>>>>  info2 = '{$info2}'
>>>>  {$fileup}
>>>>";
>>>Hi Captain,
>>>I tried what you've done but with the update statement:
>>>if($_POST['relatorio_pdf']){
>>>  $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
>>>}else{
>>>  $fileup = '';
>>>}
>>>if (empty($error) ) {
>>>  $sql = "UPDATE relatorio SET
>>>    relatorio_nome = '{$_POST['relatorio_nome']}',
>>>    relatorio_ano = '{$_POST['relatorio_ano']}',
>>>    relatorio_pdf = '$fileup',
>>>    relatorio_activo = '{$_POST['relatorio_activo']}'
>>>  WHERE relatorio_id = {$_GET['relatorio_id']}";
>>>}
>>>But it didn't work..
>>>And I didn't quite understand this line: $fileup = ",relatorio_pdf =
>>>'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?)
>>That's because you use UPDATE instead of INSERT.
>>
>>INSERT adds a new row to the database (or, as a MySQL extension, updates
>>a current row). UPDATE only changes a row which already exists; it does
>>not add a new row.
>>
>>Additionally,
>>
>>$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"
>>
>>is part of the SQL statement. Do you have a column named
>>'relatorio_pdf' in your table? Also, is the field name in your form
>>'relatorio_pdf'? If the answer to both is yes, then this code is
>>correct. Otherwise, this is a problem.
>>
>>And finally, when you get your code to what Paul showed you, "it's not
>>working" isn't much help. What errors do you get?


>Thanks Jerry, yes everything was working in SQL. It was an error with
>PHP.ini about filesize ...
>
>Other question: can an attacker insert SQL injection through an INSERT
>or UPDATE statement?
>
>Because I'm reading a book about security in SQL and he uses the security
>method only for SELECT statements like in this example:
>
>$query = sprintf('SELECT field FROM table WHERE FIELD_ID = %d',
>$_POST['field_id']);

Yes, UPDATE and INSERT statements are even more dangerous - SELECT
allows him to possibly see things he couldn't. INSERT/UPDATE allows him
to CHANGE things to what he shouldn't.

For instance - I had a customer about 2-3 years ago who was running
PHPBB2 on his site. He didn't keep up with the security fixes, and one
day a hacker went in and defaced the entire BBS. Fortunately, no data
was lost and after a couple of hours determining just what had been
changed, I was able to get into the database and fix it, with no loss of
data. Then I upgraded his PHPBB2 to the latest version. He now keeps
it updated.

But because of a security breach in an UPDATE statement, someone was
able to hack it.


Jun 27 '08 #11
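One way to do what Paul (dynamic UPDATE, pdf column only when a file arrived) and Rik (PDO placeholders instead of escaping) describe, and to see Jerry's point that an UPDATE takes untrusted values just as a SELECT does; this is an added example, not code from the thread. It assumes PHP 7.4+ with pdo_sqlite standing in for MySQL, the column names from Pépê's UPDATE, and two hypothetical helpers, buildUpdate() and runUpdate().

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with the
// pdo_sqlite extension; SQLite stands in for the MySQL table so it runs offline.
declare(strict_types=1);

// Hypothetical helper: build the UPDATE Paul described, adding the pdf
// column only when the upload step produced a new stored file name.
// Every value is a bound placeholder; column names come from a fixed list,
// never from the request, so nothing from $_POST/$_GET reaches the SQL text.
function buildUpdate(array $fields, ?string $newPdf, int $id): array
{
    $set = [];
    $params = [];
    foreach (['relatorio_nome', 'relatorio_ano', 'relatorio_activo'] as $col) {
        $set[] = "$col = :$col";
        $params[":$col"] = $fields[$col] ?? null;
    }
    if ($newPdf !== null && $newPdf !== '') {
        // A new file was uploaded: overwrite the stored name.
        // Otherwise the column is left out and the old pdf survives the edit.
        $set[] = 'relatorio_pdf = :relatorio_pdf';
        $params[':relatorio_pdf'] = $newPdf;
    }
    $params[':id'] = $id;   // caller casts: (int) $_GET['relatorio_id']
    $sql = 'UPDATE relatorio SET ' . implode(', ', $set) . ' WHERE relatorio_id = :id';
    return [$sql, $params];
}

// Hypothetical helper: prepare, execute, and report how many rows changed.
function runUpdate(PDO $db, array $fields, ?string $newPdf, int $id): int
{
    [$sql, $params] = buildUpdate($fields, $newPdf, $id);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed fixture with two rows, mirroring the columns in Pépê's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE relatorio (relatorio_id INTEGER PRIMARY KEY,
    relatorio_nome TEXT, relatorio_ano TEXT, relatorio_pdf TEXT, relatorio_activo TEXT)');
$db->exec("INSERT INTO relatorio VALUES
    (1, 'old name', '2007', 'a1b2c3.pdf', '1'),
    (2, 'other report', '2006', 'd4e5f6.pdf', '1')");

// Edit row 1 without choosing a file: text changes, relatorio_pdf is kept.
// The apostrophe needs no mysql_real_escape_string() because it is bound.
runUpdate($db, ['relatorio_nome' => "O'Brien report",
                'relatorio_ano' => '2008', 'relatorio_activo' => '1'], null, 1);

// Edit row 2 with a new file and a name containing quotes and SQL fragments:
// with placeholders it is stored as plain text and changes no other column.
runUpdate($db, ['relatorio_nome' => "x', relatorio_activo = '0', relatorio_pdf = 'y",
                'relatorio_ano' => '2008', 'relatorio_activo' => '1'], 'g7h8i9.pdf', 2);

foreach ($db->query('SELECT * FROM relatorio ORDER BY relatorio_id') as $row) {
    printf("%d | %s | %s | %s | %s\n", $row['relatorio_id'], $row['relatorio_nome'],
        $row['relatorio_ano'], $row['relatorio_pdf'], $row['relatorio_activo']);
}
```

Run it with the php command-line binary: row 1 keeps a1b2c3.pdf after the edit, and row 2 holds the quote-laden name literally with relatorio_activo still '1'.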
