468,772 Members | 2,318 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,772 developers. It's quick & easy.

Upload a file question

Hi all.

Im a newbie in PHP and im trying to upload a file to the server.

I use a form to upload a pdf file and some text information about it.

The client uploads the file and the system renames that file and puts
all the information in the database.

The problem is when the client goes again to edit the information, i
always have to choose a file to upload or else it will put blank the
pdf column and he cant find the old one!

i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..
Jun 27 '08 #1
10 1236
On Jun 20, 10:54*am, Pépê <josemariabar...@gmail.comwrote:
Hi all.

Im a newbie in PHP and im trying to upload a file to the server.

I use a form to upload a pdf file and some text information about it.

The client uploads the file and the system renames that file and puts
all the information in the database.

The problem is when the client goes again to edit the information, i
always have to choose a file to upload or else it will put blank the
pdf column and he cant find the old one!

i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
$fileup = ",file = '{$_POST['file']}'";
else
$fileup = '';

$qry = "
INSERT INTO fred SET
id = {$id},
info1 = '{$info1}',
info2 = '{$info2}
{$fileup}
ON DUPLICATE KEY UPDATE
info1 = '{$info1}',
info2 = '{$info2}'
{$fileup}
";

Jun 27 '08 #2
Thanks for the help Captain.

Ive had some problems recently with sql injection in ASP.

Im new in PHP. How can i protect the forms in PHP?

I will do a search in google in the meantime...

Once again, thanks

On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.comwrote:
On Jun 20, 10:54*am, Pépê <josemariabar...@gmail.comwrote:
Hi all.
Im a newbie in PHP and im trying to upload a file to the server.
I use a form to upload a pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, i
always have to choose a file to upload or else it will put blank the
pdf column and he cant find the old one!
i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..

Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
* $fileup = ",file = '{$_POST['file']}'";
else
* $fileup = '';

$qry = "
INSERT INTO fred SET
* id = {$id},
* info1 = '{$info1}',
* info2 = '{$info2}
* {$fileup}
ON DUPLICATE KEY UPDATE
* info1 = '{$info1}',
* info2 = '{$info2}'
* {$fileup}
";
Jun 27 '08 #3
Pépê wrote:
Thanks for the help Captain.

Ive had some problems recently with sql injection in ASP.

Im new in PHP. How can i protect the forms in PHP?
Look up mysql_real_escape_string
Jun 27 '08 #4
On Jun 20, 11:33*am, Pépê <josemariabar...@gmail.comwrote:
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.comwrote:
On Jun 20, 10:54*am, Pépê <josemariabar...@gmail.comwrote:
Hi all.
Im a newbie in PHP and im trying to upload a file to the server.
I use a form to upload a pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, i
always have to choose a file to upload or else it will put blank the
pdf column and he cant find the old one!
i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.
if($_POST['file'])
* $fileup = ",file = '{$_POST['file']}'";
else
* $fileup = '';
$qry = "
INSERT INTO fred SET
* id = {$id},
* info1 = '{$info1}',
* info2 = '{$info2}
* {$fileup}
ON DUPLICATE KEY UPDATE
* info1 = '{$info1}',
* info2 = '{$info2}'
* {$fileup}
Thanks for the help Captain.

Ive had some problems recently with sql injection in ASP.

Im new in PHP. How can i protect the forms in PHP?

I will do a search in google in the meantime...

Once again, thanks
Please do not top post (top posting fixed).

Your main tool for this is mysql_real_escape_string(), but you will
find lots of good threads about this subject in the archives of this
forum.
Jun 27 '08 #5
sheldonlg wrote:
Pépê wrote:
>Thanks for the help Captain.

Ive had some problems recently with sql injection in ASP.

Im new in PHP. How can i protect the forms in PHP?

Look up mysql_real_escape_string

I'm new to php also.

Wouldn't that be unnecessary with PDO and placeholders?

It is with perl DBI that strongly resembles PDO and I'd like to know
if I'm mistaken.

Jeff
Jun 27 '08 #6
On Fri, 20 Jun 2008 14:17:27 +0200, Jeff <jeff@spam_me_not.comwrote:
sheldonlg wrote:
>Pépê wrote:
>>Thanks for the help Captain.

Ive had some problems recently with sql injection in ASP.

Im new in PHP. How can i protect the forms in PHP?
Look up mysql_real_escape_string


I'm new to php also.

Wouldn't that be unnecessary with PDO and placeholders?
If you indeed use prepared statments, then yes, it is not necessary to use
mysql_real_escape_string(). It would be destructive even, as your
variables in the database could be polluted with unnecessary (and unused)
escaping characters.
--
Rik Wasmus
....spamrun finished
Jun 27 '08 #7
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.comwrote:
On Jun 20, 10:54*am, Pépê <josemariabar...@gmail.comwrote:
Hi all.
Im a newbie in PHP and im trying touploada file to the server.
I use a form touploada pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, i
always have to choose a file touploador else it will put blank the
pdf column and he cant find the old one!
i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..

Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
* $fileup = ",file = '{$_POST['file']}'";
else
* $fileup = '';

$qry = "
INSERT INTO fred SET
* id = {$id},
* info1 = '{$info1}',
* info2 = '{$info2}
* {$fileup}
ON DUPLICATE KEY UPDATE
* info1 = '{$info1}',
* info2 = '{$info2}'
* {$fileup}
";
Hi Captain,

I tried what you ve done but with the update statment:

if($_POST['relatorio_pdf']){
$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
}else{
$fileup = '';

if (empty($error) ) {

$sql = "UPDATE relatorio SET
relatorio_nome = '{$_POST['relatorio_nome']}',
relatorio_ano = '{$_POST['relatorio_ano']}',
relatorio_pdf = '$fileup',
relatorio_activo = '{$_POST['relatorio_activo']}'
WHERE relatorio_id = {$_GET['relatorio_id']}";
}
But it didnt worked..

And i didnt quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?
Jun 27 '08 #8
Pépê wrote:
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.comwrote:
>On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.comwrote:
>>Hi all.
Im a newbie in PHP and im trying touploada file to the server.
I use a form touploada pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, i
always have to choose a file touploador else it will put blank the
pdf column and he cant find the old one!
i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
$fileup = ",file = '{$_POST['file']}'";
else
$fileup = '';

$qry = "
INSERT INTO fred SET
id = {$id},
info1 = '{$info1}',
info2 = '{$info2}
{$fileup}
ON DUPLICATE KEY UPDATE
info1 = '{$info1}',
info2 = '{$info2}'
{$fileup}
";

Hi Captain,

I tried what you ve done but with the update statment:

if($_POST['relatorio_pdf']){
$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
}else{
$fileup = '';

if (empty($error) ) {

$sql = "UPDATE relatorio SET
relatorio_nome = '{$_POST['relatorio_nome']}',
relatorio_ano = '{$_POST['relatorio_ano']}',
relatorio_pdf = '$fileup',
relatorio_activo = '{$_POST['relatorio_activo']}'
WHERE relatorio_id = {$_GET['relatorio_id']}";
}
But it didnt worked..

And i didnt quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?
That's because you use UPDATE instead of INSERT.

INSERT adds a new row to the database (or, as a MySQL extension, updates
a current row). UPDATE only changes a row which already exists; it does
not add a new row.

Additionally,

$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"

is part of the SQL statement. Do you have a column named
'relatorio_pdf' in your table? Also, is the field name in your form
'relatorio_pdf'? If the answer to both is yes, then this code is
correct. Otherwise, this is a problem.

And finally, when you get your code to what Paul showed you, "it's not
working" isn't much help. What errors do you get?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 27 '08 #9
On 24 Jun, 12:46, Jerry Stuckle <jstuck...@attglobal.netwrote:
Pépê wrote:
On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.comwrote:
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.comwrote:
>Hi all.
Im a newbie in PHP and im trying touploada file to the server.
I use a form touploada pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, i
always have to choose a file touploador else it will put blank the
pdf column and he cant find the old one!
i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.
if($_POST['file'])
* $fileup = ",file = '{$_POST['file']}'";
else
* $fileup = '';
$qry = "
INSERT INTO fred SET
* id = {$id},
* info1 = '{$info1}',
* info2 = '{$info2}
* {$fileup}
ON DUPLICATE KEY UPDATE
* info1 = '{$info1}',
* info2 = '{$info2}'
* {$fileup}
";
Hi Captain,
I tried what you ve done but with the update statment:
* * * * * * * * * * * * * * * * * *if($_POST['relatorio_pdf']){
* * * * * * * * * * * * * * * * * ** $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
* * * * * * * * * * * * * * * * * *}else{
* * * * * * * * * * * * * * * * * ** $fileup = '';
* * * * * * * * * * * * * * * * * *if (empty($error) ) {
* * * * * * * * * * * * * * * * * ** * * *$sql = "UPDATE relatorio SET
* * * * * * * * * * * * * * * * * ** * * * * * * * * relatorio_nome = '{$_POST['relatorio_nome']}',
* * * * * * * * * * * * * * * * * ** * * * * * * * * relatorio_ano = '{$_POST['relatorio_ano']}',
* * * * * * * * * * * * * * * * * ** * * * * * * * * relatorio_pdf = '$fileup',
* * * * * * * * * * * * * * * * * ** * * * * * * * * relatorio_activo = '{$_POST['relatorio_activo']}'
* * * * * * * * * * * * * * * * * ** * * * * * * *WHERE relatorio_id = {$_GET['relatorio_id']}";
* * * * * * * * * * * * * * * * * *}
But it didnt worked..
And i didnt quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?

That's because you use UPDATE instead of INSERT.

INSERT adds a new row to the database (or, as a MySQL extension, updates
a current row). *UPDATE only changes a row which already exists; it does
not add a new row.

Additionally,

$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"

is part of the SQL statement. *Do you have a column named
'relatorio_pdf' in your table? *Also, is the field name in your form
'relatorio_pdf'? *If the answer to both is yes, then this code is
correct. *Otherwise, this is a problem.

And finally, when you get your code to what Paul showed you, "it's not
working" isn't much help. *What errors do you get?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
Thanks Jerry, yes everything was working in SQL. It was an error with
PHP.ini about filesize ...

Other question, an attacker can insert sql injection through an INSERT
or UPDATE statement?

Because im reading a book about security in SQL and he uses the secury
method only to SELECT statements like in this example:

$query = sprintf('SELECT field FROM table WHERE FIELD_ID = %d',
$_POST['field_id']);

Jun 27 '08 #10
Pépê wrote:
On 24 Jun, 12:46, Jerry Stuckle <jstuck...@attglobal.netwrote:
>Pépê wrote:
>>On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.comwrote:
On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.comwrote:
Hi all.
Im a newbie in PHP and im trying touploada file to the server.
I use a form touploada pdf file and some text information about it.
The client uploads the file and the system renames that file and puts
all the information in the database.
The problem is when the client goes again to edit the information, i
always have to choose a file touploador else it will put blank the
pdf column and he cant find the old one!
i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..
Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.
if($_POST['file'])
$fileup = ",file = '{$_POST['file']}'";
else
$fileup = '';
$qry = "
INSERT INTO fred SET
id = {$id},
info1 = '{$info1}',
info2 = '{$info2}
{$fileup}
ON DUPLICATE KEY UPDATE
info1 = '{$info1}',
info2 = '{$info2}'
{$fileup}
";
Hi Captain,
I tried what you ve done but with the update statment:
if($_POST['relatorio_pdf']){
$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
}else{
$fileup = '';
if (empty($error) ) {
$sql = "UPDATE relatorio SET
relatorio_nome = '{$_POST['relatorio_nome']}',
relatorio_ano = '{$_POST['relatorio_ano']}',
relatorio_pdf = '$fileup',
relatorio_activo = '{$_POST['relatorio_activo']}'
WHERE relatorio_id = {$_GET['relatorio_id']}";
}
But it didnt worked..
And i didnt quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?
That's because you use UPDATE instead of INSERT.

INSERT adds a new row to the database (or, as a MySQL extension, updates
a current row). UPDATE only changes a row which already exists; it does
not add a new row.

Additionally,

$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"

is part of the SQL statement. Do you have a column named
'relatorio_pdf' in your table? Also, is the field name in your form
'relatorio_pdf'? If the answer to both is yes, then this code is
correct. Otherwise, this is a problem.

And finally, when you get your code to what Paul showed you, "it's not
working" isn't much help. What errors do you get?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

Thanks Jerry, yes everything was working in SQL. It was an error with
PHP.ini about filesize ...

Other question, an attacker can insert sql injection through an INSERT
or UPDATE statement?

Because im reading a book about security in SQL and he uses the secury
method only to SELECT statements like in this example:

$query = sprintf('SELECT field FROM table WHERE FIELD_ID = %d',
$_POST['field_id']);

Yes, UPDATE and INSERT statements are even more dangerous - SELECT
allows him to possibly see things he couldn't. INSERT/UPDATE allows him
to CHANGE things to what he shouldn't.

For instance - I had a customer about 2-3 years ago who was running
PHPBB2 on his site. He didn't keep up with the security fixes, and one
day a hacker went in and defaced the entire BBS. Fortunately, no data
was lost and after a couple of hours determining just what had been
changed, I was able to get into the database and fix it, with no loss of
data. Then I upgraded his PHPBB2 to the latest version. He now keeps
it updated.

But because of a security breach in an UPDATE statement, someone was
able to hack it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 27 '08 #11

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

3 posts views Thread by dave | last post: by
1 post views Thread by joshbeall | last post: by
1 post views Thread by Marko Vuksanovic | last post: by
7 posts views Thread by pbd22 | last post: by
6 posts views Thread by =?ISO-8859-1?Q?J=F8rn?= Dahl-Stamnes | last post: by
2 posts views Thread by will.smothers | last post: by
12 posts views Thread by GuangXiN | last post: by
1 post views Thread by CARIGAR | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.