problem with submitting pictures and text from the same php script

sander_ESP

hello,

i am working on a hall of fame, wich contains information about people, like a blog and pictures..

the users can upload pictures and write comments about them selves.. there is also a list of questions they can answer.

now the problem is that when i press submit for a picture.. a record for the blog gets also entered.. so i gues i am looking for a way to distinct these two upload funtions..

this is the code, dont comment on how messy it is please :-) i am not a php programmer..

<?
ob_start();
include "include/session.php";
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 'ON');
?>
<!doctype html public "-//w3c//dtd html 3.2//en">
<html>
<head>
<title>HALL OF FAME</title>
<link rel="stylesheet" href="style.css">
<style type="text/css">
<!--
body {
background-color: #4A6B84;
}
-->
</style>
<link rel="stylesheet" href="styles.css" type="text/css">

<meta name="GENERATOR" content="Arachnophilia 4.0">
<meta name="FORMATTER" content="Arachnophilia 4.0">
</head>


</body>
</html>
<?
$host = "localhost";
$user = "*******";
$pass = "*********";
$db = "********_hallfame";


$conn = mysql_connect($host, $user, $pass)
OR DIE (mysql_error());
@mysql_select_db ($db, $conn) OR DIE (mysql_error());


// Do this process if user has browse the
// file and click the submit button
$table= "image";
$sqll = "select plus_signup.person_ID from plus_signup where plus_signup.userid = '".$session['userid'] . "'";
//echo " sqll = $sqll<br>";
$user = mysql_query($sqll);
//echo "username = $user<br>";
list ($UserName) = mysql_fetch_array ($user);
$query = "select * from people where people.firstname = '".$session['userid'] . "'";
$result = mysql_query($query);

while ($row = mysql_fetch_array($result))
{
	echo "<TR>";
	echo "<b> first name :</b>";
	echo $row["firstname"];
	echo "<br>\n";
	echo "<b> last name :</b>";
	echo $row["lastname"];
	echo "<br>\n";
	echo "<b> A.K.A :</b>";
	echo $row["AKA"];
	echo "<br>\n";
	echo "<b> status :</b>";
	echo $row["status"];
	echo "<br>\n";
	echo "<b> nationality :</b>";
	echo $row["nationality"];
	echo "<br>\n";
	echo "</TR>";
}
mysql_free_result($result);


if ($_FILES)
{
$image_types = Array (
"image/bmp",
"image/jpeg",
"image/pjpeg",
"image/gif",
"image/x-png",
"application/octet-stream");

if (is_uploaded_file ($_FILES['userfile']['tmp_name']))
{
$userfile = addslashes (fread
(fopen ($_FILES["userfile"]["tmp_name"], "r"),
filesize ($_FILES["userfile"]["tmp_name"])));
$file_name = $_FILES["userfile"]["name"];
$file_size = $_FILES["userfile"]["size"];
$file_type = $_FILES["userfile"]["type"];


if (in_array (strtolower ($file_type), $image_types))
{
$sql = "INSERT INTO ".$table." "
. "(image_type, image, image_size, image_name, image_date, person_ID) ";
$sql.= "VALUES (";
$sql.= "'{$file_type}', '{$userfile}', '{$file_size}', '{$file_name}', NOW(), $UserName)";
@mysql_query ($sql, $conn);
Header("Location:".$_SERVER["PHP_SELF"]);
exit();
}
}
}

// Do this process of user has click
// a file name to view or remove
if ($_GET)
{
$iid = $_GET['iid'];
$act = $_GET['act'];

switch ($act)
{
case 'view':

$sql = "select * from ".$table." where image_id=" .$iid;
$result = mysql_query($sql,$conn);
if (mysql_num_rows ($result)>0)
{
$row = @mysql_fetch_array($result);
$image_type = $row["image_type"];
$image = $row["image"];
Header("Content-type: $image_type");
print $image;
}
break;

case 'rem':
$sql = "DELETE FROM ".$table." WHERE image_id=" .$iid;
@mysql_query ($sql, $conn);
Header("Location:".$_SERVER["PHP_SELF"]);
exit();
break;

default:
print "<img src=\"image.php?iid=$iid\">";
break;
}
}

#
#FUNCTIONS
#
function get_filesize ($dsize)
{
if (strlen($dsize) <= 9 && strlen($dsize) >= 7)
{
$dsize = number_format($dsize / 1048576,1);
return "$dsize MB";
}
elseif (strlen($dsize) >= 10)
{
$dsize = number_format($dsize / 1073741824,1);
return "$dsize GB";
}
else
{
$dsize = number_format($dsize / 1024,1);
return "$dsize KB";
}
}
?>
<html>
<body>
<form method="post" enctype="multipart/form-data">
voeg een foto toe:
<input type="file" name="userfile" size="40">
<input type="submit" value="submit">
</form>
<?php
// storing the images in the database
//echo "$session[userid]<br>";
$tabletwo = "plus_signup";
$sqll = "select plus_signup.person_ID from plus_signup where plus_signup.userid = '".$session['userid'] . "'";
//echo " sqll = $sqll<br>";
$user = mysql_query($sqll);
//echo "username = $user<br>";
list ($UserName) = mysql_fetch_array ($user);
//echo" $UserName<br>";
$sql = "SELECT * FROM ".$table." where person_ID = ".$UserName." ORDER BY image_id";
$result = mysql_query ($sql, $conn);
//echo " sql = $sql<br>";

$i=0;
$str='';
if (mysql_num_rows($result)>0)
{
while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
$i++;
$str .= $i.". ";
$str .= "<a href=\"welcome.php?act=view&iid=".$row["image_id"]."\">";
$str .= "<img border=\"0\" height=\"90\" width=\"100\" src=\"image.php?act=view&iid=".$row["image_id"]."\"></a> ";
$str .= "[Name: ".$row["image_name"]."] ";
$str .= "[Date: ".$row["image_date"]."] ";
$str .= "[Size: ". get_filesize($row["image_size"])."] ";
$str .= "[<a href=\"welcome.php?act=rem&iid=".$row["image_id"]."\">Remove</a>]<br>";
}
print $str;
}


?>
<table border="1" cellspacing="2" cellpadding="2">
<tr>
<th><font face="Arial, Helvetica, sans-serif">ID</font></th>
<th><font face="Arial, Helvetica, sans-serif">Question</font></th>
<th><font face="Arial, Helvetica, sans-serif">answer</font></th>

</tr>

<?

//$questionquery="SELECT * FROM hundred_questions, hundred_questions_answers where hundred_questions.question_ID = hundred_questions_answers.question_ID and hundred_questions_answers.person_ID = ".$UserName;
$questionquery="select * from hundred_questions";
$result=mysql_query($questionquery);
$num=mysql_num_rows($result);
//$answerquery="select * from hundred questions_answers where hundred questions_answers.person_ID = ".$UserName;
$q = "SELECT * FROM hundred_questions_answers WHERE hundred_questions_answers.person_ID = ".$UserName;
$answerresult=mysql_query($q);
//$resultcount=mysql_query($q);
$mysql_num_rowss=mysql_num_rows($answerresult);
echo $num;
echo $mysql_num_rowss;
$j = 0;
if ($mysql_num_rowss < $num) {
while ($j < $num) {
$questionaddquery = "INSERT INTO hundred_questions_answers"
. "(person_ID, answer) ";
$questionaddquery.= "VALUES (";
$questionaddquery.= "'{$UserName}', 'unanswered')";
$resultanswer = mysql_query($questionaddquery);
$j++;
}
}
echo "<b><center>100 question</center></b><br><br>";
$i=0;

while ($i < $num) {
$answer=mysql_result($answerresult,$i,"answer");
$question=mysql_result($result,$i,"question");
$ID=mysql_result($result,$i,"question_ID");
//$answer=mysql_result($result,$i,"answer");
//$edit="<input type="Submit" name="submit" value="Enter information">; 


?>

<tr>
<td><font face="Arial, Helvetica, sans-serif"><? echo $ID; ?></font></td>
<td><font face="Arial, Helvetica, sans-serif"><? echo $question; ?></font></td>
<form action="welcome.php" method="post">
<td><font face="Arial, Helvetica, sans-serif"> <form action="edit.php" method="post"><input type="text" name="answer" value="<? echo $answer; ?>"></font></td>

<td><input type="Submit" value="Update"></td>
</tr>
</form>

</tr>

<?
$i++;
}


echo "</table><br>";

echo "<b><center>blog</center></b><br><br>";
ob_end_flush();
?>


<?
//if ($submit=="Post it!!")
//{




# this is processed when the form is submitted 
# back on to this page (POST METHOD) 
if ($_SERVER['REQUEST_METHOD'] == "POST")  
{ 


$blogquery = "INSERT INTO self_comment"
. "(person_ID, self_comment_text, date) ";
$blogquery.= "VALUES (";
$blogquery.= "'{$UserName}', '{$blog_entry}', NOW())";
        #execute SQL statement 
        $result = mysql_query($blogquery); 

    # check for error 
    if (mysql_error()) { print "Database ERROR: " . mysql_error(); } 

print "<h3><font color=red>your crap has been saved!></font></h3>"; 
} 

?> 

<form name="fa" action="welcome.php" method="POST">      
<table>                                                                                                         
<tr><td valign=top><b>enter your crap here </b> </td><td> <textarea name="blog_entry" rows=4 cols=30></textarea></td></tr> 
<tr><th colspan=2><p><input type="submit" value="post it!!"></p></th></tr>  
</table> 
</form>   






<table border="1" cellspacing="2" cellpadding="2">
<tr>
<th><font face="Arial, Helvetica, sans-serif">DATE</font></th>
<th><font face="Arial, Helvetica, sans-serif">POST</font></th>


</tr>

<?

$blogshowquery="SELECT * FROM self_comment where self_comment.person_ID =  ".$UserName;
$result=mysql_query($blogshowquery);
$num=mysql_num_rows($result);


echo "<b><center>your posts so far :</center></b><br><br>";
$i=0;

while ($i < $num) {
//$answer=mysql_result($answerresult,$i,"answer");
$date=mysql_result($result,$i,"date");
$self_comment_text=mysql_result($result,$i,"self_comment_text");
//$answer=mysql_result($result,$i,"answer");

?>

<tr>
<td><font face="Arial, Helvetica, sans-serif"><? echo $date; ?></font></td>
<td><font face="Arial, Helvetica, sans-serif"><? echo $self_comment_text; ?></font></td>

</tr>

<?
$i++;
}


echo "</table><br>";

?>

</body>
</html>
</body>
</html>

messy like i said.. but where my knowledge ends yours starts i hope..

i think the problem sits here

 if ($_SERVER['REQUEST_METHOD'] == "POST")  

    {

wich basically sais that it should react to any submit action..

how do i distinct between the different upload/update/post blog buttons?

liquorvicar

As an educated guess I'd say it's because in your form submission for uploading images you're setting the REQUEST_METHOD to POST:

<html>
<body>
<form method="post" enctype="multipart/form-data">
voeg een foto toe:
<input type="file" name="userfile" size="40">
<input type="submit" value="submit">
</form>

I'd strongly suggest going away and reading some tutorials and books (lots of them!) about writing PHP code before you go any further. As you pointed out this code is a serious mess. You may say you're not a PHP programmer, but you are as you're writing this script. There are some potentially massive security risks in this script and it will also cause you very large headaches in the future when you need to expand or change it.

sander_ESP

thanks for replying.

i am working on extending my knowledge of php.

nevertheless i need this script to work..
i am aware of some of the security risks in here and i will work on them in the future. the login procedure is far from safe and i am aware of this.. as i am aware of the fact that people can inject code in the script in its current version.

right now i need a way of dealing with this problem of posting the pictures and blogs from the same script.. is there not a way i can can create uniqe id´s for the submits?

liquorvicar

You can have multiple submit buttons on one page, that's an HTML question.

To get round your problem, why not just direct each form to a separate processing script?