File upload from member's area

toni_p

Hi all and thank you in advance. I am developing a website where the client wants her customers to be able to upload files without using an FTP client. I have the login and upload system working EXCEPT for one detail, which I can't seem to find anywhere:

How do you upload files to "your" folder? Is it possible to direct these uploads using $username or something of that sort? Then the site administrator can find files by folder--plus they don't want file uploads mixing between customers.

Does that make sense?

Thanks again,

toni

djjjozsi

uploaded file should uploaded into an upper folder then your wwwroot, to make these files blocked from the internet.

the users should have primary key for identify. Then you need to store the uploaded file names in a table and save the uploader's ID in this files table.

on upload, these files renamed to its (files_id) primary key.

on download, readfile() php function can send the slected file to the browser in that case the user has logged in.

toni_p

thanks djjjozsi for quick answer. i already have a table 'users' for login authentication with id as primary key auto-increment. are you saying i can use that db table, or create another table for uploads? or do i need a second db?

thank you for the help
toni

djjjozsi

for example:
i'm the user:
jjozsi with primary key 33

then i upload a file to your system, i have a $_SESSION["userid"] number from the login. You can store the uploaded file name in a files table,
files table:
fileID , userid , filename , type, size, date_of_upload, active_4_download ....

After you insert the new file name into the database, you get its new primary number, rename the uploaded file to that number. Then you could solve the special charater and duplication problems.

When you need a file list of a user, you just need to select the names and IDs from the database.
On download, you can use readfile() php function as i mentioned before.
might this help.

lisa99

Hi.

I got some help in these forums while developing this...

It's probably not very secure, so I wouldn't make it "public" per se, but it may give you a basis to work from...

All of my users have a "stickernumber" that is a unique 10 character alpha-numeric code. You could use anything that would work as a directory name, I guess.

Lines 72-81 are where it makes the decision that if a user's stickernumber is already a directory under user_uploads, go ahead and upload the file there, otherwise create a directory named with that user's stickernumber and then upload the file there.

When you need to provide this file back to your user -- or to an admin that is looking at that user's data, simply look to see if a directory exists named with their unique id, and if so, loop through that directory as needed.

This was just a testing version that I did, so you can still see the comments, error reporting is turned on, and file permissions are set to 0777 when a file is uploaded or a folder is created. You at the very least change the file permissions.

Hope this helps...

<?php
session_start();

ini_set("display_errors","1");
ERROR_REPORTING(E_ALL);

//connect to the database
mysql_connect('', '', '') or die (mysql_error());
mysql_select_db('') or die (mysql_error());

$camefrom=$_SERVER['HTTP_REFERER'];
$workingon=$_SESSION['workingon'];
$stickernumber=$_SESSION['workingon'];


if ($userfilename=="")
{
$_SESSION['uploadermsg']="Please name your file.";
header("location:$camefrom");
exit;
}
else{
	//remove spaces...
	$userfilename = str_replace(" ", "_", "$userfilename");
	// Clean bad characters...
	$badchars = array('!', '@', '#', '$', '%', '^', '&', '*', '+', '=', '-');
	$userfilename = str_replace($badchars, "", "$userfilename");
	}

$category=trim(mysql_real_escape_string($_POST['category'])); //echo"category:$category<br>";/*

$filename = $_FILES["filetoupload"]["name"];
	if ($filename!="")
{
	$filename = str_replace('.', '.', $filename, $numofdots);
	if ($numofdots>=2)
					{
					$_SESSION['err']="Upload failed because it had more than one file type ending!";
					header('location:$camefrom');
					exit;
					}
	$filename = explode('.', $filename);
		//now find file type depending on $filename[1]
		$fileend=strtolower($filename[1]); //put it in lower case...
			if ($fileend=="jpg"){$filetype=".jpg";}
			if ($fileend=="jpeg"){$filetype=".jpeg";}
			if ($fileend=="png"){$filetype=".png";}
			if ($fileend=="gif"){$filetype=".gif";}
			if ($fileend=="bmp"){$filetype=".bmp";}
			if ($fileend=="txt"){$filetype=".txt";}
			if ($fileend=="doc"){$filetype=".doc";}
			if ($fileend=="docx"){$filetype=".docx";}
			if ($fileend=="xls"){$filetype=".xls";}
			if ($fileend=="xlsx"){$filetype=".xlsx";}
			if ($fileend=="pdf"){$filetype=".pdf";}

			if ($fileend!="jpg" && $fileend!="jpeg" && $fileend!="png" && $fileend!="gif" && $fileend!="bmp" && $fileend!="txt" && $fileend!="doc" && $fileend!="docx" && $fileend!="xls" && $fileend!="xlsx" && $fileend!="pdf")
			{
			$_SESSION['err']="Upload failed: Unsupported File Type!";
			$_SESSION['errrpt']="You tried to upload a \".$fileend\" file.";
			$_SESSION['errsol']="The following files are supported <br>
			                     IMAGES: .jpg | .jpeg | .png | .bmp | .gif <br>
								 FILES:  .txt | .doc | .docx | .xls | .xlsx | .pdf <br>";
			header("location:$camefrom");
			exit;
			}
$filenamearray = array($filename[0], $filename[1]);
$filename = implode('.', $filenamearray);

$filesize=$_FILES['filetoupload']['size'];

if (is_dir("../user_uploads/$usersfile"))
{
//$_SESSION['uploadermsg']="Found your storage space...";
$dir = "../user_uploads/$usersfile";
}else{
	  mkdir("../user_uploads/$stickernumber", 0777);
	  chmod("../user_uploads/$stickernumber", 0777);	
	  $dir = "../user_uploads/$usersfile";
	  //$_SESSION['uploadermsg']="Created a directory for you...";
	 }
		$size_in_bytes = disk_total_space($dir);
		$total_bytes_to_use=2097152;
		$filesizeavail="$total_bytes_to_use" - "$filesize";

	$target = "../user_uploads/$usersfile/$userfilename"."$filetype";

if ($filesize>$filesizeavail)
{
$_SESSION['err']="Upload failed: You don't have enough space!";
$_SESSION['errrpt']="Your file size was $filesize bytes";
$_SESSION['errsol']="You have $filesizeavail bytes available.";
header ("location:$camefrom");
exit;
} 
if ($filesize==0)
{
$_SESSION['err']="Image upload failed: Error during security checks.";
$_SESSION['errrpt']="For client security, the specific error can not be shown.";
$_SESSION['errsol']="Try reducing your file size to less than than your available file size.";
header ("location:$camefrom");
exit;
} 
//If everything is ok we try to save it to the server
$tmp_name=$_FILES['filetoupload']['tmp_name'];
if(move_uploaded_file($tmp_name, $target))
{
//upload was ok//write to mysql
$tstamp=date('Y-m-d @ H:i:s')." CST";
$query="INSERT INTO `myviewableuploads` (`owner`, `file`, `category`, `tstamp`) VALUES('$stickernumber', '$userfilename$filetype', '$category', '$tstamp')";
$result=mysql_query($query)or die(mysql_error());
$_SESSION['uploadermsg']="Upload Successful.";
header("location:$camefrom");
exit;	
}
else
{
$_SESSION['err']="Image upload failed: Error moving or renaming file.";
$_SESSION['errrpt']="An unspecified error occured while moving or renaming your image.";
$_SESSION['errsol']="Please try again before emailing this error and your file to ***EDITED***.";
header("location:$camefrom");
exit;
}
header("location:$camefrom");//this ends if($filename)
exit;
}
header("location:$camefrom");//this ends the rest of the page...
exit;

//echo for debugging
/*
echo $_SESSION['uploadermsg'];
echo $_SESSION['err'];
echo $_SESSION['errrpt'];
echo $_SESSION['errsol'];
*/
?>