uploaded image not updating

Smudly

I've got a page where the user can upload an avatar/photo. Once it uploads, it isn't updated for the user. It either shows the old image that was already there, or shows a broken image. What is wrong with my code. How can I get it to update the most recent image uploaded upon hitting submit?

Thanks.

<?php
session_start();

if (isset($_SESSION['username'])){

$username = $_SESSION['username'];
$upload = $_POST['upload'];


include('inc/connect.php');
$uploadsql = mysql_query("SELECT * FROM `users` WHERE `username`='$username'"); 
$uploadrow = mysql_fetch_assoc($uploadsql); 

$id = $uploadrow['id']; 
$avatar = $uploadrow['avatar'];
$folder = "avatars/";


$avatarshow = '<img src="avatars/' . $avatar . '" width="65" height="65" />';
if ($upload)
{

// Name of file
$name = $_FILES["image"]["name"];
	// Type of file (video/avi) or image/jpg, etc
$type = $_FILES["image"]["type"];
	//size of file
$size = $_FILES["image"]["size"];
	//stores file in a temporary location
$temp = $_FILES["image"]["tmp_name"];
	// if there is an error
$error = $_FILES["image"]["error"];


// function genRandomString() {
    // $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
    // $length = 10;
    // $string = '';    

// for ($p = 0; $p < $length; $p++) {
    // $string .= $characters[mt_rand(0, strlen($characters))];
// }

// return $string;
// }

if ($error > 0)
{
	$uploaderror = "An error occured. Please try again.";
}
else
{

if ($type=="image/jpg" || $type=="image/png" || $type=="image/gif" || $type=="image/bmp" || $type=="image/jpeg")
{
	if ($size <= 1048576)
	{
		//if(file_exists("avatars/".$name)){
			if ($type=="image/jpeg"){
				$extension = ".jpg";
			}
			if ($type=="image/jpg"){
				$extension = ".jpg";
			}
			if ($type=="image/png"){
				$extension = ".png";
			}
			if ($type=="image/bmp"){
				$extension = ".bmp";
			}
			if ($type=="image/gif"){
				$extension = ".gif";
			}
		//$name1 = genRandomString($string);


	$ext = $extension;
	$name = $id.$ext;
	//}

		// unlink deletes the file so a new file can be uploaded in its place
		unlink('avatars/' . $avatar);

		$uploadquery = mysql_query("UPDATE users SET avatar='$name' WHERE username='$username'");

		move_uploaded_file($temp, "avatars/".$name);

		$success = "Upload Complete!";

}
else{
	$uploaderror = "Your image must be less than 1 megabytes.";
}
}
else
{
die("That format is not allowed!");

}
}
}
}
else{

header("Location: index.php");

}
?>
<html>
<h1>Upload a File</h1>
<form action="upload.php" method="POST" enctype="multipart/form-data">
	<input type="file" name="image"><br />
	<input type="submit" name="upload" value="Upload"><br />
	<?php $avatarshow = '<img src="avatars/' . $avatar . '" width="65" height="65" />'; ?>
	<?php echo $success, $uploaderror."<br />".$avatarshow; ?>

</form>
</html>

dagon

you could add a lot of error checking for example the return value of move_uploaded_file()

igorek

// I likes comments =))
// comments deserve ++
// 1.)
echo  '<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />';
// above your <input type="file" /> ....

here gl.

<?php
// In an application, this could be moved to a config file
$upload_errors = array(
	// http://www.php.net/manual/en/features.file-upload.errors.php
	UPLOAD_ERR_OK 				=> "No errors.",
	UPLOAD_ERR_INI_SIZE  	=> "Larger than upload_max_filesize.",
  UPLOAD_ERR_FORM_SIZE 	=> "Larger than form MAX_FILE_SIZE.",
  UPLOAD_ERR_PARTIAL 		=> "Partial upload.",
  UPLOAD_ERR_NO_FILE 		=> "No file.",
  UPLOAD_ERR_NO_TMP_DIR => "No temporary directory.",
  UPLOAD_ERR_CANT_WRITE => "Can't write to disk.",
  UPLOAD_ERR_EXTENSION 	=> "File upload stopped by extension."
);

session_start();

if (isset($_SESSION['username'])) {

$username = $_SESSION['username']; // some ahole
// $upload   = $_POST['submit']; // <input type="file" name="upload" />


require_once('inc/connect.php'); // get the -h -u -p -d
$result = mysql_query("SELECT * FROM `users` WHERE `username`='{$username}'");
$row    = mysql_fetch_assoc($result);

$id     = $row['id'];
$avatar = $row['avatar'];
$dir    = "./avatars/";

$avatarshow = '<img src="'.$dir.$avatar.'" width="65" height="65" border="0" />';

if (isset($_POST['submit'])) { // checking to see if the form has been submitted....

	// Type of file (video/avi) or image/jpg, etc
	$type = $_FILES["image"]["type"];
	//size of file
	$size = $_FILES["image"]["size"];
	//stores file in a temporary location
	$temp = $_FILES["image"]["tmp_name"];
	// if there is an error
	$error = $_FILES["image"]["error"]; // returns an ******* 1-8 (5 deprecated.)

	if ($error > 0) {  

		$message = $upload_error[$error];

	} else {
			$types = array("image/jpg","image/png","image/gif","image/bmp","image/jpeg");
			// bool in_array  (  mixed $needle  ,  array $haystack  [,  bool $strict  ] )
		if (in_array($type,$types)) {
			 if ($size <= 1048576) { // wtf is that a MB?
    		 	if (is_file($dir.$avatar)){
					if ($type=="image/jpeg"){ $ext = ".jpg"; }
					if ($type=="image/jpg") { $ext = ".jpg"; }
					if ($type=="image/png") { $ext = ".png"; }
					if ($type=="image/bmp") { $ext = ".bmp"; }
					if ($type=="image/gif") { $ext = ".gif"; }               

					$name = $id.$ext;
    			}

			    // if the file exists it overwrites it anyway

			    $result = mysql_query("UPDATE users SET avatar='{$name}' WHERE username='{$username}'");

			    $uploaded = move_uploaded_file($temp, $dir.$name);
			    $uploadedfiles[] = $name;
			    if($uploaded) {
					$message .= "File(s): ";
					foreach ($uploadedfiles as $value) {
						$message .= "{$value}, ";
					}
					$message .= " uploaded successfully!<br /><br />";
				} else {
				$i = 0;
					foreach($_FILES as $key => $file_array) {
						$errors[] = $_FILES[$key]['error'];
						if ($errors[$i] > 0) {
							$message .= $upload_errors[$errors[$i]].'<br /><br />';
						}
						$i++;
					}		
				}

			} // close if size
			else { $message = "Your image must be less than 1 megabyte."; }
		} // close ext check if
		else { die( $message = "That format is not allowed!"); }
	} // close if no errors
} // close if form is not submitted
} else { header("Location: index.php"); }
?>
<html>
	<head>
		<title>Upload a File :: Word!</title>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	</head>
	<body>
	<?php if (isset($message)) { echo $message; } ?>
		<form action="?" method="POST" enctype="multipart/form-data">
			<fieldset>
				<legend>Upload a File</legend>
				<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
				<input type="file" name="image" />
				<br />
				<input type="submit" name="submit" value="Upload" />
				<br />
				<?php echo $avatarshow; ?>
			</fieldset>
		</form>
	</body>
</html>
<?php // remember to Ctrl+S ?>

bradgrafelman

Also note that the value of $_FILES["image"]["type"]; is user-supplied, meaning I could easily upload a .exe virus and tell you it's an image/jpeg.

Smudly

bradgrafelman;10957372 wrote:
Also note that the value of $_FILES["image"]["type"]; is user-supplied, meaning I could easily upload a .exe virus and tell you it's an image/jpeg.

How would I prevent this from happening?

igorek

<?php
// see:
// http://us3.php.net/manual/en/ref.fileinfo.php

$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
    echo finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
?>

DeadlySin3

Smudly;10957402 wrote:
How would I prevent this from happening?

<?php
# vars.php
/*
 *  Maximum Size an image may be
 *
 *  $maxImageSize
 *
 *  51200 = 50 KB
 *  512000 = 500 KB
 *
 */

$maxImageSize = "2048000"; 



/*
 *  Path Information
 *
 *  1.) $file_dir
 *
 *  2.)$file_url
 *
 *  1.) full path ex /home/user/public_html/images
 *
 *  2.) full url ex http://www.site.com/images
 *
 *  NO TRAILING SLASH!!
 * Directory to move images to should be chmod 777
 *
 */

$file_dir = "/home/paul/public_html/FREE/upload/images";
$file_url = "http://localhost/~paul/FREE/upload/images";

/*
 *  Defining accepted Image Types
 *
 *  Add more like shown below: 
 *
 *  $acceptedImageType[] = "type";
 *
 */


$acceptedImageType = array ( "pjpeg", "pjpg", "jpg", "jpeg", "gif", "png", "x-png", "PNG", "x-xbitmap" );
$acceptedImageType[] = "x-bmp";

/*
 *  Defining a Page's Own URL
 *
 *  $self=$_SERVER['PHP_SELF'];
 *
 */

$self=$_SERVER['PHP_SELF'];
?>

<?php
# upLoadForm.php

include("vars.php");
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

foreach( $_FILES as $file_name => $file_array ) 
{
echo "name: ".$file_array['name']."<br />\n";
echo "type: ".$file_array['type']."<br />\n";
echo "tmp_name: ".$file_array['tmp_name']."<br />\n";
echo "error: ".$file_array['error']."<br />\n";
echo "size: ".$file_array['size']."<br />\n";
// print_r($_FILES);

$tmp_name = $file_array['tmp_name'];

if( strstr( $tmp_name, "/tmp/" ) ) {
    $tmp_name = str_replace("/tmp/", "", $tmp_name); # strip location from name
}

foreach ( $acceptedImageType as $acceptThis ) {
if(is_uploaded_file( $file_array['tmp_name'] ) && $file_array['type'] == "image/$acceptThis" ) {

$size=$file_array['size'];
if($size > $maxImageSize)
{
exit("The image is too large in size.");
}

move_uploaded_file( $file_array['tmp_name'], "$file_dir/".$tmp_name)
or die("Couldn't Copy");
echo "<img src=\"$file_url/".$tmp_name."\">";
echo "<br />\n\n";

} // End Foreach loop 2

} // End IF statement

} // End Foreach loop 1

?>

<form action="<?php echo "$self"; ?>" enctype="multipart/form-data" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo "$maxImageSize"; ?>">
<input type="file" name="fupload">
<br /><br />
<input type="submit" value="Upload">
<br />
</form>

SImple upload that I wrote a long while back, but it works! You can test to see if the type is what you would like. If it's anything else, it won't get moved after upload.

igorek

brad said that $files['file_input']['type'] is user supplied.

so from that I guess I would mime_content_type($files['file_input']['name']); // but its deprecated so the other method would be to use the finfo functions