[RESOLVED] Upload an avatar to match the user

Mahngiel

Greetings,

I've managed to write the bit of code that allows a user to upload a file to a dir and have it renamed to said user. I've become stuck at calling the image back into the page. Like many of my coding problems, when I spend too much time bashing codes and trying different scenarios, everything get mixed and I need a break. So during my break, please take a peek at my codes and offer any insight on how to make it saner and safer.

Basic Form for uploading the image:

[COLOR="Blue"]<?php[/COLOR]
include('[COLOR="DeepSkyBlue"]header.php[/COLOR]');echo
'<html>
<body>
Change '.[COLOR="Red"]$name[/COLOR].'s avatar. <br />
[COLOR="DarkOrange"]<form action="[/COLOR][COLOR="DeepSkyBlue"]upload_file.php[/COLOR]"[COLOR="DarkOrange"] method="post" enctype="multipart/form-data">[/COLOR]<br />
	[COLOR="DarkOrange"]<label for="file">[/COLOR]Test Upload:[COLOR="DarkOrange"]</label>[/COLOR]<br />
	[COLOR="DarkOrange"]<input type="file" name="[/COLOR]';echo [COLOR="Red"]$name[/COLOR];echo'[COLOR="DarkOrange"] "/>[/COLOR]<br />
	[COLOR="DarkOrange"]<input type="submit" name="submit" value="Upload File" />
</form>'[/COLOR];
[COLOR="Blue"]?>[/COLOR]

The only thing 'special' i did here was to assign the name of the file being uploaded to that of the name carried over by $_COOKIE. My intent was to ensure any uploader was supposed to be there , and hopefully eliminate XSS.

Variables used to process (contained in header.php):

[COLOR="Red"]$name[/COLOR] =$_COOKIE['user'];
[COLOR="Red"]$avatar_dir[/COLOR] = 'avatars/';
[COLOR="Red"]$tmp_name[/COLOR] = $_FILES[$name]["tmp_name"];
[COLOR="Red"]$avatarftype[/COLOR] = $_FILES[$name]["type"];
[COLOR="Red"]$fext[/COLOR] = explode("image", $avatarftype);
[COLOR="Red"]$fext[/COLOR] = str_replace("/", ".", $fext);
[COLOR="Red"]$myavatar[/COLOR] = [COLOR="Blue"]???[/COLOR]

I set these vars up in the header for ease of access and global use. I'll comment on their usage after this next code-block.

Processing Script (upload-file.php):

[COLOR="Blue"]<?php[/COLOR]
include([COLOR="DeepSkyBlue"]'header.php[/COLOR]');

[COLOR="Silver"]// Determine file types and size[/COLOR]
if ((([COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["type"][/COLOR] == "image/gif")
|| ([COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["type"][/COLOR] == "image/jpeg")
|| ([COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["type"][/COLOR] == "image/pjpeg")
|| ([COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["type"][/COLOR] == "image/png"))
&& ([COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["size"][/COLOR] < 60000)){

[COLOR="Silver"]//Notify if error[/COLOR]
if ([COLOR="Red"]$_FILES[$name][/COLOR]["error"] > 0){
    	echo "Return Code: " . [COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["error"][/COLOR] . "<br />";
}else{

[COLOR="Silver"]// Echo the file information for debugging[/COLOR]
    	echo "Upload: " . [COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["name"][/COLOR] . "<br />";
    	echo "Type: " . [COLOR="Red"]$_FILES[$name][/COLOR][COLOR="Green"]["type"][/COLOR] . "<br />";
	echo 'Test: '.[COLOR="Red"]$fext[/COLOR][1].'<br />';
	echo [COLOR="Red"]$temp_name[/COLOR].[COLOR="Red"]$avatar_dir[/COLOR].[COLOR="Red"]$name[/COLOR].[COLOR="Red"]$fext[/COLOR][1];

[COLOR="Silver"]// Upload it[/COLOR]
    move_uploaded_file([COLOR="Red"]$tmp_name[/COLOR], [COLOR="Red"]$avatar_dir[/COLOR].[COLOR="Red"]$name[/COLOR].[COLOR="Red"]$fext[/COLOR][1]);
	}    

[COLOR="Silver"]// Or kick out[/COLOR]
}else{
  echo 'Invalid file,';
   }

[COLOR="Blue"]?> [/COLOR]

Instead of having the image uploaded into the server as it was named, I wanted to rename it according to the user. This (IMO) is an easy way to call back to it, and eliminate disk waste by people uploading all kinds of crap. You get one username, so you get one uploaded avatar. To do this, I had to create several vars.

$_FILES['type'] produces image/typeofimg, so in order to upload the file with the actual extension, I had to explode and replace the string. Then move_upload_file was easy, because I could just plug in the variables I just defined. This creates a file in the proper directory named after the user who uploaded it.

The problem:
Where I've hit a wall is in calling the image. The page is set up where all i need to do is echo $myavatar, but I have yet to be able to define it. My thought process at this point is to use opendir(). From there I could do a preg_match on the files to match $name and then assign the stdout of that into a new variable, which I could in turn name $myavatar.

Here is the code I have to go on with opendir, which outputs all files.

if (is_dir([COLOR="Red"]$avatar_dir[/COLOR])) {
    if ($dh = opendir([COLOR="Red"]$avatar_dir[/COLOR])) {
        while (($file = readdir($dh)) !== false) {
        echo [COLOR="Red"]$file[/COLOR]. "\n";
        }
        closedir($dh);
    }
}

Any thoughts?

Mahngiel

I cannot edit my post, so I am double posting to clarify the problem.

Because .gif, .jpg, and .png are all allowable image extensions, I cannot pre-set the page statically. I need to dynamically find the file extension, which lead me to writing a script to look in the avatar folder, grep an image that contains the user's name (since the file the user uploads is name after himself), and spits out the file name WITH the extension.

Thx again.

Mahngiel

Well, got it to work. Took 6 lines of code and a new table entry. Here are the files (wrapped in PHP block this time):

upload.php:

<?php
include('header.php');echo
'<html>
<body>
Change '.$name.'s avatar. <br />
<form action="upload_file.php" method="post" enctype="multipart/form-data"><br />
	<label for="file">toast:</label><br />
	<input type="file" name="';echo $name;echo'" /><br />
	<input type="submit" name="submit" value="Upload File" />
</form>';
?>

upload-file.php:

<?php
include('header.php');

// Determine file types and size
if ((($_FILES[$name]["type"] == "image/gif")
|| ($_FILES[$name]["type"] == "image/jpeg")
|| ($_FILES[$name]["type"] == "image/pjpeg")
|| ($_FILES[$name]["type"] == "image/png"))
&& ($_FILES[$name]["size"] < 60000)){

//Notify if error
if ($_FILES[$name]["error"] > 0){
    	echo "Return Code: " . $_FILES[$name]["error"] . "<br />";
}else{

// Upload it to server and log into database
    move_uploaded_file($tmp_name, $avatar_dir.$name.$ava);
    mysql_query("UPDATE content SET avatar = '$ava2' WHERE uname = '$name'");
	}    

//Kick out
}else{
  echo 'Invalid file,';
   }

?>

resource variables from my header.php:

$name = $_COOKIE['user'];
$avatar_dir = 'avatars/';
$tmp_name = $_FILES[$name]["tmp_name"];
$avatarftype = $_FILES[$name]["type"];
$fext = explode("image", $avatarftype);
$fext = str_replace("/", ".", $fext);
$ava = $fext[1];
$ava2 = str_replace(".", "", $ava);
$avatarpull = mysql_query("SELECT avatar FROM content WHERE uname = '$name'");
$avatype = mysql_fetch_assoc($avatarpull);
$aext = $avatype["avatar"];

inline placement:

<img src="'.$avatar_dir.$name.'.'.$aext.'" height="100px" width="100px" />