I am writing a code that will let me upload files. The code is to convert the file to all lowercase. Check to make sure the filename is not already inserted into the database, and if the user uploads a .png or .jpg file, resize the image to a thumbnail and keep a copy of both the thumbnail and regular size image in a folder named: uploads. I am still a bit confused because there is something that ain't right. I went over and over it. I don't know if maybe I have been working on it for days or what not, but I cannot see anything. Not only that, I am still a newbie working on this.
Here is my code:
$aryImages=array("image/jpeg","image/png");
$aryDocs=array("application/msword","application/pdf","video/x-msvideo");
$filename=filenameSafe($_FILES['upload']['name']);
$fileType=$_FILES["upload"]["type"];
if (in_array($_FILES["upload"]["type"],$aryImages)){
    createThumb($fileType,$_FILES['upload']['tmp_name'],$filename,100,100);
}
elseif (in_array($_FILES["upload"]["type"],$aryDocs)){
    move_uploaded_file($_FILES['upload']['tmp_name'],
        "../imagefolder/".$filename);
    $aryColumns=array("sessionID"=>$curSess,"fileName"=>$filename,"fileType"=>$fileType,"thumbFileName"=>$thumbFilename,"dateCreated"=>date('Y-m-d H:i:s'));
    dbInsert($filename,$aryColumns,$_FILES["upload"]["type"]);
}
else{
    echo "File Uploaded";
}
}
function createThumb($type,$tmpname,$filename,$new_w,$new_h){
    $thumbFilename="tmb-".$filename;
    if (is_numeric(strpos($type,"jpeg"))){
        $src_img=imagecreatefromjpeg($tmpname);
    }
    if (is_numeric(strpos($type,"png"))){
        $src_img=imagecreatefrompng($tmpname);
    }
    $old_x=imageSX($src_img);
    $old_y=imageSY($src_img);
    if ($old_x > $old_y) {
        $thumb_w=$new_w;
        $thumb_h=$old_y*($new_h/$old_x);
    }
    if ($old_x < $old_y) {
        $thumb_w=$old_x*($new_w/$old_y);
        $thumb_h=$new_h;
    }
    if ($old_x == $old_y) {
        $thumb_w=$new_w;
        $thumb_h=$new_h;
    }
    $dst_img=imagecreatetruecolor($thumb_w,$thumb_h);
    imagecopyresampled($dst_img,$src_img,0,0,0,0,$thumb_w,$thumb_h,$old_x,$old_y);
    if (is_numeric(strpos($type,"jpeg"))){
        imagejpeg($dst_img,"../upload/".$thumbFilename);
        imagejpeg($src_img,"../upload/".$filename);
    }
    if (is_numeric(strpos($type,"png"))){
        imagepng($dst_img,"../upload/".$thumbFilename);
        imagepng($src_img,"../upload/".$filename);
    }
    imagedestroy($dst_img);
    imagedestroy($src_img);
    dbInsert($filename,$thumbFilename,$type);
}
function filenameSafe($filename) {
    $temp = $filename;
    // Lower case
    $temp = strtolower($temp);
    // Replace spaces with a ’_’
    $temp = str_replace(" ", "_", $temp);
    // Loop through string
    $result = "";
    for ($i=0; $i<strlen($temp); $i++) {
        if (preg_match('([0-9]|[a-z]|_|.)', $temp[$i])) {
            $result = $result.$temp[$i];
        }
    }
    dbConnect();
    $SQL="SELECT fileID FROM upload WHERE fileName='".$result."'";
    //echo $SQL;
    $rs=mysql_query($SQL);
    echo mysql_num_rows($rs);
    if(mysql_num_rows($rs)!=0){
        $extension=strrchr($result,'.');
        $result=str_replace($extension,time(),$result);
        $result=$result.$extension;
    }
    return $result;
}
function dbInsert($filename,$thumbFilename,$type){
    dbConnect();
    $SQL="INSERT Into tblFile (fileName,thumbFileName,fileType) values('".$filename."','".$thumbFilename."','".$type."')";
    echo $query;
    exit;
    mysql_query($SQL);
}
I am thinking it is looping somewhere and I just can't catch it. When I click the upload button after the browse button, the page comes up with nothing on it, no picture or anything. I am not getting no error or nothing. Can someone please help me out? If I try to put some of the code out it will start giving me errors and fatal errors too. Thanks for looking.
You have several issues here so I’m only going to focus on one area right now that will (hopefully) help you write better code in the future.
Your filenameSafe() function is terribly inefficient. Using a regex on each character of a string inside a loop is like breaking an egg with a sledgehammer with dynamite strapped to the handle. Also, if your goal is to sanitize data before saving it to the database you should be using mysql_real_escape_string() on the data before queries to the db.
Additionally, simply finding the first occurrence of a period in your filename to determine where the extension starts is dubious … what if multiple periods made it into the filename somehow? Instead, try pathinfo() to get the extension.
Finally, I assume that by appending the current timestamp you’re trying to avoid filename collisions in the filesystem. This is not an adequate solution because it is very possible for two files to be saved at the same second in time. While there are whole books on subjects like hashing, for the sake of time I’ll just say you’d be better served by dropping a quick md5() or uniqid() on the filename.
So, an example of how to better handle that particular part of the code:
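The following is an added example, not the answerer's code and not part of the original thread, showing the points raised above: pathinfo() for the extension, a single regex pass, and a collision-resistant suffix. It goes further than the answer in two places, both assumptions: random_bytes() stands in for md5()/uniqid(), and a PDO prepared statement (PHP 7+, with a hypothetical $db handle) stands in for mysql_real_escape_string(); the function names are illustrative, and the table and column names are taken from the question.

```php
<?php
// Added example. Function names and the PDO handle are assumptions;
// tblFile and its columns come from the question's dbInsert().

/**
 * Build a storage name: allow-listed extension, sanitised base name,
 * random suffix so two uploads in the same second cannot collide.
 */
function safeUploadName(string $clientName, array $allowedExt): string
{
    // basename() drops any directory components the client sent.
    $info = pathinfo(basename($clientName));
    $ext  = strtolower($info['extension'] ?? '');
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('Extension not allowed');
    }
    // One regex pass over the whole name instead of a per-character loop.
    $base = preg_replace('/[^a-z0-9_]+/', '_', strtolower($info['filename']));
    $base = trim($base, '_');
    if ($base === '') {
        $base = 'file';
    }
    // 8 random bytes rendered as 16 hex characters.
    return $base . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
}

/** Detect the type from the file contents; $_FILES[...]['type'] is client-supplied. */
function detectedMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return (string) $finfo->file($path);
}

/** Insert with bound parameters so the values are never parsed as SQL. */
function recordUpload(PDO $db, string $fileName, string $thumbName, string $type): void
{
    $stmt = $db->prepare(
        'INSERT INTO tblFile (fileName, thumbFileName, fileType) VALUES (?, ?, ?)'
    );
    $stmt->execute([$fileName, $thumbName, $type]);
}

// Constructed sample input: spaces, extra periods, upper-case extension.
echo safeUploadName('My Holiday.Photo (1).JPG', ['jpg', 'jpeg', 'png']), PHP_EOL;
```

In the upload handler, detectedMime($_FILES['upload']['tmp_name']) would replace the client-supplied type in the in_array() checks before createThumb() or move_uploaded_file() is called.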