Sorry if this is something stupid but just looking for some genuine help. Struggling with this.
I have an HTML script that uploads a file called minegem.html which when submitted calls minegem.php. This script uploads the data from the form into the table, uploads a file to a directory, and gives the user a table to view said data. It all works quite nicely.
<?php
//define variables to be used
$db_host = 'localhost';
$db_user = 'root';
$db_pwd = '';
$database = 'minetech';
$table = 'minegem';
$directory = 'uploads/minegem/';
//This gets all the other information from the form
$name=$_POST['docname'];
$version=$_POST['docver'];
$date=$_POST['docdate'];
$type=$_POST['doctype'];
$author=$_POST['docauth'];
//target directory is assigned
$target = $directory;
$target = $target . basename( $_FILES['uploaded']['name']) ;
//if everything is ok upload the file
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
    echo "The file ". basename( $_FILES['uploaded']['name']). " has been uploaded";
}
else {
    echo "Sorry, there was a problem uploading your file.";
}
//connect to sql
$con = mysql_connect("$db_host","$db_user","$db_pwd");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
//connect to database
mysql_select_db("$database", $con);
//insert data from form to database
$sql="INSERT INTO $table (DocName, DocVer, DocDate, DocType, DocAuth, DocLoc)
VALUES
('$name','$version','$date','$type','$author','$target')";
//confirm data entry
if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo " and new record added. How cool is that.";
//the following script displays the data for test purposes
//this script will show table data
//retrieve tables values
$result = mysql_query("SELECT * FROM {$table}");
if (!$result) {
    die("Query to show fields from table failed");
}
//build table and define headings
echo "<table border='1'>
<tr>
<th>Name</th>
<th>Version</th>
<th>Upload Date</th>
<th>Type</th>
<th>Uploader</th>
<th>Location</th>
</tr>";
// printing table rows
while($row = mysql_fetch_array($result))
{
    echo "<tr>";
    echo "<td>" . $row['DocName'] . "</td>";
    echo "<td>" . $row['DocVer'] . "</td>";
    echo "<td>" . $row['DocDate'] . "</td>";
    echo "<td>" . $row['DocType'] . "</td>";
    echo "<td>" . $row['DocAuth'] . "</td>";
    echo "<td>" . $row['DocLoc'] . "</td>";
    echo "</tr>";
}
echo "</table>";
mysql_free_result($result);
//close connection to database
mysql_close($con);
?>
Both of the files are located in C:/wamp/www/ so when I run them via web browser it shows as localhost/minegem.php
I have a final script which will be the one I actually run to show the end user the results.
<?php
//define variables to be used
$db_host = 'localhost';
$db_user = 'root';
$db_pwd = '';
$database = 'minetech';
$table = 'minegem';
$type = 'Guideline';
//connect to sql
$con = mysql_connect("$db_host","$db_user","$db_pwd");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
//connect to database
mysql_select_db("$database", $con);
//this script will show table data
//retrieve tables values
$result = mysql_query("SELECT * FROM $table
WHERE DocType='Guideline'");
if (!$result) {
    die("Query to show fields from table failed");
}
//build table and define headings
echo "<table border='1'>
<tr>
<th>Document Name</th>
<th>Version</th>
</tr>";
// printing table rows
while($row = mysql_fetch_array($result))
{
    $docname=$row['DocName'];
    $docver=$row['DocVer'];
    $doctype=$row['DocType'];
    $docloc=$row['DocLoc'];
    echo "<tr>";
    echo '<td><a href='.urlencode($docloc).'>'.$docname.'</a></td>';
    echo "<td>$docver</td>";
    echo "</tr>";
}
echo "</table>";
mysql_free_result($result);
//close connection to database
mysql_close($con);
?>
My first table shows the file location as uploads/minegem/test document.pdf
The second table that displays that as a link shows in the address bar http://localhost/uploads%2Fminegem%2Ftest+document.pdf
And on the page it says
The requested URL /uploads/minegem/test+document.pdf was not found on this server.
I assume this is a stupid file structure problem but it's crucial. I will end up putting this on a server so being able to store the complete file path and recall that as a link would be great. I’m hoping someone can help point me in the right direction with setting up correct file structures. Thanks.
Use rawurlencode instead. This replaces the space with a %20 and not a plus sign.
The + is used for transfer of data, the %20 for URLs that are displayed for clicking on. Although you can always use %20 for data transfer, you can only sometimes use +, if browsers incorrectly support it. So stick with rawurlencode.
Also, rawurlencode the basename part only before insertion into the database. This leaves the path not urlencoded. I don’t think this bit is breaking your code, but it’s a lot neater.
Answering Q) how to rawurlencode just the basename.
A) Just store the basename in the database. You know the path ($directory) and so you can use move_uploaded_file(…, $directory . $target); and then when outputting the file location, use a href="http://localhost/'.$directory.rawurlencode($target) . '"
But a couple of other “issues” that are also very important.
When you output the text to screen for display, make sure you use htmlspecialchars() on it.
[a href="http://localhost/'.$directory.rawurlencode($target).'"]'.$directory.htmlspecialchars($target).'[/a] // Replace square brackets with angle brackets – can’t enter angle brackets here.
When saving to database at a minimum use “mysql_real_escape_string” to make it safe for entering into the database. But it is STRONGLY recommended to use PDO or mysqli (mysql functions are being deprecated, whereas PDO and mysqli are both safer to use by design).
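The advice in the answer above, put together as an added example (not code from the original posts): store only the basename, rawurlencode it when building the link, escape everything displayed with htmlspecialchars, and use PDO prepared statements. It assumes an in-memory SQLite database and constructed sample rows so it runs without a server; renderRow is a hypothetical helper.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO so it runs without a server;
// on the poster's setup the DSN would be 'mysql:host=localhost;dbname=minetech'.
$directory = 'uploads/minegem/';

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE minegem (DocName TEXT, DocVer TEXT, DocType TEXT, DocLoc TEXT)');

// Constructed sample rows standing in for the $_POST and $_FILES values.
$uploads = [
    ['Test <b>doc</b>', '1.0', 'Guideline', 'test document.pdf'],
    ["O'Brien's notes", '2.1', 'Guideline', '../site plan #2 & notes.pdf'],
];

// Prepared statement: values are bound, never spliced into the SQL string.
$insert = $pdo->prepare(
    'INSERT INTO minegem (DocName, DocVer, DocType, DocLoc) VALUES (?, ?, ?, ?)'
);
foreach ($uploads as [$name, $ver, $type, $clientName]) {
    // Store only the basename; the script already knows $directory.
    $insert->execute([$name, $ver, $type, basename($clientName)]);
}

// Build one table row: rawurlencode for the URL, htmlspecialchars for anything shown.
function renderRow(string $directory, array $row): string
{
    // Encode the file name only, so the slashes in $directory stay path separators.
    $href = $directory . rawurlencode($row['DocLoc']);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<tr><td><a href="' . $esc($href) . '">' . $esc($row['DocName'])
         . '</a></td><td>' . $esc($row['DocVer']) . "</td></tr>\n";
}

$select = $pdo->prepare('SELECT DocName, DocVer, DocLoc FROM minegem WHERE DocType = ?');
$select->execute(['Guideline']);

echo "<table border='1'>\n<tr><th>Document Name</th><th>Version</th></tr>\n";
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo renderRow($directory, $row);
}
echo "</table>\n";

// The question's call, for comparison: encodes the slashes and turns the space into '+'.
echo '<!-- urlencode: ', urlencode($directory . 'test document.pdf'), " -->\n";
```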