I am trying to upload things to a database. I went through a few tutorials and none of them worked. I want to upload files such as images and text documents (including PowerPoint presentations) to the database.

This is my form

<form action="upload.php" method="post" enctype="multipart/form-data" name="uploadform">
    <input type="hidden" name="MAX_FILE_SIZE" value="350000">
    <input name="picture" type="file" id="picture" size="50">
    <input name="upload" type="submit" id="upload" value="Upload Picture!">
</form>

This is upload.php

<?php
// if something was posted, start the process...
if(isset($_POST['upload']))
{
    // define the posted file into variables
    $name = $_FILES['picture']['name'];
    $tmp_name = $_FILES['picture']['tmp_name'];
    $type = $_FILES['picture']['type'];
    $size = $_FILES['picture']['size'];

    // get the width & height of the file (we don't need the other stuff)
    list($width, $height, $typeb, $attr) = getimagesize($tmp_name);

    // if width is over 600 px or height is over 500 px, kill it    
    if($width>600 || $height>500)
    {
        echo $name . "'s dimensions exceed the 600x500 pixel limit.";
        echo '<a href="form.html">Click here</a> to try again.';
        die();
    }

    // if the mime type is anything other than what we specify below, kill it    
    if(!($type=='image/jpeg' || $type=='image/png' || $type=='image/gif')) 
    {
        echo $type .  " is not an acceptable format.";
        echo '<a href="form.html">Click here</a> to try again.' ;
        die();
    }

    // if the file size is larger than 350 KB, kill it
    if($size>'350000') {
        echo $name . " is over 350KB. Please make it smaller.";
        echo '<a href="form.html">Click here</a> to try again.' ;
        die();
    } 

    // if your server has magic quotes turned off, add slashes manually
    if(!get_magic_quotes_gpc()){
        $name = addslashes($name);
    }

    // open up the file and extract the data/content from it
    $extract = fopen($tmp_name, 'r');
    $content = fread($extract, $size);
    $content = addslashes($content);
    fclose($extract);  

    // connect to the database
    include "inc/db.inc.php";

    // the query that will add this to the database
    $addfile = "INSERT INTO files (name, size, type, content ) ".
        "VALUES ('$name', '$size', '$type', '$content')";

    mysql_query($addfile) or die(mysql_error());

    // get the last inserted ID if we're going to display this image next
    $inserted_fid = mysql_insert_id();

    mysql_close(); 

    echo "Successfully uploaded your picture!";

    // we still have to close the original IF statement. If there was nothing posted, kill the page.
}
else{
    die("No uploaded file present");
}
?>  

I know there is a restriction on type -> if(!($type=='image/jpeg' || $type=='image/png' || $type=='image/gif')) on this. When I upload small photos, the error I am getting is "No database selected".

The database is configured correctly as other things that I have are able to connect to it.

What is the content of inc/db.inc.php? Are you certain that that file's being included properly? Does your code still work if you change the include to require? –  andrewsi Jun 25 '13 at 16:59
Well, the above code seems to be OK. I think the error might be within include "inc/db.inc.php"; "no database selected" usually means you did not select a database –  Neta Meta Jun 25 '13 at 17:01
    
The error means you never called mysql_select_db() after calling mysql_connect(). –  Barmar Jun 25 '13 at 17:01
    
A good tutorial would be helpful... –  Fresz Jun 26 '13 at 8:28

2 Answers

up vote 4 down vote accepted

Your code is fundamentally broken:

1) You simply assume an upload was performed, and never check for failure. At minimum you should have

if ($_FILES['picture']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['picture']['error']);
}

The error codes are defined here: http://php.net/manual/en/features.file-upload.errors.php

2) addslashes() provides about as much defense against SQL injection attacks as using a single square of wet toilet paper does to drying up a lake. Since you're using the mysql library, you MUST use mysql_real_escape_string() to do a PROPER job of escaping the data.

3) You're using the mysql library, which is obsolete and deprecated. STOP USING IT. Switch to mysqli or PDO instead.

4) Your actual error message indicates that you never did a mysql_select_db() call to set your default database. You could get around it by simply modifying your query to be INSERT INTO name_of_db.name_of_table ....


Make sure that you correctly called mysql_select_db() in your inc/db.inc.php file.

In the code below you are simply echoing the text without performing any check. The success message will be displayed irrespective of success or failure.

echo "Successfully uploaded your picture!";
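
The fixes both answers call for, combined in one handler, as an added example that is not part of the original posts: it checks the upload error code, binds values through PDO placeholders instead of addslashes(), names the database in the DSN, and prints the success message only after the INSERT has run. The DSN, credentials, UploadError class and store_upload() helper are assumptions; the block also detects the MIME type from the file content, because $_FILES['picture']['type'] is supplied by the client.

```php
<?php
// Added example: names, DSN and credentials below are placeholders/assumptions.
const MAX_BYTES = 350000;
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
final class UploadError extends RuntimeException {}

function store_upload(PDO $db, array $file): int
{
    // Never assume the upload succeeded: check PHP's error code first.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new UploadError('Upload failed with error code ' . $file['error']);
    }
    // Only accept a temp path that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new UploadError('Not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size > MAX_BYTES) {
        throw new UploadError('File is over 350KB');
    }
    // The client controls $file['type']; derive the type from the bytes instead.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($type, ALLOWED_TYPES, true)) {
        throw new UploadError('Not an acceptable format');
    }
    // Placeholders keep data out of the SQL text, so no manual escaping is needed.
    $stmt = $db->prepare(
        'INSERT INTO files (name, size, type, content) VALUES (:name, :size, :type, :content)'
    );
    $stmt->bindValue(':name', basename($file['name']));
    $stmt->bindValue(':size', $size, PDO::PARAM_INT);
    $stmt->bindValue(':type', $type);
    $stmt->bindValue(':content', file_get_contents($file['tmp_name']), PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

if (isset($_FILES['picture'])) {
    // dbname in the DSN selects the database at connect time.
    $db = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
                  'EXAMPLE_USER', 'EXAMPLE_PASSWORD',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    try {
        $id = store_upload($db, $_FILES['picture']);
        echo 'Successfully uploaded your picture! (id ' . $id . ')';
    } catch (UploadError $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
```

Database errors raise PDOException, which is deliberately not caught here so that driver messages go to the server's error handling rather than to the browser.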
