file upload trouble

xadrieth

I'm using "Headfirst PHP and MySQL" right now, and in chapter 5, we need to create a script that allows us to upload a screenshot.

But I keep on getting this error that all the info is not inputted when I enter a score with a screenshot.

Try it yourself, http://twewy-fan.com/php/guitarwars/addscore.php

Here is the code that is being used for it:
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Guitar Wars - Add Your High Score</title>
  <link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
  <h2>Guitar Wars - Add Your High Score</h2>

<?php
    // Define the upload path and the maximum file size contents
    define('GW_UPLOADPATH', 'images/');

  if (isset($_POST['submit'])) {
    // Grab the score data from the POST
    $name = $_POST['name'];
    $score = $_POST['score'];
    $screenshot = $_FILES['screenshot']['name'];

    if (!empty($name) && !empty($score) && !empty($screenshot)) {
      // Move the file to the target upload folder
      $target = GW_UPLOADPATH . $screenshot;
      // Connect to the database
      $dbc = mysqli_connect('localhost', '*******', '*******', '*******');

      // Write the data to the database
      $query = "INSERT INTO guitarwars VALUES (0, NOW(), '$name', '$score', '$screenshot')";
      mysqli_query($dbc, $query);
      move_uploaded_file($_FILES['screenshot']['tmp_name'], $target);

      // Confirm success with the user
      echo '<p>Thanks for adding your new high score!</p>';
      echo '<p><strong>Name:</strong> ' . $name . '<br />';
      echo '<strong>Score:</strong> ' . $score . '<br />';
      echo '<img src="' . GW_UPLOADPATH . $screenshot . '" alt="Score image" /></p>';
      echo '<p><a href="index.php">&lt;&lt; Back to high scores</a></p>';

      // Clear the score data to clear the form
      $name = "";
      $score = "";

      mysqli_close($dbc);
    }
    else {
      echo '<p class="error">Please enter all of the information to add your high score.</p>';
    }
  }
?>

  <hr />
  <form enctpye="multipart/form-data" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <input type="hidden" name="MAX_FILE_SIZE" value="32768" />
    <label for="name">Name:</label>
    <input type="text" id="name" name="name" value="<?php if (!empty($name)) echo $name; ?>" /><br />
    <label for="score">Score:</label>
    <input type="text" id="score" name="score" value="<?php if (!empty($score)) echo $score; ?>" />
    <br />
    <label for="screenshot">Screen shot:</label>
    <input type="file" id="screenshot" name="screenshot" />
    <hr />
    <input type="submit" value="Add" name="submit" />
  </form>
</body> 
</html>

I already asked the O'Reilly help forums, but I haven't gotten a good answer.

Any help is appreciated.
 

misson

Typo: you set the enctpye, rather than enctype, attribute on the form.

Also, sanitize your form input. As it stands, a malicious user could inject arbitrary SQL. The handling of file input should be safe as is.
 

xadrieth

Thank you, I'll have to check it in the morning though (I have loads of typos).

Also, I'll be sure to sanitize it later, the book says it will cover it later.
 

misson

I was too terse in my first post. The typo is causing the problem, preventing the file from being uploaded. Correct it and the script will work.
 

xav0989

BTW, xadrieth,
posting those test scripts publicly is not such a good idea. Very often, scripts that you are asked to write in beginner/intermediate tutorials and books are not prepared for the real world. There is very little security on those scripts. I would recommend that you set up a development server on your computer to test and try scripts. I recommend XAMPP if you run on Windows, as it is a great development environment.

Concerning security, always treat data as dangerous until cleaned. So always sanitize your data. You might want to skip to the security part to read about that, then come back to where you were.
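
The sanitizing recommended in this thread, applied to the addscore.php handler, as an added example that is not part of the thread or the book. The helper name `gw_add_score()`, the random stored file name, the integer score and the `db_user`/`db_pass`/`db_name` credentials are assumptions or placeholders.

```php
<?php
// Added example, not the book's or the poster's code. GW_UPLOADPATH and the
// guitarwars table come from the thread; gw_add_score() is a hypothetical helper.
define('GW_UPLOADPATH', 'images/');

function gw_add_score(mysqli $dbc, array $post, array $file): string
{
    $name  = trim($post['name'] ?? '');
    $score = (string)($post['score'] ?? '');
    // Assumption: a score is a non-negative whole number of at most 9 digits.
    if ($name === '' || !ctype_digit($score) || strlen($score) > 9) {
        return 'Please enter a name and a numeric score.';
    }
    // With the enctype typo $_FILES is empty, so test the upload status itself.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'The screenshot was not uploaded.';
    }
    // Pick the extension from the file contents, not the client-supplied name.
    $types = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info  = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($types[$info[2]])) {
        return 'The screenshot must be a GIF, JPEG or PNG image.';
    }
    // Server-generated file name: nothing typed by the client reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $types[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], GW_UPLOADPATH . $stored)) {
        return 'Could not store the screenshot.';
    }
    // Prepared statement: the values are bound, never concatenated into the SQL.
    $stmt = mysqli_prepare($dbc, 'INSERT INTO guitarwars VALUES (0, NOW(), ?, ?, ?)');
    if ($stmt === false) {
        return 'Could not save the score.';
    }
    $points = (int)$score;
    mysqli_stmt_bind_param($stmt, 'sis', $name, $points, $stored);
    $saved = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    // Escape on output so the submitted name cannot add markup to the page.
    return $saved
        ? 'Thanks for adding your new high score, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!'
        : 'Could not save the score.';
}

if (isset($_POST['submit'])) {
    $dbc = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name'); // placeholders
    echo '<p>' . gw_add_score($dbc, $_POST, $_FILES['screenshot'] ?? []) . '</p>';
    mysqli_close($dbc);
}
```

The form that posts to this handler still needs `enctype="multipart/form-data"`; without it the second check returns its message on every submission.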
 