Hello! My code is the ad handler. On the test server everything worked fine, but once it was uploaded to the hosting, the checks for the size and format of the uploaded photo do not work, and the photo itself is neither saved to the folder nor recorded in the database. Please describe in more detail what is wrong. I started with PHP only recently.

```php
<?php
include("blocks/bd.php");
$result = mysql_query("SELECT sum FROM comments_setting", $db);
$myrow  = mysql_fetch_array($result);

if (isset($_POST['title'])) {
    $title = $_POST['title'];
    $title = stripslashes($title);
    $title = htmlspecialchars($title);
    $title = trim($title);
    if ($title == '') { unset($title); }
}
if (isset($_POST['meta_d'])) {
    $meta_d = $_POST['meta_d'];
    $meta_d = stripslashes($meta_d);
    $meta_d = htmlspecialchars($meta_d);
    $meta_d = trim($meta_d);
    if ($meta_d == '') { unset($meta_d); }
}
if (isset($_POST['meta_k'])) {
    $meta_k = $_POST['meta_k'];
    $meta_k = stripslashes($meta_k);
    $meta_k = htmlspecialchars($meta_k);
    $meta_k = trim($meta_k);
    if ($meta_k == '') { unset($meta_k); }
}
if (isset($_POST['date'])) {
    $date = $_POST['date'];
    $date = stripslashes($date);
    $date = htmlspecialchars($date);
    $date = trim($date);
    if ($date == '') { unset($date); }
}
if (isset($_POST['text'])) {
    $text = $_POST['text'];
    $text = stripslashes($text);
    $text = htmlspecialchars($text);
    $text = trim($text);
    if ($text == '') { unset($text); }
}
if (isset($_POST['pochta'])) {
    $pochta = $_POST['pochta'];
    $pochta = stripslashes($pochta);
    $pochta = htmlspecialchars($pochta);
    $pochta = trim($pochta);
    if ($pochta == '') { unset($pochta); }
}
if (isset($_POST['tel'])) {
    $tel = $_POST['tel'];
    $tel = stripslashes($tel);
    $tel = htmlspecialchars($tel);
    $tel = trim($tel);
}
if (isset($_POST['gorod'])) {
    $gorod = $_POST['gorod'];
    $gorod = stripslashes($gorod);
    $gorod = htmlspecialchars($gorod);
    $gorod = trim($gorod);
    if ($gorod == '') { unset($gorod); }
}
if (isset($_FILES['foto'])) {
    $foto = $_FILES['foto'];
}
if (isset($_POST['pr'])) {
    $pr = $_POST['pr'];
    $pr = stripslashes($pr);
    $pr = htmlspecialchars($pr);
    $pr = trim($pr);
}
if (isset($_POST['sub_ob'])) {
    $sub_ob = $_POST['sub_ob'];
}

function isSecurity($foto)
{
    // Note: all three values come from the client; 'type' is whatever the browser sent.
    $name = $_FILES['foto']['name'];
    $type = $_FILES['foto']['type'];
    $size = $_FILES['foto']['size'];
    $blacklist = array(".php", ".phtml", ".php3", ".php4");
    foreach ($blacklist as $item) {
        // preg_quote() so the "." in the pattern is a literal dot, not "any character"
        if (preg_match("/" . preg_quote($item, "/") . "\$/i", $name))
            exit("<p>Такие типы файлов недопустимы! <input name='back' type='button' value='Вернуться назад' onclick='javascript:self.back();'></p>");
    }
    if (($type != "image/gif") && ($type != "image/png") && ($type != "image/jpg") && ($type != "image/jpeg") && ($type != ""))
        exit("<p>Такие форматы недопустимы! Можно загружать изображения в формате: gif, png, jpg, jpeg. <input name='back' type='button' value='Вернуться назад' onclick='javascript:self.back();'></p>");
    if ($size > 100 * 1024) {
        exit("<p>Такие размеры недопустимы! Размер фотографии должен быть меньше 100 кб. <input name='back' type='button' value='Вернуться назад' onclick='javascript:self.back();'></p>");
    }
    return true;
}

function LoadFoto($foto)
{
    $type = $_FILES['foto']['type'];
    $name = $_FILES['foto']['name'];
    $uploaddir = "avatars/";
    // new file name: md5 of the time plus an extension taken from the client-supplied type
    $name = md5(microtime()) . "." . substr($type, strlen("image/"));
    if (move_uploaded_file($_FILES['foto']['tmp_name'], $uploaddir . $name)) {
        return $name;
    } else return false;
}

// This call runs before isSecurity(), so the file is saved before any check is made.
if ($name = LoadFoto($foto)) {
    // use the variable $name
} else {
    // failed to save the file
}

if (isSecurity($foto)) LoadFoto($foto);
else $message = "Ошибка при загрузке фото!";
```
  • Check the permissions on the "avatars/" folder - most likely there is no write permission. As for saving to the database, I won't say anything - I don't see any hint in the code of inserting a record. - Indifferent
  • Thanks, but why don't the size and format checks work? For a php file the check passes. - Regina
  • @ReinRaus, from this "optimization" only readability suffered, and the possibility of SQL injection remained. It would be better to suggest collapsing this code into a function - that would be a more useful comment. @Regina, what code does $_FILES["foto"]["error"] give? - Indifferent
  • And your code is vulnerable to shell uploads, or uploads of arbitrary content in general. The simplest example: you can send an html file with Content-Type: image/png, your script will save it to the avatars folder, and now if the site has a link like "View avatar", the user who follows it becomes a victim of the vulnerability. And if the server executes PHP in such pages, then things are altogether terrible. - ReinRaus
  • @ReinRaus, I am only saying that your comment is useless: it has nothing to do with the question and solves none of the problems of the posted code. @Regina, to display the value of a variable on the screen, quotes are not needed, i.e. you need to write: echo $_FILES["foto"]["error"]; In general, BEFORE the LoadFoto() function, write die(print_r($_FILES["foto"])); and copy the result after uploading the file. - Indifferent

2 answers

Have you heard anything about optimization?

11 identical pieces of code take up almost 100 lines when you can fit it all into just 10 using 1 array with keys and 1 for or foreach loop

```php
<?php
$mas = array("title", "tel", "foto" /* etc. */);
foreach ($mas as $key) {
    if (isset($_POST[$key])) {
        $name = $_POST[$key];
        $name = stripslashes($name);
        $name = htmlspecialchars($name);
        $name = trim($name);
        if ($name == '') {
            unset($name);
        }
        // and $name can just as well be used as an array with keys and values,
        // storing everything in one array!
    }
}
```
  • Thanks, I'll keep it in mind. - Regina

Ha, I can't write comments anymore ...)

But error 6 means that there is no temporary folder, i.e. there is nowhere to upload the file to. Conclusion: the problem is on the hosting side.

  • You helped me a lot! - Regina
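Added example (not the asker's code and not from either answer): a replacement for isSecurity()/LoadFoto() that first inspects $_FILES['foto']['error'] (where code 6 from the second answer shows up), checks the size server-side, sniffs the real content instead of trusting the client-sent Content-Type that ReinRaus's comment exploits, and builds the file name from the sniffed type. It assumes the same "avatars/" directory and field name "foto" as the question; the helper name checkAndSaveFoto is hypothetical.

```php
<?php
// Hardened upload step for the 'foto' field; assumes PHP 7+ with the fileinfo extension.
function checkAndSaveFoto(array $file, string $uploadDir = "avatars/")
{
    // 1. Look at the upload status before anything else. UPLOAD_ERR_NO_TMP_DIR (6) is the
    //    "no temporary folder" hosting problem from the answer; UPLOAD_ERR_OK is 0.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error code ' . ($file['error'] ?? 'none')];
    }
    // 2. Size limit on the byte count PHP measured, same 100 KB limit as the question.
    if ($file['size'] > 100 * 1024) {
        return ['ok' => false, 'reason' => 'file larger than 100 KB'];
    }
    // 3. $_FILES[...]['type'] is whatever the client claimed, so sniff the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];
    if ($mime === false || !isset($allowed[$mime])) {
        return ['ok' => false, 'reason' => 'content is not an allowed image type'];
    }
    // 4. It must also decode as an image, not just start with an image header.
    if (@getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }
    // 5. Random name; the extension comes from the sniffed type, never from the client.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!is_dir($uploadDir) || !is_writable($uploadDir)) {
        return ['ok' => false, 'reason' => "$uploadDir is missing or not writable"];
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'move_uploaded_file failed'];
    }
    return ['ok' => true, 'name' => $name];
}

if (isset($_FILES['foto'])) {
    $res = checkAndSaveFoto($_FILES['foto']);
    if ($res['ok']) {
        $name = $res['name'];   // this is the value to store in the database row
    } else {
        $message = "Ошибка при загрузке фото: " . $res['reason'];
    }
}
```

Because every failure returns a reason instead of calling exit(), the hosting-side error code is visible in $message rather than silently skipped. The avatars directory should additionally be configured so the web server never executes scripts from it, which removes the second half of ReinRaus's scenario.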