Upload script (php-mysql)

[vinnieza]

Ok would it be possible to create an upload script so using php and mysql so it's easier than manually adding the files to the pages?

What i mean is on my site at the moment i upload the files manually by editing the html. So would it be possible to create an upload script that has themename, size, comments etc and uploads the info into a database. Then use php to make it so that there is a page full of 25 previews and names, then when you click the preview you goto a theme info page which has the name, comment, file size etc on it?

I don't mind uploading the files my self so it doesn't need to do that.

Anyway all i want to know is if it's possible, not asking anyone to do it for me as it's a challenege for me . May need a hell of a lot of help though .

Ok first stage done i have completed the upload script, it's the displaying bit now. Well my question really was suppose to be for displaying the info. Would the whole thing work e.g will i be able to display the info.

Maybe somthing like

$name="SELECT name FROM table";
$url="SELECT url FROM table;"
echo "$name";
echo "<br>";
echo 'a href="'
echo "$url";
echo '">click here to download</a>';

Ok this is going to be alot of work. How do sites like mobile 9 do it though? As i can see you'll still have to add the pages manually.

Humm, need to research how to do the stuff like this: .../k700/index.php?id=1

even bigger security issue

Edit: ok, idealy i'd like somthing like this:

Code: Select all

echo '<table width=720 border=0 style="border-collapse: collapse">';
echo '<tr><td width="130px height="122px""><a target="_blanc" href="./assets/images/large/$filenameVZ.jpg">
<img class="preview" src="./assets/images/
$filenameVZ.jpg" alt="$name Preview- 
Click here for a full size preview" 
width="128" height="160" border="0"></td><td><br><b>Name:</b> $name
<br><b>Date Created:</b> $date
<br><b>Animated:</b> $ani
<br><b>Size:</b> $size
<br><b>Comments:</b> $comment
<br><br><a href="http://members.lycos.co.uk/vthemes/k700/assets/themes/$name.thm">Click here 
to download</a></p><.td>';
$name=mysql_query(SELECT `name` FROM `themes`);
$flname=mysql_query(SELECT `filename` FROM `themes`);
$date=mysql_query(SELECT `date` FROM `themes`);
$ani=mysql_query(SELECT `animation` FROM `themes`);
$size=mysql_query(SELECT `size` FROM `themes`);
$comment=mysql_query(SELECT `comments` FROM `themesvz`);

and i want the 2 <td> bits to keep repeating 5 times then close the table.
However, i don't want it to be the same data in each field but instead the next row of the table, so $name isn't the name of the first line in the database but instead the second on the second line down in the table. If you understand what i mean?

Also is there a way of getting variables to appear in that one echo without having to go onto another one e.g at the moment i'd have to do this:

Code: Select all

echo '<table width=720 border=0 style="border-collapse: collapse">';
echo '<tr><td width="130px height="122px""><a target="_blanc" href="./assets/images/large/';
echo "$filename";
echo 'VZ.jpg"><img class="preview" src="./assets/images/';
...

Thanks in advanced

Edit 2: Second part complete (i have managed to find a way of displaying the results on the page). Now it's time to find a way of getting 5 on page one then getting the next 5 on page 2 etc. Humm

Edit 3: i think i've cracked it and will finnish it off tommorrow .

BTW forgot to say after edit 2 i'm using:

Code: Select all

$result1=mysql_query("SELECT `name` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result2=mysql_query("SELECT `filename` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result3=mysql_query("SELECT `date` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result4=mysql_query("SELECT `animtaion` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result5=mysql_query("SELECT `size` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result6=mysql_query("SELECT `comments` FROM `themes` ORDER BY `dateuploaded` DESC ");

echo '<table width=720 border=0 style="border-collapse: collapse">';

/*change no.s below depending on which results i want e.g 5 < 10 for second page*/ 

$i=0;
$n=5;
while ($i < $n) {

$name=mysql_result($result1,$i);
$flname=mysql_result($result2,$i);
$date=mysql_result($result3,$i);
$ani=mysql_result($result4,$i);
$size=mysql_result($result5,$i);
$comment=mysql_result($result6,$i);

echo "<!--$name Theme-->";
echo '<tr><td width="130px" height="122px"><a target="_blanc" href="./assets/images/large/';
echo "$flname";
echo 'VZ.jpg">
<img class="preview" src="./assets/images/';
echo "$flname";
echo 'VZ.jpg" alt="';
echo "$name";
echo ' Preview- 
Click here for a full size preview" 
width="128" height="160" border="0"></a></td><td><br><b>Name:</b>'; 
echo " $name
<br><b>Date Created:</b> $date
<br><b>Animated:</b> $ani
<br><b>Size:</b> $size
<br><b>Comments:</b> $comment
<br><br><a href=";
echo '"http://members.lycos.co.uk/vthemes/k700/assets/themes/';
echo "$flname";
echo '.thm">Click here 
to download</a></td></tr>';
$i++;
}

[vinnieza]

Ok i got that working, but now i'm having 2 problems.

First is that the html is appearing above the php even though in the file it's the other way around, and the second is that stupid blue tripod ad is now displaying after the themes?

<sniped>

(don't want a crawler to follow the link)

Ps can you see any security threats for this? You may need to code to see the threats?

Edit 2: Fixed layout, i'm such an idiot, i forgot the end tags for </tr></a> and </table>

Next thing to find any security issues and fix them

PS changed code above to match new code (btw the </table> tag is after the php coding (not displayed)).

Edit 3: Ok here's the part of the coding can anyone see any security issues with people being able to change and view information from the database etc:

Code: Select all

<sniped>

<div class="right"> 
<h2 align="center">Themes</h2><br>
  <?php
$username="";
$password="";
$database="";
$ip=$_SERVER["REMOTE_ADDR"];

@mysql_pconnect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query="SELECT * FROM `themes`";
$result=mysql_query($query);
$num=mysql_num_rows($result);
$result1=mysql_query("SELECT `name` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result2=mysql_query("SELECT `filename` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result3=mysql_query("SELECT `date` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result4=mysql_query("SELECT `animtaion` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result5=mysql_query("SELECT `size` FROM `themes` ORDER BY `dateuploaded` DESC ");
$result6=mysql_query("SELECT `comments` FROM `themes` ORDER BY `dateuploaded` DESC ");

echo '<table width=720 border=0 style="border-collapse: collapse">';

$i=0;
$n=5;
while ($i < $n) {

$name=mysql_result($result1,$i);
$flname=mysql_result($result2,$i);
$date=mysql_result($result3,$i);
$ani=mysql_result($result4,$i);
$size=mysql_result($result5,$i);
$comment=mysql_result($result6,$i);

echo ""<!--$name Theme--><tr><td width='130px' height='122px'><a target='_blanc' 
href='./assets/images/large/$flname
VZ.jpg'>
<img class='preview' src='./assets/images/$flname
VZ.jpg' alt='$name Preview- 
Click here for a full size preview' 
width='128' height='160' border='0'></a></td><td><br><b>Name:</b> $name
<br><b>Date Created:</b> $date
<br><b>Animated:</b> $ani
<br><b>Size:</b> $size
<br><b>Comments:</b> $comment
<br><br><a href='./assets/themes/$flname.thm'>Click here 
to download</a></td></tr>";
$i++;
}

mysql_close();
?>
</table>

<sniped>

If you can please tell me what it is and how to fix it.

Thanks in advance

PS excuse my coding, i'm a beginner so there maybe stuff which it would have been easier to do it another way (e.g the echos?). Also i have some variables there which aren't used, this is because i removed them but left them encase i want to use them some time. Anyway, i've tried it out and it works i'm just worreied about security now.

Edit: Removed all the echos
Edit2: Following 2 people at hackthissite.org s comments, i have now got this:

Code: Select all

  <?php
$username="";
$password="";
$database="";
$ip=$_SERVER["REMOTE_ADDR"];

@mysql_pconnect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

echo '<table width=720 border=0 style="border-collapse: collapse">';

$numb=0; 
/*for page 2 use 5 instead of 0 and page 3 10 etc*/

$query="SELECT * FROM themes ORDER BY desc LIMIT $numb,5";
$result=mysql_query($query);

while ($theme_info = @mysql_fetch_array($result))
{
     $name=$theme_info["name"];
     $flname=$theme_info["filename"];
     $date=$theme_info["date"];
     $ani=$theme_info["animation"];
     $size=$theme_info["size"];
     $comment=$theme_info["comments"];

     echo "<!--$name Theme--><tr><td width='130px' height='122px'><a 
     target='_blanc' 
     href='./assets/images/large/$flname
     VZ.jpg'>
     <img class='preview' src='./assets/images/$flname
     VZ.jpg' alt='$name Preview- 
     Click here for a full size preview' 
     width='128px' height='160px' border='0'>
     </a></td><td>
     <b>Name:</b> $name
     <br><b>Date Created:</b> $date
     <br><b>Animated:</b> $ani
     <br><b>Size:</b> $size
     <br><b>Comments:</b> $comment
     <br><br><a href='.assets/themes/$flname.thm'>Click here 
     to download</a></td></tr>";
}

mysql_close();
?>
</table>

[vinnieza]

I'll tkae it it's safe as the querie's not really affected by a form. Anyhoo, on to making a search script. Now this i definately have to worry about security with.

[fac51]

dunno, where's young chris?

[Chris]

dunno, where's young chris?

I have been helping him on msn old Ed, And I have been having a lot of exams

[fac51]

ok i'll let yer off

[vinnieza]

Chris has helped me loads , hope it didn't affect his exams

[vinnieza]

Edit: Updated whole post

ok, here's another piece of horrible coding . Any help will be appreciated. However, the main reason i'm, posting this is to ask if anyoine can see any security exploits in this? If you can can you please tell me how to fix it.

Thanks in advance

OLD CODE:

Code: Select all

 <?php
$username="";
$password="";
$database="";
$ipaddress=$_SERVER["REMOTE_ADDR"];

@mysql_pconnect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$date=date("d/m/y h:i:s A T");
$ip=( !isset($_POST['ip']) ) ? "0" : str_replace("\'", "''", $_POST['ip']);
$search=( !isset($_POST['search']) ) ? "0" : str_replace("\'", "''", $_POST['search']);

$log="INSERT INTO log0 (search,date,ipaddress) VALUES ('$search','$date','$ip')";

mysql_query($log);

echo '<table width=720 border=0 style="border-collapse: collapse">';

$query="SELECT * FROM themes WHERE name LIKE '%$search%' ORDER BY dateuploaded DESC LIMIT 0,5";
$result=mysql_query($query);
$numbr=mysql_num_rows($result);

if ($numbr>0)
{
   while ($theme_info = @mysql_fetch_array($result))
   {
   $name=$theme_info["name"];
   $flname=$theme_info["filename"];
   $date=$theme_info["date"];
   $ani=$theme_info["animation"];
   $size=$theme_info["size"];
   $comment=$theme_info["comments"];
   
   echo "<!--$name Theme--><tr><td width='130px' height='122px'><a target='_blanc' 
   href='./assets/images/large/$flname
   VZ.jpg'>
   <img class='preview' src='./assets/images/$flname
   VZ.jpg' alt='$name Preview- 
   Click here for a full size preview' 
   width='128px' height='160px' border='0'>
   </a></td><td>
   <b>Name:</b> $name
   <br><b>Date Created:</b> $date
   <br><b>Animated:</b> $ani
   <br><b>Size:</b> $size
   <br><b>Comments:</b> $comment
   <br><br><a href='./assets/themes/$flname.thm'>Click here 
   to download</a></td></tr>";
   }
}
else
{
   echo '<p>Sorry no results were found for your search click <a href="javascript:history.back()">here</a> 
   to go back.</p>';
}
?>
</table>
<?php
$query2="SELECT * FROM themes WHERE name LIKE '%$search%' LIMIT 0,6";
$result2=mysql_query($query2);
$numbr2=mysql_num_rows($result2);

echo "<form action='./search2.php' method='post' name='search2'>
<input type='hidden' name='search' value='$search'>";

if ($numbr2>5)
{
   echo "<p align='center'>Click <a href='javaScript:document.search2.submit()'>here</a> for more results
   </form></p>";
}

mysql_close();
?>

Edit: I've been now told that i should use html instead of echo in php where ever i can so i now have this:

Code: Select all

 <?php
$username="";
$password="";
$database="";
$ipaddress=$_SERVER["REMOTE_ADDR"];

@mysql_pconnect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$date=date("d/m/y h:i:s A T");
$ip=( !isset($_POST['ip']) ) ? "0" : str_replace("\'", "''", $_POST['ip']);
$search=( !isset($_POST['search']) ) ? "0" : str_replace("\'", "''", $_POST['search']);

$log="INSERT INTO log0 (search,date,ipaddress) VALUES ('$search','$date','$ip')";

mysql_query($log);

echo '<table width=720 border=0 style="border-collapse: collapse">';

$query="SELECT * FROM themes WHERE name LIKE '%$search%' ORDER BY dateuploaded DESC LIMIT 0,5";
$result=mysql_query($query);
$numbr=mysql_num_rows($result);

if ($numbr>0)
{
     while ($theme_info = @mysql_fetch_array($result))
     {
     $name=$theme_info["name"];
     $flname=$theme_info["filename"];
     $date=$theme_info["date"];
     $ani=$theme_info["animation"];
     $size=$theme_info["size"];
     $comment=$theme_info["comments"];
     ?>
     <!--<?php echo "$name"; ?> Theme--><tr><td width='130px'
     height='122px'><a target='_blanc' 
     href='./assets/images/large/<?php echo "$flname"; ?>
     VZ.jpg'>
     <img class='preview' src='./assets/images/<?php echo "$flname"; ?>
     VZ.jpg' alt='$name Preview- 
     Click here for a full size preview' 
     width='128px' height='160px' border='0'>
     </a></td><td>
     <b>Name:</b> <?php echo "$name"; ?>
     <br><b>Date Created:</b> <?php echo "$date"; ?>
     <br><b>Animated:</b> <?php echo "$ani"; ?>
     <br><b>Size:</b> <?php echo "$size"; ?>
     <br><b>Comments:</b> <?php echo "$comment"; ?>
     <br><br><a href='./assets/themes/<?php echo "$flname.thm"; ?>'>Click
     here to download</a></td></tr>
     <?php
     }
}
else
{
     ?> <p>Sorry no results were found for your search click <a 
     href="javascript:history.back()">here</a> 
     to go back.</p>';
     <?php
}
?>
</table>
<?php
$query2="SELECT * FROM themes WHERE name LIKE '%$search%' LIMIT 0,6";
$result2=mysql_query($query2);
$numbr2=mysql_num_rows($result2);

?>
<form action='./search2.php' method='post' name='search2'>
<input type='hidden' name='search' value='<?php echo "$search"; ?>'>

<?php 
if ($numbr2>5)
{
     ?> <p align='center'>Click <a href='javaScript:document.search2.submit
     ()'>here</a> for more results
     </form></p>
     <?php 
}

mysql_close();
?>
<br><div class="bottom">
<?php 
include '../footer.htm';
?>

[vinnieza]

Sorry for the bump, have no changed the coding

New code thanks to chris:

Code: Select all

<?php
$username="";
$password="";
$database="";
$ipaddress=$_SERVER["REMOTE_ADDR"];

@mysql_pconnect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$date=date("d/m/y h:i:s A T");
$ip=( !isset($_POST['ip']) ) ? "0" : str_replace("\'", "''", $_POST['ip']);
$get = ( !isset($_GET['search']) ) ? "0" : str_replace("\'", "''", $_GET['search']);
$search = ( !isset($_POST['search']) ) ? "$get" : str_replace("\'", "''", $_POST['search']);
$page = (isset($_GET['page'])) ? intval($_GET['page']) : "0";
$page = ($page < 0) ? 0 : $page;

$log="INSERT INTO log0 (search,date,ipaddress) VALUES ('$search','$date','$ip')";

mysql_query($log);

echo '<table width=720 border=0 style="border-collapse: collapse">';

$query="SELECT * FROM themes WHERE name LIKE '%$search%' ORDER BY dateuploaded DESC LIMIT $page,5";
$result=mysql_query($query);
$numbr=mysql_num_rows($result);
$page=$page+5; 

if ($numbr>0)
{
   while ($theme_info = @mysql_fetch_array($result))
   {
      $name=$theme_info["name"];
      $flname=$theme_info["filename"];
      $date=$theme_info["date"];
      $ani=$theme_info["animation"];
      $size=$theme_info["size"];
      $comment=$theme_info["comments"];
      ?>
      <!--<?php echo "$name"; ?> Theme--><tr><td width='130px' height='122px'><a target='_blank' 
      href='./assets/images/large/<?php echo "$flname"; ?>
      VZ.jpg'>
      <img class='preview' src='./assets/images/<?php echo "$flname"; ?>
      VZ.jpg' alt='$name Preview- 
      Click here for a full size preview' 
      width='128px' height='160px' border='0'>
      </a></td><td>
      <b>Name:</b> <?php echo "$name"; ?>
      <br><b>Date Created:</b> <?php echo "$date"; ?>
      <br><b>Animated:</b> <?php echo "$ani"; ?>
      <br><b>Size:</b> <?php echo "$size"; ?>
      <br><b>Comments:</b> <?php echo "$comment"; ?>
      <br><br><a href='./assets/themes/<?php echo "$flname.thm"; ?>'>Click here 
      to download</a></td></tr>
      <?php
   }
}
else
{
   ?> <p>Sorry no results were found for your search click <a href="javascript:history.back()">here</a> 
   to go back.</p>
   <?php
}
?>
</table>
<?php
$query2="SELECT * FROM themes WHERE name LIKE '%$search%' LIMIT $page,1";
$result2=mysql_query($query2);
$numbr2=mysql_num_rows($result2);
 
if ($numbr2>0)
{
   ?> <p align='center'>Click <a href='search.php?search=<?php echo "$search"; ?>
   &page=<?php echo "$page"; ?>'>here</a> for more results
   </form></p>
<?php 
}

mysql_close();
?>
<br><div class="bottom">
<?php 
include '../footer.htm';
?>