ThatBenderGuy

Reputation: 307

Changing the file name of a tmp file uploaded through a form

Like the title says, I want to change the file name of the file a user uploads through a form. Here is the code:

HTML

    <form action="editprofile.php" method="POST" enctype="multipart/form-data">
         <p>Upload your image:</p><p><input type="file" name="myfile"></p><br />
         <p><input type="radio" name="type" value="defaultDot">Use Default</p>
         <p><input type="submit" name="updateAvatar"></p>
    </form>

and here is my php script that moves the uploaded file to the correct directory
PHP

    $name = $_FILES['myfile']['name'];
    $tmp_name = $_FILES['myfile']['tmp_name'];
    $size = getimagesize($_FILES['myfile']['tmp_name']);
    if($name){
        //start upload process
        if($size != FALSE){
            $location = "images/avatars/$name";
            move_uploaded_file($tmp_name, $location);
            $query = mysql_query("UPDATE users SET avatar='$location' WHERE id=$id");
            $avaMessage = '<p><font size=2 color=aqua face=Tahoma>Avatar Updated - Uploaded Image!.</font></p>';
        }else{
            $avaMessage = '<p><font size=2 color=red face=Tahoma>Please only submit image files!</font></p>';
        }
    }

How would I be able to give the image a custom name? For instance, I have a variable called $username which stores a session variable of the user's name. What if I wanted to name the image after the $username variable, with the same file extension?

EDIT:EDIT:EDIT:
Added your if statement, Lawrence, and I swapped the vars in move_upload_files and it still does not work...
Code

    if($_SERVER['REQUEST_METHOD']=='POST' && isset($username) && is_numeric($id)
    && isset($_FILES['myfile']['error']) && $_FILES['myfile']['error']=='UPLOAD_ERR_OK'){
        if($_POST['type'] != "defaultDot"){
            //$avaURL = $_POST['url'];
            //$updateURL = mysql_query("UPDATE users SET avatar='$avaURL' WHERE id=$id");
            //$avaMessage = '<p><font size=2 color=aqua face=Tahoma>Avatar Uploaded!</font></p>';
            $name    = basename($_FILES['myfile']['name']);
            $ext     = end(explode('.', $name));
            $move_to = "images/avatars/".preg_replace('/[^a-zA-Z0-9.-]/s', '_',$username).'.'.$ext;
            $info    = getimagesize($_FILES['myfile']['tmp_name']);

            if($name){
                //start upload process
                $allowed = array('image/png','image/jpg','image/gif');
                if($info[0]>0 && $info[1] > 0 && in_array($info['mime'],$allowed)){
                    if($info[0]>200 || $info[1] > 200){
                        //File dimensions too large
                        $avaMessage = '<p><font size=2 color=red face=Tahoma>File dimensions too large.</font></p>';
                    }else{
                        //File put contents will overwrite if file exists
                        move_uploaded_file($_FILES['myfile']['tmp_name'], $move_to);
                        mysql_query("UPDATE users
                                    SET avatar='".mysql_real_escape_string($move_to)."' 
                                    WHERE id=".$id." AND owner='".$_SESSION['username']."'");
                        $avaMessage = 'Avatar Updated - Uploaded Image!.';
                    }
                }else{
                    $avaMessage = '<p><font size=2 color=red face=Tahoma>Please only submit image files!</font></p>';
                }
            }else{
                $avaMessage = '<p><font size=2 color=red face=Tahoma>Please select a file!</font></p>';
            }

        }else{
            $avaURL = 'images/avatars/default.png';
            $updateURL = mysql_query("UPDATE users SET avatar='$avaURL' WHERE id=$id");
            $avaMessage = '<p><font size=2 color=aqua face=Tahoma>Avatar Updated - Default.</font></p>';
        }
    }

Still not working even with the fixed 'POST' Lawrence...

Upvotes: 4

Views: 6938

Answers (2)

Lawrence Cherone

Reputation: 46610

Here's a secure & safe way to do it. A POST request needs checking; just checking $name is not enough. $username needs any special chars stripped, $id needs checking that it's set and is numeric, the file-specific type extension needs finding, allowed MIME types need cross-matching, plus width and height sizes need checking. Lots to think about: uploads can be extremely insecure, not to mention images can have PHP injected into the file comments and, if not handled correctly, it may get executed:

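<?php 

//$username and $id are expected to be set earlier in the script (e.g. from the session)
if($_SERVER['REQUEST_METHOD']=='POST' && isset($username) && isset($id) && is_numeric($id)
&& isset($_FILES['myfile']['error']) && $_FILES['myfile']['error']===UPLOAD_ERR_OK){

    $info    = getimagesize($_FILES['myfile']['tmp_name']);

    //allowed mime types (as reported by getimagesize) mapped to the extension to store;
    //the extension is taken from the detected type, not from the client-supplied name,
    //so an upload named something.php is never saved with a .php extension
    $allowed = array('image/png'=>'png','image/jpeg'=>'jpg','image/gif'=>'gif');

    if($info === false || $info[0] < 1 || $info[1] < 1 || !isset($allowed[$info['mime']])){
        //Not allowed
        $avaMessage = 'Please only submit image files!';
    }elseif($info[0] > 200 || $info[1] > 200){
        //not more than 200px
        $avaMessage = 'File dimensions too large.';
    }else{
        $move_to = "images/avatars/".preg_replace('/[^a-zA-Z0-9.-]/s', '_',$username).'.'.$allowed[$info['mime']];
        if(move_uploaded_file($_FILES['myfile']['tmp_name'],$move_to)){
            //mysql_* was removed in PHP 7; on current PHP use mysqli or PDO prepared statements
            mysql_query("UPDATE users
                         SET avatar='".mysql_real_escape_string($move_to)."' 
                         WHERE id=".(int)$id." AND owner='".mysql_real_escape_string($_SESSION['username'])."'");
            $avaMessage = 'Avatar Updated - Uploaded Image!.';
        }else{
            $avaMessage = 'Failed to write uploaded file to disk!';
        }
    }
}
?>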

<form action="" method="POST" enctype="multipart/form-data">
     <!--1 MB = 1048576 bytes-->
     <input type="hidden" name="MAX_FILE_SIZE" value="1048576" />

     <p>Upload your image:</p><p><input type="file" name="myfile"></p><br />
     <p><input type="radio" name="type" value="defaultDot">Use Default</p>
     <p><input type="submit" name="updateAvatar"></p>
</form>


UPDATE EDIT Here is an OOP version of the upload process, perhaps you will find it interesting, I added all possible errors too ;p

<?php 
Class updateUserAvatar{
    public $upload_path;
    public $full_path;
    public $name;
    public $size;
    public $ext;
    public $output;
    public $input;
    public $prefix;
    private $allowed;

    function upload(){
        if($_SERVER['REQUEST_METHOD'] == 'POST'){
            if(isset($_FILES[$this->input]['error'])){
                if($_FILES[$this->input]['error'] == 0){
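                    $this->name      = basename($_FILES[$this->input]['name']);
                    $info            = getimagesize($_FILES[$this->input]['tmp_name']);
                    //take the extension from the detected image type, not from the client-supplied name
                    $ext_map         = array('image/png'=>'png','image/jpeg'=>'jpg','image/gif'=>'gif');
                    $this->ext       = ($info !== false && isset($ext_map[$info['mime']])) ? $ext_map[$info['mime']] : '';
                    $this->full_path = rtrim($this->upload_path,'/').'/'.preg_replace('/[^a-zA-Z0-9.-]/s', '_', $this->prefix).'.'.$this->ext;
                    $this->size      = filesize($_FILES[$this->input]['tmp_name']);

                    if($info === false){
                        //getimagesize() could not read the file as an image
                        $this->output = 'File not supported!';
                    }elseif($info[0]>$this->allowed['dimensions']['width'] || $info[1] > $this->allowed['dimensions']['height']){
                        $this->output = 'File dimensions too large!';
                    }else{
                        if($info[0] > 0 && $info[1] > 0 && in_array($info['mime'],$this->allowed['types'])){
                            //only report success if the move actually worked
                            if(move_uploaded_file($_FILES[$this->input]['tmp_name'],$this->full_path)){
                                $this->output = 'Upload success!';
                            }else{
                                $this->output = 'Failed to write uploaded file to disk!';
                            }
                        }else{
                            $this->output = 'File not supported!';
                        }
                    }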
                }else{
                    if($_FILES[$this->input]['error']==1){$this->output = 'The uploaded file exceeds the upload_max_filesize directive!';}
                    if($_FILES[$this->input]['error']==2){$this->output = 'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in our HTML form!';}
                    if($_FILES[$this->input]['error']==3){$this->output = 'The uploaded file was only partially uploaded!';}
                    if($_FILES[$this->input]['error']==4){$this->output = 'No file was uploaded!';}
                    if($_FILES[$this->input]['error']==6){$this->output = 'Missing a temporary folder!';}
                    if($_FILES[$this->input]['error']==7){$this->output = 'Failed to write uploaded file to disk!';}
                    if($_FILES[$this->input]['error']==8){$this->output = 'A PHP extension stopped the file upload!';}
                }
            }
        }
    }

    function setPath($var){
        $this->upload_path = $var;
    }
    function setAllowed($var=array()){
        $this->allowed = $var;
    }
    function setFilePrefix($var){
        $this->prefix = preg_replace('/[^a-zA-Z0-9.-]/s', '_', $var);
    }
    function setFormInput($var){
        $this->input = $var;
    }
}//END CLASS


if(!isset($_POST['type']) || $_POST['type'] != "defaultDot"){
    //Setup
    $upload = new updateUserAvatar();
    $upload->setPath('./images/avatars/');
    $upload->setFilePrefix($username);
    //getimagesize() reports JPEG files as image/jpeg
    $upload->setAllowed(array('dimensions'=>array('width'=>200,'height'=>200),
                              'types'=>array('image/png','image/jpeg','image/gif')));
    $upload->setFormInput('myfile');
    $upload->upload();

    if($upload->output == 'Upload success!'){
        //do query (escape the path and force the id to an integer)
        $updateURL = mysql_query("UPDATE users SET avatar='".mysql_real_escape_string($upload->full_path)."' WHERE id=".(int)$id);
    }
    //message
    $avaMessage = $upload->output;
}else{
    $avaURL = 'images/avatars/default.png';
    $updateURL = mysql_query("UPDATE users SET avatar='$avaURL' WHERE id=$id");
    $avaMessage = '<p><font size=2 color=aqua face=Tahoma>Avatar Updated - Default.</font></p>';
}
?>

Upvotes: 1
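
Added example (not part of the answer above): one way to handle the PHP-in-image-comments risk the answer mentions is to re-encode the upload with GD and take the extension from the detected image type. The function name `sanitizeAvatar`, the sample username and the marker string are assumptions made for illustration.

```php
<?php
// Added example; sanitizeAvatar() and the sample data are hypothetical. Needs GD.

// Validate an upload, then write a re-encoded copy under a server-chosen name.
// Returns the stored path, or null when the file is rejected.
function sanitizeAvatar(string $tmpFile, string $username, string $destDir, int $maxDim = 200): ?string
{
    // The extension comes from the detected type, never from the client's file name.
    $extByType = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

    $info = @getimagesize($tmpFile);
    if ($info === false || !isset($extByType[$info[2]])) {
        return null; // not an accepted image type
    }
    if ($info[0] < 1 || $info[1] < 1 || $info[0] > $maxDim || $info[1] > $maxDim) {
        return null; // dimensions out of range
    }

    // Decode and re-encode: only pixel data is written out, so comments,
    // metadata and bytes appended after the image do not reach the stored file.
    $img = @imagecreatefromstring(file_get_contents($tmpFile));
    if ($img === false) {
        return null;
    }
    $safeName = preg_replace('/[^a-zA-Z0-9_-]/', '_', $username);
    $dest = rtrim($destDir, '/') . '/' . $safeName . '.' . $extByType[$info[2]];
    switch ($info[2]) {
        case IMAGETYPE_PNG:
            imagesavealpha($img, true); // keep transparency
            $ok = imagepng($img, $dest);
            break;
        case IMAGETYPE_JPEG:
            $ok = imagejpeg($img, $dest, 90);
            break;
        default:
            $ok = imagegif($img, $dest);
    }
    return $ok ? $dest : null;
}

// Constructed sample: a valid 16x16 PNG with a marker string appended to it.
$tmp = tempnam(sys_get_temp_dir(), 'ava');
imagepng(imagecreatetruecolor(16, 16), $tmp);
file_put_contents($tmp, '<?php /* constructed marker */ ?>', FILE_APPEND);

$stored = sanitizeAvatar($tmp, '../bob.php', sys_get_temp_dir());
var_dump($stored);                                                // path built from the sanitized name
var_dump(getimagesize($tmp) !== false);                           // does the raw upload pass getimagesize()?
var_dump(strpos(file_get_contents($stored), '<?php') !== false);  // is the marker in the stored copy?
```

Re-encoding flattens an animated GIF to a single frame. The avatars directory should also be configured so the web server never executes scripts from it.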

Julian

Reputation: 1542

I think http://php.net/manual/en/function.pathinfo.php will do what you need. Parse the $location and rebuild it, replacing the basename field with your $username.

Upvotes: 1
