File upload form

Hey guys, I am really a newbie at PHP but having gone through the online course and reading and studing Kevin’s book gave me the confidence to try to build a site for a file upload. Here is the basic thoughts for the site:

Select from 5 distinct stock pictures (figured a radio style of input here), or

Upload a custom image file for your card (the code from chapter 10 in Kevin’s book Building Website using PHP and Mysql works great here. Allows me to list and delete files as well as include a description), then

Provide your name and address for us to ship the cards you select to.

I have been able to get the form to do the file upload using Kevin’s script- no problem- also can get my script to add the name, etc to my database but I can’t get it to do both.

I have omitted the security parts of the code such as htmlspecialchars until I get the form to work. Also client-side and server-side validation will also come later. Thanks for the help.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="" xml:lang="en" lang="en">
		<title>PHP/MySQL File Upload for LSU/SVM</title>
		<meta http-equiv="content-type"
				content="text/html; charset=utf-8" />
<link rel="stylesheet" href="scripts/upload_form.css" type="text/css" />
<script src="../jquery-1.3.2.min.js" type="text/javascript"></script>
<script src="../jquery.metadata.js" type="text/javascript"></script>
<script src="../jquery.validate.js" type="text/javascript"></script>
<script type="text/javascript"></script>
    <div id="container">
<div class="formcontainer">

   <form action="http://localhost/stocklist2.php" method="post" name="address" enctype="multipart/form-data" >
    <input type="radio" class="stockselect" name="stock" value="wild" /><img src="../water_lillies.jpg" />
	<input type="radio" class="stockselect2" name="stock" value="cat" /><img src="../water_lillies.jpg" />
	<input type="radio" class="stockselect2" name="stock" value="dog" /><img src="../water_lillies.jpg" />
	<input type="radio" class="stockselect" name="stock" value="horses" /><img src="../water_lillies.jpg" /><br />
    <div id="customform"><p>Click here to upload your pet's picture.</p>

   <input type="file" id="upload" name="upload" value="custom"  /></div>
     <p><h4 class="pictext">Thank you for your generous donation. If you would like to have your 			cards made with your favorite photo of your choosing pick the custom option. Otherwise just 	select one from our stock list that you like and we will get them out to you right away.
 <p><label for="firstname">First name</label>
    <input type="text" name="firstname" id="firstname" /></p>
    <p><label for="lastname">Last name</label>
    <input type="text" name="lastname" id="lastname"  /></p>
    <p><label for="street">Street</label>
    <input type="text" name="street" id="street"  /></p>
   <p class="rightside"><label for="city">City</label>
    <input type="text" name="city" id="city" /></p>
    <p class="rightside2"><label for="state">State</label>
    <input type="text" name="state" id="state" /></p>
    <p class="rightside3"><label for="zip">Zipcode</label>
    <input type="text" name="zip" id="zip" /></p>
	 	<input type="submit" value="Enter" name="address" class="enterbtn"/>
             <input type="hidden" name="action" value="upload"/>


and the PHP

 $dbcnx = @mysql_connect('localhost', 'root', 'print01');
 	if (!$dbcnx) {
		exit('<p>Unable to connect to the' . 'database server at this time.</p>');
	if (!@mysql_select_db('ijdb')) {
		exit('<p>Unable to locate the joke' . 'database at this time.</p>');
	if (isset($_GET['action'])) {
		$action = $_GET['action'];
		$action = '';
if (($action == 'view' or $action == 'dnld') and 
	isset($_GET['id'])) {
	$id = $_GET['id'];
//user is retrieving file
$sql = "SELECT filename, mimetype, filedata
	FROM filestore WHERE id = 'id'";
	$result = @mysql_query($sql);
if (!$result) {
	exit('Database error: ' . mysql_error());	
$file = mysql_fetch_array($result);
	if (!$file) {
	  exit ('File with given ID not found in database!');
	 $filename = $file['filename'];
	 $mimetype = $file['mimetype'];
	 $filedata = $file['filedata'];
	 $disposition = 'inline';
if ($action == 'dnld') {
	$disposition = 'attachment';
	if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE 5') or
		strops($_SERVER['HTTP_USER_AGENT'], 'Opera 7')) {
		$mimetype = 'application/x-download';
header("content-disposition: $disposition; filename=$filename");
header("content-type: $mimetype");
header('content-length: ' . strlen($filedata));

echo $filedata;
} elseif ($action == 'del' and isset($_GET['id'])) {
	$id = $_GET['id'];
//user is deleting a file
$sql = "DELETE FROM filestore WHERE id = '$id'";
$ok = @mysql_query($sql);
if (!$ok) {
	exit('Database error: ' . mysql_error());
	header('location: ' . $_SERVER['PHP_SELF']);
} elseif (isset($_FILES['upload'])) {
	//bail out if the file isn't really an upload
	if (!is_uploaded_file($_FILES['upload']['tmp_name'])) {
	exit('There was no file uploaded!');
$uploadfile = $_FILES['upload']['tmp_name'];
$uploadname = $_FILES['upload']['name'];
$uploadtype = $_FILES['upload']['type'];
$uploaddesc = $_POST['desc'];

//open file for binary reading ('rb')
$tempfile = fopen($uploadfile, 'rb');

//read the entire file into memory using PHP's
//filesize function to get the file size
$filedata = fread($tempfile, filesize($uploadfile));

//prepare for database insert by adding backslashes
//before special characters.
$filedata = addslashes($filedata);

//create the sql query
$sql = "INSERT INTO filestore SET
	filename = '$uploadname',
	mimetype = '$uploadtype',
	description = '$uploaddesc',
	filedata = '$filedata'";
//perform the insert
$ok = @mysql_query($sql);
	if (!$ok) {
	exit('Database error storing file: ' . mysql_error());
	header('location: ' . $_SERVER['PHP_SELF']);
//default page view: list stored files
$sql = 'SELECT id, filename, mimetype, description
	FROM filestore';
$filelist = @mysql_query($sql);
if (!$filelist) {
	exit('Database error: ' . mysql_error());

//end of Kevin's code	
if (isset($_POST['add']))
	$firstname = $_POST['firstname'];	
	$lastname = $_POST['lastname'];
	$street = $_POST['street'];
	$street2 = $_POST['street2'];
	$city = $_POST['city'];
	$state = $_POST['state'];
	$zip = $_POST['zip'];
$add = "INSERT INTO address SET
	$ok = @mysql_query($add);
	if (!$ok) {
	exit('Database error storing file: ' . mysql_error());

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>

<p>Thanks for generous donation.</p>

					<th>File name</th>
				if (mysql_num_rows($filelist) > 0) {
				  while ($f = mysql_fetch_array($filelist)) {
				<tr valign="top">
						<a href="<?php echo $_SERVER['PHP_SELF'];
						?>?action=view&amp;id=<?php echo $f['id']; ?>">
                        <?php echo $f['filename']; ?></a>
                        <td><?php echo $f['mimetype']; ?></td>
                        <td><?php echo $f['description']; ?></td>
                        [<a href="<?php echo $_SERVER['PHP_SELF'];
						?>?action=dnld&amp;id=<?php echo $f['id']; ?>"
                        >Download</a> | 
                        <a href="<?php echo $_SERVER['PHP_SELF'];
						?>?action=del&amp;id=<?php echo $f['id']; ?>"
                        onclick="return confirm('Delete this file?');"
} else {
	<tr><td colspan="3">No Files!</td></tr>
echo "Thank you. Check your name and address.<p>Firstname:  $firstname</p><p>Lastname:  $lastname</p><p>Address:  $street<br> $street2<br>$city<br> $state<br>$zip</p>";