Multiple upload images PHP and Mysql

creeds · January 24, 2016, 5:40pm

Below code uploads images one by one. I want to upload multiple images!

    <?php
//config
        require("./configuration.php");
       
        	$id = $_GET['id'];
        	$q = mysql_query("SELECT * FROM books WHERE id='$id'") or die(mysql_error());
        	$row = mysql_fetch_array($q);
        	$name = $row['name'];
        	echo '<div class="center-top"> NAME: <strong style="font-size:22px;">'.$name.'</strong>  </div>';
        //begin upload
        if(isset($_POST['submit'])) 
        {
        	
        	$title = htmlspecialchars($_POST['title'],ENT_QUOTES);
        		$path = "./upload/images/";
        		$name_pic = $_FILES['file']['name'];
                $ext = strtolower(substr(strrchr($name_pic, "."), 1));
                $allow = array("jpg", "jpeg", "JPG", "JPEG", "png", "gif");
        	   $uptype = ($_FILES['file']['tmp_name']);
                if (in_array($ext, $allow))
        		{

//md5 hash for random image name

        			   $rand = rand(0,10000);
        			   $md5  = md5($rand);
        			   $new_file_name = "{$md5}.{$ext}";
        			   $move_file = move_uploaded_file($_FILES['file']['tmp_name'], $path.$new_file_name);
        			   if($move_file) {
        					mysql_query("INSERT INTO images (id, link, title, bid)
        					VALUES (NULL, '$new_file_name', '$title', '$id')") or die (mysql_error());
        					echo "<div class='yes'>succesfully added!</div>";	
        }}}
    
        echo '
    	//form uploads
        <form method="post" action="images.php?id='.$id.'"  enctype="multipart/form-data"> 
        <br />title: <br /><input type="text" name="title" value="'.$name.'"/><br />
        <br /><br/><input name="file" type="file" />
        <br /><input type="submit" name="submit" value="UPLOAD" /><br /><br />
        </form>

//end form
';
?>

With this code delete an image:

<?php
$id = $_GET['id']; 
$result = mysql_query("DELETE FROM images WHERE `id`='$id'");
echo "<div class='yes'>successfully deleted picture!</div>";
?>

SamA74 · January 24, 2016, 6:05pm

Then your form will want multiple inputs to create an array of files and tiles.

Plus, some words of warning.
Mysql is now extinct and has been removed from php. You should be using either Mysqli or PDO.
Also passing the id on as a url variable and inserting the un-sanitized $_GET into an sql statement is extremely insecure.
Better to pass it by $_POST via a hidden form field and then sanitize, before putting it into a statement. Using a prepared statement is another line of defence against sql injection.

creeds · January 24, 2016, 6:09pm

Yes I want to upload multiple files!
I know for that mysql is unsecure but I think I can’t use mysql and mysqli at same time in script.
Can you help?

felgall · January 24, 2016, 6:14pm

You need to get rid of the mysql and only use mysqli - the mysql interface no longer exists, it was deleted from PHP last year.

SamA74 · January 24, 2016, 6:17pm

You should not be using mysql at all. Use only mysqli or pdo.

It is not so much that mysql is insecure, but the way you are using it.

Php is not my area of expertise, I’m sure other can advise you better, but I do know enough to spot the huge security hole in the script.
If the id is an integer, which I imagine it will be, it can easily be sanitized to remove any unwanted characters.

$id = preg_replace('#[^0-9]#i', '', $_POST["id"]) ;

You should also check the string is not empty after this.

system · May 26, 2016, 12:59am

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.