Insert | updating photo problem

hello
152 Replies
NIMA
NIMAOP3mo ago
$file_name = $_FILES['image']['name'];
$tempname = $_FILES['image']['tmp_name'];
$folder = 'images/'.$file_name;
$query = mysqli_query($conn , "UPDATE user SET user_image='$file_name' WHERE user_id='$name_update_id'");
$file_name = $_FILES['image']['name'];
$tempname = $_FILES['image']['tmp_name'];
$folder = 'images/'.$file_name;
$query = mysqli_query($conn , "UPDATE user SET user_image='$file_name' WHERE user_id='$name_update_id'");
when i want to update my profile user photo { there is no insert photo beffor } nothing will happen and only name will chenge to data base and nothing gonna add to my photos folder and when i try this
$file_name = $_FILES['image']['name'];
$tempname = $_FILES['image']['tmp_name'];
$folder = 'images/'.$file_name;

$query = mysqli_query($con , "INSERT INTO user (user_image) values ('$file_name')");
$file_name = $_FILES['image']['name'];
$tempname = $_FILES['image']['tmp_name'];
$folder = 'images/'.$file_name;

$query = mysqli_query($con , "INSERT INTO user (user_image) values ('$file_name')");
it will make new tabel with empty stuff and only with photo how can i add photo when im updating it and now inserting
ἔρως
ἔρως3mo ago
use upload_file_move() after validating it is an actual image
NIMA
NIMAOP3mo ago
it will work in updating ? and add to photos folder?
ἔρως
ἔρως3mo ago
no, it will move the file to the folder
NIMA
NIMAOP3mo ago
let me test and see what will happen
ἔρως
ἔρως3mo ago
you have to validate the file first try to read it try to resize it try to save that copy to the folder you want, with a random name
NIMA
NIMAOP3mo ago
i cut all part cuse in first it should work and then i add them agine
ἔρως
ἔρως3mo ago
alright and you should use prepared statements
NIMA
NIMAOP3mo ago
nice it work if(move_uploaded_file($tempname,$folder)){ echo 'file uplode fix'; } else{ echo 'file not fix !!!!!!!'; } tnx for help i was stuck in this part for long time
ἔρως
ἔρως3mo ago
you're welcome but this is extremely unsafe and you can kill the server easily
NIMA
NIMAOP3mo ago
i dont add it to website yet and now its working i need to add the limits and prepared statements ...
ἔρως
ἔρως3mo ago
which server do you use? apache? nginx? something else? dont know?
NIMA
NIMAOP3mo ago
linux :linux:
ἔρως
ἔρως3mo ago
no, the server software
NIMA
NIMAOP3mo ago
hmm BISTON i think
ἔρως
ἔρως3mo ago
biston?
NIMA
NIMAOP3mo ago
i think yes i buy it from parshost
NIMA
NIMAOP3mo ago
پارس هاست
پارس هاست - خرید هاست, ثبت دامنه, سرور مجازی و اختصاصی ایران
ثبت دامنه و خرید هاست لینوکس و ویندوز با قیمت ارزان وسرعت بالا. خرید هاست نامحدود, وردپرس, دامنه و سرور مجازی, اختصاصی - خرید هاست با پشتیبانی 24/7.
ἔρως
ἔρως3mo ago
i tried to read that, but chrome translated it to a burchered portuguese-like mess :/ do you have an .htaccess file in your host?
NIMA
NIMAOP3mo ago
i dont think so i have cpannel
ἔρως
ἔρως3mo ago
i know, you showed it the other day
NIMA
NIMAOP3mo ago
No description
ἔρως
ἔρως3mo ago
and you have any files?
NIMA
NIMAOP3mo ago
yes
NIMA
NIMAOP3mo ago
No description
ἔρως
ἔρως3mo ago
no htaccess file if you create one and type gibberish, does the site stop working?
NIMA
NIMAOP3mo ago
ha ? i cant undestand i make a file name htaccess ?
ἔρως
ἔρως3mo ago
.htaccess and type something inaide inside any nonsense
NIMA
NIMAOP3mo ago
i cant create it
ἔρως
ἔρως3mo ago
thats fine
NIMA
NIMAOP3mo ago
what is thath ? what it will do ?
ἔρως
ἔρως3mo ago
.htaccess files are used by apache, to configure it the idea is to set the folder with images to only allow images to be served, and anything that might end up there will be sent as text
NIMA
NIMAOP3mo ago
ohh its only in apache ?
ἔρως
ἔρως3mo ago
yes
NIMA
NIMAOP3mo ago
its nice option
ἔρως
ἔρως3mo ago
yeah, if it worked this is an important security option, as it prevents that an image.jpeg.php is executed
NIMA
NIMAOP3mo ago
is it good now for saifty ?
if($row["user_ip"] == $user_ip){

$res = mysqli_query($conn, "SELECT user_image FROM user where user_id = '$name_update_id'");
while($row = mysqli_fetch_assoc($res) ){


$xxxx = $row["user_image"];
if( $xxxx == 'profile_pic_defult.png'){
unlink('images/');
$conn->query($sql) ;
}else{
unlink('images/'.$xxxx);
$conn->query($sql) ;
}



}

$file_name = $_FILES['image']['name'];
$tempname = $_FILES['image']['tmp_name'];
$folder = 'images/'.$file_name;
$imageFileType = strtolower(pathinfo($file_name,PATHINFO_EXTENSION));
if ($_FILES["image"]["size"] > 500000) {
header("Location: index.php");
exit();
}
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" && $imageFileType != "gif" ) {
header("Location: index.php");
exit();
}

$stmt = $conn->prepare("UPDATE user SET user_image=(?) WHERE user_id='$name_update_id'");
$stmt->bind_param("s", $file_name);
$$file_name = $file_name;
$stmt->execute();
if(move_uploaded_file($tempname,$folder)){
echo 'file uplode fix';
} else{
echo 'file not fix !!!!!!!';
}
}
if($row["user_ip"] == $user_ip){

$res = mysqli_query($conn, "SELECT user_image FROM user where user_id = '$name_update_id'");
while($row = mysqli_fetch_assoc($res) ){


$xxxx = $row["user_image"];
if( $xxxx == 'profile_pic_defult.png'){
unlink('images/');
$conn->query($sql) ;
}else{
unlink('images/'.$xxxx);
$conn->query($sql) ;
}



}

$file_name = $_FILES['image']['name'];
$tempname = $_FILES['image']['tmp_name'];
$folder = 'images/'.$file_name;
$imageFileType = strtolower(pathinfo($file_name,PATHINFO_EXTENSION));
if ($_FILES["image"]["size"] > 500000) {
header("Location: index.php");
exit();
}
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" && $imageFileType != "gif" ) {
header("Location: index.php");
exit();
}

$stmt = $conn->prepare("UPDATE user SET user_image=(?) WHERE user_id='$name_update_id'");
$stmt->bind_param("s", $file_name);
$$file_name = $file_name;
$stmt->execute();
if(move_uploaded_file($tempname,$folder)){
echo 'file uplode fix';
} else{
echo 'file not fix !!!!!!!';
}
}
ἔρως
ἔρως3mo ago
not really, no
NIMA
NIMAOP3mo ago
😳
ἔρως
ἔρως3mo ago
you have a mix of snake oil with an almost ok attempt at validating a file if($row["user_ip"] == $user_ip){ <-- this is horrible
NIMA
NIMAOP3mo ago
No
ἔρως
ἔρως3mo ago
yes, very
NIMA
NIMAOP3mo ago
i mean
ἔρως
ἔρως3mo ago
in terms of safety, it does absolutely nothing at all, and just causes problems for the users
NIMA
NIMAOP3mo ago
i do this so who care a profile can only edit it with the same ip
ἔρως
ἔρως3mo ago
here's how to change my ip in 3 seconds: - have a phone - turn off wifi
NIMA
NIMAOP3mo ago
ye ye i know thath but cuse i dont add login and register i just add this for test so other people dont remove other people post i dont make it for total security
ἔρως
ἔρως3mo ago
why aren't you developing locally?
NIMA
NIMAOP3mo ago
what u mean
ἔρως
ἔρως3mo ago
develop locally, not in an hosted server online
NIMA
NIMAOP3mo ago
for now yes i dont put in the host cuse im updating it after it finished i put it in my host
ἔρως
ἔρως3mo ago
ok, but that's still just a case of cheeto security
NIMA
NIMAOP3mo ago
what that mean the security is bad for the ip thing ?
ἔρως
ἔρως3mo ago
No description
NIMA
NIMAOP3mo ago
🤣
ἔρως
ἔρως3mo ago
it looks safe, but it does nothing
NIMA
NIMAOP3mo ago
u mean the ip part or the uplode part
ἔρως
ἔρως3mo ago
yes that does absolutely nothing
NIMA
NIMAOP3mo ago
ye but other people cant remove each other post but if their ip chenge they cant get acces to their page too
ἔρως
ἔρως3mo ago
people can't remove their own post in this case, image which makes it pretty horrible in terms of usability
NIMA
NIMAOP3mo ago
No description
NIMA
NIMAOP3mo ago
the blue background mean this is match to ur ip and u can edit or dealet it
ἔρως
ἔρως3mo ago
also, what if you need to delete or edit someone else's image?
NIMA
NIMAOP3mo ago
u cant only me i can from data base or the user with hes ip [ the ip when he create hes user ]
ἔρως
ἔρως3mo ago
for example, someone puts rounchy images as the profile image as a platform provider, by the european law, you're required to moderate it
NIMA
NIMAOP3mo ago
i will dealet it very fast from data base i realy cant do anything about it until i chenge it to login and register system or i make report button for it if 5 people with diffrent ip report the photo it get dealet and only photo get dealet not the user this is only thing i can do for now with ip system
ἔρως
ἔρως3mo ago
that's why it's absolutely horrible you, as the owner, should have the possibility to do anything you need to do
NIMA
NIMAOP3mo ago
ye even if the user ip get cheange he cant acces to hes page anymore ...
ἔρως
ἔρως3mo ago
an user, a lowly one, should be allowed to only edit the profile of that user regardlress of the ip
NIMA
NIMAOP3mo ago
do u think is good to put the report button ?
ἔρως
ἔρως3mo ago
why? you made it so you can't edit anything
NIMA
NIMAOP3mo ago
u can edit ur own profile but people cant like other soical apps like instagram and ... the owner of page can but other people cant
ἔρως
ἔρως3mo ago
that is how it should work forget ip verification and bs you can use it to check the country and for logs, that's very important
NIMA
NIMAOP3mo ago
ye thats why no one use this ip system
ἔρως
ἔρως3mo ago
yes, because it sucks it's not safe, it's not user friendly, it's just ... a cheeto
NIMA
NIMAOP3mo ago
ye i bulid this project for test cuse i never do any other porject with php
ἔρως
ἔρως3mo ago
i noticed you arent using any session variables
NIMA
NIMAOP3mo ago
i only use POST
ἔρως
ἔρως3mo ago
how do you know the user is allowed to upload? how do you know the user exists at all? how do you know the user is logged in?
NIMA
NIMAOP3mo ago
i dont put any of this
ἔρως
ἔρως3mo ago
which is what you should have done
NIMA
NIMAOP3mo ago
if someone dealet the page it gonna gone for ever and dealet from tabel and all stuff
ἔρως
ἔρως3mo ago
that's not what im saying
NIMA
NIMAOP3mo ago
i put a serch button u can serch the id of the page if its not looding anything its mean its dealted or wrong
ἔρως
ἔρως3mo ago
im saying you're not validating if the user is logged in and which user uploaded the image
NIMA
NIMAOP3mo ago
and there is no login if u come to my page with the ip u create the user u can see ur profile with blue back ground
ἔρως
ἔρως3mo ago
you're not listening to me point me to the line where you update the image of the user that is logged in
NIMA
NIMAOP3mo ago
No description
NIMA
NIMAOP3mo ago
is ip match and click in edit button he come in this page
ἔρως
ἔρως3mo ago
so, the script is just for you, and not for the user itself?
NIMA
NIMAOP3mo ago
it is if user ip = the old ip at the first create of account = u can enter this page for update ONLY ur account
ἔρως
ἔρως3mo ago
then this is missing code
NIMA
NIMAOP3mo ago
i will finish the part and put in the website
ἔρως
ἔρως3mo ago
no, at the top there's code missing
NIMA
NIMAOP3mo ago
YES its long i think i cant send it hear let me try
ἔρως
ἔρως3mo ago
you can split it into multiple messages
NIMA
NIMAOP3mo ago
ok
ἔρως
ἔρως3mo ago
or send the file
NIMA
NIMAOP3mo ago
ἔρως
ἔρως3mo ago
that's a mess and a security nightmare because you're receiving the user id from POST
NIMA
NIMAOP3mo ago
🤣 i put very IF i need use sesions right ?
ἔρως
ἔρως3mo ago
yes, you do
NIMA
NIMAOP3mo ago
i totaly forget about it can people chenge the value and put sql injecshen code at my code rn ? cuse it getting for input
ἔρως
ἔρως3mo ago
probably
NIMA
NIMAOP3mo ago
i think thats the only part i need to put sessions cuse other part user need to send
ἔρως
ἔρως3mo ago
the first query has security issues you don't use prepared statements
NIMA
NIMAOP3mo ago
ohhh even SELECT need prepared statements ?
ἔρως
ἔρως3mo ago
EVERYTHING
NIMA
NIMAOP3mo ago
i only use them for INSERT i will cheange all of them to prepared statements
ἔρως
ἔρως3mo ago
you know what i can do? '"; drop table user; this this is enough to ruin your website
NIMA
NIMAOP3mo ago
😭 in all inputs?
ἔρως
ἔρως3mo ago
in the id
NIMA
NIMAOP3mo ago
or only the qurry with no prepared statements
ἔρως
ἔρως3mo ago
any and every single query you didn't use protected statements
NIMA
NIMAOP3mo ago
ohhh the id will be connect to data base
ἔρως
ἔρως3mo ago
anything you put into the query, is a possible hole
NIMA
NIMAOP3mo ago
ye i just understand it if i put session and protected statements it will be good for now ?
ἔρως
ἔρως3mo ago
no, not even close
NIMA
NIMAOP3mo ago
what other thing u can recommend to fix
ἔρως
ἔρως3mo ago
fix this, then we talk
NIMA
NIMAOP3mo ago
Aright tnx for helping
ἔρως
ἔρως3mo ago
you're welcome by the way, why did you do ... this:
$name_update_id = $_POST['name_update_id'];

$username_update = $_POST['username_update'];
$userage_update = $_POST['userage_update'];
$userphone_update = $_POST['userphone_update'];

$usergmail_update = $_POST['usergmail_update'];
$usercountry_update = $_POST['usercountry_update'];

$usercountry_job = $_POST['usercountry_job'];

$telgram_user = $_POST['telgram_user'];
$instagram_user = $_POST['instagram_user'];
$twiter_user = $_POST['twiter_user'];
$website_user = $_POST['website_user'];
$name_update_id = $_POST['name_update_id'];

$username_update = $_POST['username_update'];
$userage_update = $_POST['userage_update'];
$userphone_update = $_POST['userphone_update'];

$usergmail_update = $_POST['usergmail_update'];
$usercountry_update = $_POST['usercountry_update'];

$usercountry_job = $_POST['usercountry_job'];

$telgram_user = $_POST['telgram_user'];
$instagram_user = $_POST['instagram_user'];
$twiter_user = $_POST['twiter_user'];
$website_user = $_POST['website_user'];
NIMA
NIMAOP3mo ago
hmm so i can use them
ἔρως
ἔρως3mo ago
🤦 you can use them already you also misspelled telegram and twitter
NIMA
NIMAOP3mo ago
its will be eazyer
ἔρως
ἔρως3mo ago
also, why do you have separated fields for each social network?
NIMA
NIMAOP3mo ago
No description
NIMA
NIMAOP3mo ago
there is a eye button it will direct people at this page and they can see more stuff about the user
ἔρως
ἔρως3mo ago
that's not what i mean
NIMA
NIMAOP3mo ago
oh
ἔρως
ἔρως3mo ago
why isn't it in a different table? some people don't have any some people have 1 or 2 some people have others
NIMA
NIMAOP3mo ago
they can put it empty
ἔρως
ἔρως3mo ago
that's not the point
NIMA
NIMAOP3mo ago
i put all the stuff only in 1 tabel
ἔρως
ἔρως3mo ago
the point is ... in 5 years, you will have 5000 columns for every single social network and that doesn't work normalize the table, and create 2 tables: social_networks and user_social_networks
NIMA
NIMAOP3mo ago
im thnking about remove all and add more photo of each soical networks so people can select each one they want
ἔρως
ἔρως3mo ago
inside social_network, you put all the information about the networks: logo, name, label, something else inside user_social_networks, you put the user id, the social network id and the url and that is how you do a proper normalization of the social networks for users
NIMA
NIMAOP3mo ago
ye i should do thath cuse there is soo many stuff in only 1 tabel rn
NIMA
NIMAOP3mo ago
No description
ἔρως
ἔρως3mo ago
you're putting too much because you're not following the normalization rules for the database
NIMA
NIMAOP3mo ago
at first it was only 4 row and then i add more and i dont add more tabel only put all in 1
ἔρως
ἔρως3mo ago
do you need to store the ip there? the ip should be in a log, not there
NIMA
NIMAOP3mo ago
in log ?
ἔρως
ἔρως3mo ago
image, job, country, phone, age and name can be in a separate table
NIMA
NIMAOP3mo ago
ye i will fix all after i fix the prepared statements
ἔρως
ἔρως3mo ago
alright
NIMA
NIMAOP3mo ago
i store the first ip [ the ip user create the first page ] and ip wont updated
ἔρως
ἔρως3mo ago
that is even worse, and doesn't belong there
NIMA
NIMAOP3mo ago
if i put the $user_id in session i wont need prepared statements anymore ? cuse it wont get anything from input anymore
ἔρως
ἔρως3mo ago
yes, you do let me explain this straight prepared statements are NOT optional
NIMA
NIMAOP3mo ago
:agree:
ἔρως
ἔρως3mo ago
if you don't send any inputs, or manually enter the input, then you may skip prepared statements by the way, you really should use pdo
Want results from more Discord servers?
Add your server