I have my form:

<form name="subir_archivo" action="process.php" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="2097152">
  <input type="file" name="archivo">
  <input type="submit" value="Cargar Archivo">
</form>

Is it possible to know the file path before using move_uploaded_file() to upload that file?
Eh...? What? There won't BE any path, until you've actually uploaded the file - which will be uploaded to whatever temp-folder you've configured on your server, from which it can be moved when other checks are passed. None of which is happening in the form itself, but in the processing php-file.
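The flow that reply describes, as an added example (not code from anyone in this thread): a process.php that receives the form above, checks what PHP reports in $_FILES before touching the temporary file, and only then moves it. The field name "archivo" and the 2097152-byte limit come from the question; the upload directory, the accepted content types and the helper names are assumptions for the example.

```php
<?php
// Added example: process.php for the form in the question.
// UPLOAD_DIR, the accepted MIME list and the helper names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed destination, ideally outside the web root
const MAX_BYTES  = 2097152;                // same 2 MiB as the form's MAX_FILE_SIZE

/**
 * Validate the upload and return the temporary path PHP gave it.
 * Until this returns, the only path that exists is the server's temp file;
 * the client-side path is never sent to the server.
 */
function uploaded_csv_temp_path(array $files, string $field): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('No file field in request');
    }
    $f = $files[$field];

    // PHP reports upload problems in the error slot; check it before anything else.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $f['error']);
    }
    // MAX_FILE_SIZE in the form is advisory only; enforce the limit server-side.
    if ($f['size'] === 0 || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('File size out of range');
    }
    // Confirms the path really came from this request's upload, not a crafted value.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Do not trust the client-supplied type; sniff the bytes on disk instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv', 'application/csv'], true)) {
        throw new RuntimeException("Unexpected content type: $mime");
    }
    return $f['tmp_name'];
}

/**
 * Move the temp file to a name the server chose. The client's filename is
 * never used: it may carry path separators or a misleading extension.
 */
function store_upload(string $tmpPath): string
{
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.csv';
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

try {
    $tmp = uploaded_csv_temp_path($_FILES, 'archivo');
    // Content checks (row structure, field types) belong here, reading $tmp,
    // before the file is kept or anything is inserted into the database.
    $kept = store_upload($tmp);
    echo 'Stored as ' . basename($kept);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The point of is_uploaded_file() and of generating the destination name server-side is that neither the path nor the filename the browser sent is ever used to decide where a file ends up on disk.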
okay. I upload my file and read the records. If the structure is not correct, how do I validate that? I use this for reading my csv file.

// $registro is the handle from fopen() on the uploaded file, $BD the PDO connection
while (($data = fgetcsv($registro, 200, ",")) !== FALSE) {
    $sth = $BD->prepare("INSERT INTO tabla (codigo, nombre, cantidad) VALUES (:codigo, :nombre, :cantidad)");
    $codigo = $data[0];
    $nombre = $data[1];
    $cantidad = $data[2];
    $sth->bindParam(':codigo', $codigo);
    $sth->bindParam(':nombre', $nombre);
    $sth->bindParam(':cantidad', $cantidad);
    $sth->execute();
}
you will have to put some checks for values in data[0], data[1], data[2]. Do some sanity checks like values should not have bare single quotes or SQL injection attacks. PHP has a builtin function to cleanse such data just before inserting into DB.
To validate the content, you have to do quite a bit more than just check for file type. First, you should know what the expected values should be - text, numeric, float and so on. If it's text, then it's hard to validate the actual content without very strict definitions of what it's supposed to be, but if it's okay as long as it fits some generic criteria, and/or isn't empty, then it's not too hard to validate each value. Also, there is no need to create variables for something only used once (at least that's how it looks in the example):

$sth = $BD->prepare("INSERT INTO tabla (codigo, nombre, cantidad) VALUES (:codigo, :nombre, :cantidad)"); // declare the query outside the loop
while (($data = fgetcsv($registro, 200, ",")) !== false) { // no need to use caps on "false", caps are usually only used for constants and for mysql-queries (the actual SQL command words, not the content)
    //$codigo = $data[0]; // these are all unnecessary
    //$nombre = $data[1];
    //$cantidad = $data[2];
    //$sth->bindParam(':codigo', $data[0]);
    //$sth->bindParam(':nombre', $data[1]);
    //$sth->bindParam(':cantidad', $data[2]);
    // these can also be cut, if you're using PDO, by changing the execute to the following:
    $sth->execute([':codigo' => $data[0], ':nombre' => $data[1], ':cantidad' => $data[2]]);
}

That way you reduce 9 lines of code to 3 lines of code. However, this does not check the content in any way, which you might want to do - depending on what you expect, there are different ways you can verify the content of each variable, or array value.
You're using PDO, so you're mostly secure against direct injection attacks by using prepared statements. It's always good to do extra validation on variables being input into the database, but for simple functions like this you're mostly safe. Depends a bit on who's gonna upload these CSV-files. If it's in-house / controlled uploads, you're fine. If it's user-uploaded, then you might want to do a bit more. As for your question about more or less fields in the CSV, you will have to make sure that every CSV you upload has the correct amount of "containers" (each content-bit between each divisor). If you have less, and no error-check, the script will fail because the value won't be present. If you have more, or missing elements, you might insert the wrong bits in the wrong parts of the database.
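The two validation points raised in the last replies (knowing the expected type of each column, and checking that every row has exactly the right number of fields) as one added example that is not code from anyone in the thread. The column names codigo, nombre, cantidad and the $BD PDO connection come from the question; the per-column rules (codigo as a short alphanumeric code, nombre as bounded text, cantidad as a non-negative integer), the sample file and the helper names are assumptions for the example. The file is parsed and checked in full before a single INSERT runs, so a malformed line anywhere rejects the import instead of half-loading the table or shifting values into the wrong columns.

```php
<?php
// Added example: validate every row of the uploaded CSV before inserting anything.
// The per-column rules and the helper names are assumptions, not from the thread.
declare(strict_types=1);

const EXPECTED_FIELDS = 3;

/**
 * Check one CSV row. Returns a list of problems (empty list means the row is valid).
 * $data is what fgetcsv() returned; $line is only used in the messages.
 */
function validate_row(array $data, int $line): array
{
    $errors = [];
    // fgetcsv() returns [null] for a blank line; treat that as a bad row too.
    if (count($data) !== EXPECTED_FIELDS || $data[0] === null) {
        $errors[] = "line $line: expected " . EXPECTED_FIELDS . ' fields, got ' . count($data);
        return $errors;  // the indexes below would be meaningless
    }
    [$codigo, $nombre, $cantidad] = array_map('trim', $data);

    // codigo: non-empty and limited to the characters the application expects (assumed: A-Z, 0-9, dash)
    if ($codigo === '' || !preg_match('/^[A-Z0-9-]{1,20}$/', $codigo)) {
        $errors[] = "line $line: bad codigo '$codigo'";
    }
    // nombre: free text, but not empty and bounded so it fits the column
    if ($nombre === '' || mb_strlen($nombre) > 100) {
        $errors[] = "line $line: nombre empty or too long";
    }
    // cantidad: strictly an integer; "12abc", "1e3" and "" must all be rejected
    if (filter_var($cantidad, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
        $errors[] = "line $line: cantidad '$cantidad' is not a non-negative integer";
    }
    return $errors;
}

/**
 * Parse the whole file first. Returns [rows, errors]; rows are only used when
 * errors is empty, so one bad line aborts the whole import.
 */
function parse_csv(string $path): array
{
    $fh = fopen($path, 'r');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    $rows = [];
    $errors = [];
    $line = 0;
    while (($data = fgetcsv($fh, 0, ',')) !== false) {
        $line++;
        $rowErrors = validate_row($data, $line);
        if ($rowErrors !== []) {
            $errors = array_merge($errors, $rowErrors);
            continue;
        }
        [$codigo, $nombre, $cantidad] = array_map('trim', $data);
        // keyed array matches the named placeholders, as in the earlier reply
        $rows[] = [':codigo' => $codigo, ':nombre' => $nombre, ':cantidad' => (int) $cantidad];
    }
    fclose($fh);
    return [$rows, $errors];
}

/** Insert already-validated rows inside one transaction, so the table is all-or-nothing. */
function import_rows(PDO $BD, array $rows): int
{
    $sth = $BD->prepare('INSERT INTO tabla (codigo, nombre, cantidad) VALUES (:codigo, :nombre, :cantidad)');
    $BD->beginTransaction();
    try {
        foreach ($rows as $row) {
            $sth->execute($row);
        }
        $BD->commit();
    } catch (PDOException $e) {
        $BD->rollBack();
        throw $e;
    }
    return count($rows);
}

// Usage with a constructed sample file standing in for the real upload:
// line 2 has too few fields, line 3 has a non-numeric cantidad.
$sample = tempnam(sys_get_temp_dir(), 'csv');
file_put_contents($sample, "A-1,Tornillo,10\nB-2,Tuerca\nC-3,Arandela,doce\n");
[$rows, $errors] = parse_csv($sample);
unlink($sample);

if ($errors === []) {
    // $BD = new PDO(...) is configured elsewhere, as in the question
    // import_rows($BD, $rows);
} else {
    foreach ($errors as $msg) {
        echo $msg, PHP_EOL;   // report every problem; nothing was inserted
    }
}
```

Separating parse_csv() from import_rows() is what makes the "wrong bits in the wrong parts of the database" case impossible: a row with four fields, or with cantidad in the nombre position, never reaches the prepared statement, and a database error on row 200 rolls back rows 1 to 199.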