I'm a little stuck and am writing the last page in a Property Maintenance CMS. Any chance of some help:

```php
<?php
define("access",true);
require('database.php');
if(status() == false) {
    header('Location: index.php');
    exit;
}
access();
if(!empty($_GET['action'])) {
    $action = html($_GET['action']);
}
switch ($action) {
    case report:
        head($_SESSION['access']);
        $size = 2*1048576; // first number is number of mb to upload
        if(!empty($_POST['add'])){
            $errors = '';
            if(isset($_FILES['files'])) {
                $errors= array();
                foreach($_FILES['files']['tmp_name'] as $key => $tmp_name ){
                    $file_name = $key.$_FILES['files']['name'][$key];
                    $file_size =$_FILES['files']['size'][$key];
                    $file_tmp =$_FILES['files']['tmp_name'][$key];
                    $file_type=$_FILES['files']['type'][$key];
                    if($file_size > $size){
                        $errors[]='File size must be less than 2 MB';
                    }
                    $desired_dir = mysql_query("SELECT `houseid` FROM users WHERE `username` = '".$_SESSION['username']."';");
                    $desired_dir = mysql_fetch_array($location);
                    $desired_dir = 'uploads/'.$desired_dir['houseid'];
                    $photos = $photos.'||'.$file_name.$file_type;
                    if(empty($errors)==true){
                        if(is_dir($desired_dir)==false){
                            mkdir("$desired_dir", 0700);
                        }
                        if(is_dir("$desired_dir/".$file_name)==false){
                            move_uploaded_file($file_tmp,"user_data/".$file_name);
                        }else{
                            $new_dir="user_data/".$file_name.time();
                            rename($file_tmp,$new_dir) ;
                        }
                    }
                }
            }
            if(empty($errors)) {
                $issue = html($_POST['issue']);
                $notes = html($_POST['notes']);
                $priority = html($_POST['priority']);
                $date = date("d.m.y");
                $user = $_SESSION['username'];
                $location = mysql_query("SELECT * FROM `users` WHERE `username` = '$user'");
                $location = mysql_fetch_array($location);
                $locid = $location['houseid'];
                mysql_query("INSERT INTO `work` (`id`, `contractor`, `location`, `issue`, `dateraised`, `datestart`, `datefinish`, `status`, `priority`, `notes`, `confirmed`, `photos`) VALUES (NULL, '', '$locid', '$issue', '$date', '', '', '0', '$priority', '$notes', '0', '$photos');") or die(mysql_error());
                echo "<tr><td>Work added. Please note this will display as unconfirmed and will be updated by Maintenace.<br/>To Report another issue please complete the form below.<br/><a href='home.php'>Click here</a> to view all reported maintenance.</td></tr>";
                $issue = '';
                $notes = '';
                $priority ='1';
            }
        }
        if(!empty($error)) {
            echo '<tr><td colspan="2">The following errors occured:<br/>'.$error.'</td></tr>';
        }
        echo '<form method="post" action="home.php?action=report">
            <tr>
                <td>Issue<br/><span class="small">Please report issues individually.</span></td>
                <td><textarea name="issue" id="issue" cols="45" rows="5">'.$issue.'</textarea></td>
            </tr>
            <tr>
                <td>Notes</td>
                <td><textarea name="notes" id="notes" cols="45" rows="5">'.$notes.'</textarea></td>
            </tr>
            <tr>
                <td>Priority</td>
                <td><select name="priority" id="priority">';
        for ($i=1; $i<=5; $i++) {
            if($i == $priority) {
                echo "<option value='$i' selected='selected'>$i</option>";
            } else {
                echo "<option value='$i'>$i</option>";
            }
        }
        echo ' </select></td>
            </tr>
            <tr><td colspan="2">If you wish to add photos, please select and upload below:</tr>
            <tr>
                <td>Upload Photos</td>
                <td><input type="file" name="files[]" multiple/></td>
            </tr>
            <tr>
                <td colspan="2" align="center"><input type="hidden" name="add" id="add" value="1"/><input type="submit" name="button" id="button" class="reset" value="Report Maintenance!" /></td>
            </tr>
        </form>';
        foot($_SESSION['access']);
        break;
}
?>
```

Thanks in advance
Change the following:

```html
<td><input type="file" name="files[]" multiple/></td>
```

To:

```html
<td><input type="file" name="files" multiple/></td>
```

Although, "multiple" doesn't work in older versions of IE.

crivion, it should be 0755. World-writable files are not a good idea.
You say it's for image uploading, but I see no checks in the code to verify it's an image. Looking briefly it seems I can upload any file type I want to your server. I'd recommend checking out http://hungred.com/useful-information/secure-file-upload-check-list-php/
Thanks for the answers. I will edit the PHP and try on Monday; I will set the chmod to 755 and change the input type. Kulik, cheers for that, I will add a security check for the file type, limiting it to images.
I have updated the html and php, added a security check, although it still fails to work:

```php
<?php
define("access",true);
require('database.php');
require('functions.php');
if(status() == false) {
    header('Location: index.php');
    exit;
}
if(!empty($_GET['action'])) {
    $action = html($_GET['action']);
}
switch ($action) {
    case report:
        head($_SESSION['access']);
        $size = $filesize*1048576; // first number is number of mb to upload
        if(!empty($_POST['add'])){
            $errors = '';
            if(isset($_FILES['files'])) {
                $errors= array();
                foreach($_FILES['files']['tmp_name'] as $key => $tmp_name ){
                    $file_name = $key.$_FILES['files']['name'][$key];
                    $file_size =$_FILES['files']['size'][$key];
                    $file_tmp =$_FILES['files']['tmp_name'][$key];
                    $file_type=$_FILES['files']['type'][$key];
                    if(in_array($file_type,$types)) {
                        $errors[]='This type of file cannot be uploaded.';
                    }
                    if($file_size > $size){
                        $errors[]="File size must be less than $filesize MB";
                    }
                    $desired_dir = mysql_query("SELECT `houseid` FROM users WHERE `username` = '".$_SESSION['username']."';");
                    $desired_dir = mysql_fetch_array($location);
                    $desired_dir = 'uploads/'.$desired_dir['houseid'];
                    $photos = $photos.'||'.$file_name.$file_type;
                    if(empty($errors)==true){
                        if(is_dir($desired_dir)==false){
                            mkdir("$desired_dir", 755);
                        }
                        if(is_dir("$desired_dir/".$file_name)==false){
                            move_uploaded_file($file_tmp,"user_data/".$file_name);
                        }else{
                            $new_dir="user_data/".$file_name.time();
                            rename($file_tmp,$new_dir) ;
                        }
                    }
                }
            }
            if(empty($errors)) {
                $issue = html($_POST['issue']);
                $notes = html($_POST['notes']);
                $priority = html($_POST['priority']);
                $date = date("d.m.y");
                $user = $_SESSION['username'];
                $location = mysql_query("SELECT * FROM `users` WHERE `username` = '$user'");
                $location = mysql_fetch_array($location);
                $locid = $location['houseid'];
                mysql_query("INSERT INTO `work` (`id`, `contractor`, `location`, `issue`, `dateraised`, `datestart`, `datefinish`, `status`, `priority`, `notes`, `confirmed`, `photos`) VALUES (NULL, '', '$locid', '$issue', '$date', '', '', '0', '$priority', '$notes', '0', '$photos');") or die(mysql_error());
                echo "<tr><td>Work added. Please note this will display as unconfirmed and will be updated by Maintenace.<br/>To Report another issue please complete the form below.<br/><a href='home.php'>Click here</a> to view all reported maintenance.</td></tr>";
                $issue = '';
                $notes = '';
                $priority ='1';
            }
        }
        if(!empty($error)) {
            echo '<tr><td colspan="2">The following errors occured:<br/>'.$error.'</td></tr>';
        }
        echo '<form method="post" action="home.php?action=report">
            <tr>
                <td>Issue<br/><span class="small">Please report issues individually.</span></td>
                <td><textarea name="issue" id="issue" cols="45" rows="5">'.$issue.'</textarea></td>
            </tr>
            <tr>
                <td>Notes</td>
                <td><textarea name="notes" id="notes" cols="45" rows="5">'.$notes.'</textarea></td>
            </tr>
            <tr>
                <td>Priority</td>
                <td><select name="priority" id="priority">';
        for ($i=1; $i<=5; $i++) {
            if($i == $priority) {
                echo "<option value='$i' selected='selected'>$i</option>";
            } else {
                echo "<option value='$i'>$i</option>";
            }
        }
        echo ' </select></td>
            </tr>
            <tr><td colspan="2">If you wish to add photos, please select and upload below:</tr>
            <tr>
                <td>Upload Photos</td>
                <td><input type="file" name="files" multiple/></td>
            </tr>
            <tr>
                <td colspan="2" align="center"><input type="hidden" name="add" id="add" value="1"/><input type="submit" name="button" id="button" class="reset" value="Report Maintenance!" /></td>
            </tr>
        </form>';
        foot($_SESSION['access']);
        break;
?>
```

Thanks!
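An added example, not code from any poster in this thread: one way to do the image check discussed above on the server, reading the type from the file's bytes with `finfo` instead of `$_FILES['files']['type']`, which is whatever the browser sends, and storing under a server-generated name in a directory created with octal mode `0755`. It assumes the form is posted with `enctype="multipart/form-data"` and a `files[]` field and that the fileinfo extension is loaded; `MAX_BYTES`, `ALLOWED_IMAGE_TYPES`, `image_extension_for()` and `store_uploaded_images()` are hypothetical names, and the two sample files are constructed.

```php
<?php
const MAX_BYTES = 2 * 1048576;                 // 2 MB limit used in the thread
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Hypothetical helper: extension to store under, or null if the content is not an
// allowed image. The type comes from the file's bytes, never from the browser.
function image_extension_for(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    return getimagesize($path) === false ? null : ALLOWED_IMAGE_TYPES[$mime];
}

// Hypothetical helper: validate and store each file of a name="files[]" field.
function store_uploaded_images(array $field, string $dir): array
{
    $stored = $errors = [];
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {   // octal 0755, not decimal 755
        return [[], ['Cannot create upload directory']];
    }
    foreach ($field['tmp_name'] as $i => $tmp) {
        $label = basename($field['name'][$i]);          // for messages only; escape on output
        if ($field['error'][$i] === UPLOAD_ERR_NO_FILE) {
            continue;                                   // empty file input
        } elseif ($field['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
            $errors[] = "$label: upload failed";
        } elseif ($field['size'][$i] > MAX_BYTES) {
            $errors[] = "$label: larger than 2 MB";
        } elseif (($ext = image_extension_for($tmp)) === null) {
            $errors[] = "$label: not a JPEG, PNG or GIF image";
        } else {
            $name = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen file name
            if (move_uploaded_file($tmp, "$dir/$name")) {
                $stored[] = $name;
            } else {
                $errors[] = "$label: could not be saved";
            }
        }
    }
    return [$stored, $errors];
}

// Constructed samples: a 1x1 GIF, and PHP source a client could send as "photo.jpg".
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'not an image'; ?>");
var_dump(image_extension_for($gif), image_extension_for($script));
unlink($gif); unlink($script);
```

In the upload handler the call would be `[$stored, $errors] = store_uploaded_images($_FILES['files'], $desired_dir);`, with the stored names, not the client's file names, written to the `photos` column.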
Hmm, though the code seems to be OK... you can try this code also: http://www.codeloopers.com/php-f4/how-to-do-multiple-file-upload-in-php-t2.html