file or image upload php problem

Question

I having problems with the download code of this script, I have modified it and added other features to it that work. Just the download part of the script does not work, I will provide the full code for all the files.

upload.php

<?php
require_once 'dbc.php';
page_protect();

$client_ID = mysql_query("SELECT id
    FROM clients WHERE user_name='".$_SESSION['user_name']."'")or die(mysql_error());
$client_ID = mysql_fetch_array($client_ID);
$client_ID = $client_ID['id'];


$uploadDir = 'uploads/';

if(isset($_POST['upload']))
{
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];

$filePath = $uploadDir . $fileName;

$result = move_uploaded_file($tmpName, $filePath);
if (!$result) {
echo "Error uploading file";
exit;
}

$hostname_conndb = "localhost";
$database_conndb = "uploads";
$username_conndb = "root";
$password_conndb = "";
$conndb = mysql_connect($hostname_conndb, $username_conndb, $password_conndb) or trigger_error(mysql_error(),E_USER_ERROR);

if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
$filePath = addslashes($filePath);
} 

$date = date('Y-m-d H:i:s');

$sql = "INSERT INTO upload2 (name, client, size, type, path, date ) ".
"VALUES ('$fileName', '$client_ID', '$fileSize', '$fileType', '$filePath', '$date')";
mysql_select_db($database_conndb, $conndb);
$result = mysql_query($sql, $conndb) or die(mysql_error());

echo "<br>File $fileName uploaded<br>";

}
?>
<html>
<head>
<title>Download File From MySQL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="styles.css" rel="stylesheet" type="text/css">
</head>

<body>
<?php
$hostname_conndb = "localhost";
$database_conndb = "uploads";
$username_conndb = "root";
$password_conndb = "";
$conndb = mysql_connect($hostname_conndb, $username_conndb, $password_conndb) or trigger_error(mysql_error(),E_USER_ERROR);

$sql = "SELECT * FROM upload2 WHERE client='".$client_ID."' ORDER BY date DESC";
mysql_select_db($database_conndb, $conndb);
$result = mysql_query($sql, $conndb) or die(mysql_error());
$rows = mysql_fetch_assoc($result);
$total_rows = mysql_num_rows($result);
?>
Welcome <?php echo $_SESSION['user_name'];?>
<form method="post" enctype="multipart/form-data">
<table width="350" border="0" cellpadding="1" cellspacing="1" class="box">
<tr> 
<td width="246">
<input type="hidden" name="MAX_FILE_SIZE" value="2000000">
<input name="userfile" type="file" id="userfile"> 
</td>
<td width="80"><input name="upload" type="submit" class="box" id="upload" value=" Upload "></td>
</tr>
</table>
</form>

<?php if($total_rows > 0) { ?>
          <table border="0" cellpadding="0" cellspacing="0" id="tbl_repeat">
        <tr>
          <th scope="col">FIle/Image Name</th>
          <th scope="col" style="width:15%">Date</th>
          <th scope="col" style="width:10%">Size</th>
          <th scope="col" style="width:10%">Download</th>
        </tr>
        <?php do { ?>
        <tr>
          <td><?php echo $rows['name']; ?></td>
          <td><?php echo $rows['date']; ?></td>
          <td><?php echo $rows['size']; ?></td>
          <td><a href="downloads.php?id=<?php echo $rows['id']; ?>">Download</a></td>
        </tr>
        <?php } while($rows = mysql_fetch_assoc($result)); ?>
      </table> 
      <?php } else { echo "<p class="warn">Sorry there are no records available.</p>"; } ?>
<p><br />
  <a href="logout.php">Logout </a></p>
</body>
</html>

This code works fine. The download code is: downloads.php

<?php
require_once 'dbc.php';
page_protect();

$client_ID = mysql_query("SELECT id
    FROM clients WHERE user_name='".$_SESSION['user_name']."'")or die(mysql_error());
$client_ID = mysql_fetch_array($client_ID);
$client_ID = $client_ID['id'];


$uploadDir = 'uploads/';

if(isset($_POST['upload']))
{
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];

$filePath = $uploadDir . $fileName;

$result = move_uploaded_file($tmpName, $filePath);
if (!$result) {
echo "Error uploading file";
exit;
}

$hostname_conndb = "localhost";
$database_conndb = "uploads";
$username_conndb = "root";
$password_conndb = "qaasim11";
$conndb = mysql_connect($hostname_conndb, $username_conndb, $password_conndb) or trigger_error(mysql_error(),E_USER_ERROR);

if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
$filePath = addslashes($filePath);
} 

$date = date('Y-m-d H:i:s');

$sql = "INSERT INTO upload2 (name, client, size, type, path, date ) ".
"VALUES ('$fileName', '$client_ID', '$fileSize', '$fileType', '$filePath', '$date')";
mysql_select_db($database_conndb, $conndb);
$result = mysql_query($sql, $conndb) or die(mysql_error());

echo "<br>File $fileName uploaded<br>";

}
?>

<html>
<head>
<title>Download File From MySQL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="styles.css" rel="stylesheet" type="text/css">
</head>

<body>
<?php
$hostname_conndb = "localhost";
$database_conndb = "uploads";
$username_conndb = "root";
$password_conndb = "";
$conndb = mysql_connect($hostname_conndb, $username_conndb, $password_conndb) or trigger_error(mysql_error(),E_USER_ERROR);

$sql = "SELECT * FROM upload2 WHERE client='".$client_ID."' ORDER BY date DESC";
mysql_select_db($database_conndb, $conndb);
$result = mysql_query($sql, $conndb) or die(mysql_error());
$rows = mysql_fetch_assoc($result);
$total_rows = mysql_num_rows($result);
?>
Welcome <?php echo $_SESSION['user_name'];?>
<form method="post" enctype="multipart/form-data">
<table width="350" border="0" cellpadding="1" cellspacing="1" class="box">
<tr> 
<td width="246">
<input type="hidden" name="MAX_FILE_SIZE" value="2000000">
<input name="userfile" type="file" id="userfile"> 
</td>
<td width="80"><input name="upload" type="submit" class="box" id="upload" value=" Upload "></td>
</tr>
</table>
</form>

<?php if($total_rows > 0) { ?>
          <table border="0" cellpadding="0" cellspacing="0" id="tbl_repeat">
        <tr>
          <th scope="col">FIle/Image Name</th>
          <th scope="col" style="width:15%">Date</th>
          <th scope="col" style="width:10%">Size</th>
          <th scope="col" style="width:10%">Download</th>
        </tr>
        <?php do { ?>
        <tr>
          <td><?php echo $rows['name']; ?></td>
          <td><?php echo $rows['date']; ?></td>
          <td><?php echo $rows['size']; ?></td>
          <td><a href="downloads.php?id=<?php echo $rows['id']; ?>">Download</a></td>
        </tr>
        <?php } while($rows = mysql_fetch_assoc($result)); ?>
      </table> 
      <?php } else { echo "<p class="warn">Sorry there are no records available.</p>"; } ?>
<p><br />
  <a href="logout.php">Logout </a></p>
</body>
</html>

Also this the code for my database:

CREATE TABLE IF NOT EXISTS `upload2` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`client` int(11) NOT NULL,
`name` varchar(30) NOT NULL,
`type` varchar(30) NOT NULL,
`size` int(11) NOT NULL,
`path` varchar(60) NOT NULL,
`date` datetime NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=10 ;

--
-- Dumping data for table `upload2`
--

INSERT INTO `upload2` (`id`, `client`, `name`, `type`, `size`, `path`, `date`) VALUES
(1, 1, 'back.gif', 'image/gif', 1997, 'uploads/back.gif', '2010-09-19 12:17:05'); 

When i click the download link in upload.php i get the following error Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in downloads.php on line 17 the fileis non exist in

I am not sure if the code works to download files/images if this error was not their as I cannot figure out how to fix this pronlem.

Answer 1

You don't connect to database for the first query (to get $client_ID )

$hostname_conndb = "localhost";
$database_conndb = "uploads";
$username_conndb = "root";
$password_conndb = "qaasim11";
$conndb = mysql_connect($hostname_conndb, $username_conndb, $password_conndb) or trigger_error(mysql_error(),E_USER_ERROR);

$client_ID = mysql_query("SELECT id
    FROM clients WHERE user_name='".$_SESSION['user_name']."'")or die(mysql_error());
$client_ID = mysql_fetch_array($client_ID);
$client_ID = $client_ID['id'];

Answer 2

Some things to consider:

1. Checking if a POST field is set is not the proper way to check if as POST was actually performed - it's entirely possible you may rename the field at some point and forget to change the if() , or the field is not submitted for some reason. A foolproof check is if ($_SERVER['REQUEST_METHOD'] == 'POST') { ... } . That will be true anytime the script is executed in response to a POST request, regardless of what fields (if any) were submitted.
2. You blindly assume the upload was successful, without checking for any of the MANY reasons an upload could fail (connection dies, file too large, out of disk space, etc...). The ['error'] parameter in the $_FILES array is there for a reason. if ($_FILES['somefile']['error'] === UPLOAD_ERR_OK) { ... upload was successful ... }
3. You don't sanitize the ['name'] parameter and blindly use it as part of the path in move_uploaded_file() . The name is COMPLETELY under control of the user, so a malicious user can easily name their file ../../../../../../windows/system32/kernel32.dll and your script will happily attempt to kill your machine
4. You don't check for file collisions, which follows from point 3). You blindly overwrite any file of the same name.
5. Without any kind of upload completion checking, you then attempt to save the data into a database. You use addslashes() on $filePath and $fileName, but you don't do the same for $fileType - that's the MIME type as provided BY THE CLIENT - so again it's fully under control of the user, and a malicious one can therefore easily perform an SQL injection attack.
6. You're connecting to your database as the root user. This is horribly bad practice. Create a dedicated account and grant it only "insert" privileges. A simple web application almost never requires create/drop/alter privileges, but this is what you're exposing to the world by using the root account. Combined with the SQL injection hole, and you've handed your database (and most likely the rest of your server) to an attacker on a silver platter.