
How to upload image securely to a server?

Here is my simple HTML code:

<html>
    <body>
        <form action="photo.php" method="post" enctype="multipart/form-data">
            <label for="file">Filename:</label>
            <input type="file" name="file" id="file"><br>
            <input type="submit" name="submit" value="Submit">
        </form>
    </body>
</html> 

Here is my PHP code to upload a photo to a server. Can anyone show me how to connect this code to the server, save the image in the upload directory, and insert the image information into the database? I read that inserting an image directly into the database is not good and that you should save the image path and insert the image information into the database. I'm using localhost for the moment. Please help me.

<?php
    # check for session
    // NOTE: taking the session ID from POST/GET lets the client pick its own
    // session ID (session fixation); prefer the session cookie where possible.
    if (isset($_POST['PHPSESSID']))
        session_id($_POST['PHPSESSID']);
    else if (isset($_GET['PHPSESSID']))
        session_id($_GET['PHPSESSID']);
    else
    {
        HandleError('No Session was found.');
    }

    session_start();
    // Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
    $POST_MAX_SIZE = ini_get('post_max_size');
    $unit = strtoupper(substr($POST_MAX_SIZE, -1));
    $multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));

    if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE)
        HandleError('POST exceeded maximum allowed size.');

    // Settings
    $save_path = getcwd() . '/uploads/';  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
    $upload_name = 'file';  // must match the name="" of the <input type="file"> in the HTML form
    $max_file_size_in_bytes = 2097152;  // 2MB in bytes
    $whitelist = array('jpg', 'png', 'gif', 'jpeg'); // Allowed file extensions
    $blacklist = array('php', 'php3', 'php4', 'phtml', 'exe'); // Restricted file extensions
    // Characters allowed in the file name (as a regex character class). The dot
    // must be allowed, otherwise the extension is stripped and every upload is
    // rejected below; the hyphen goes last so it is not read as a range.
    $valid_chars_regex = 'A-Za-z0-9_.\s-';

    // Other variables
    $MAX_FILENAME_LENGTH = 260;
    $file_name = '';
    $file_extension = '';
    $uploadErrors = array(
        0=>'There is no error, the file uploaded with success',
        1=>'The uploaded file exceeds the upload_max_filesize directive in php.ini',
        2=>'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form',
        3=>'The uploaded file was only partially uploaded',
        4=>'No file was uploaded',
        6=>'Missing a temporary folder'
    );

    // Validate the upload
    if (!isset($_FILES[$upload_name]))
        HandleError('No upload found in $_FILES for ' . $upload_name);
    else if (isset($_FILES[$upload_name]['error']) && $_FILES[$upload_name]['error'] != 0)
        HandleError($uploadErrors[$_FILES[$upload_name]['error']]);
    else if (!isset($_FILES[$upload_name]['tmp_name']) || !@is_uploaded_file($_FILES[$upload_name]['tmp_name']))
        HandleError('Upload failed is_uploaded_file test.');
    else if (!isset($_FILES[$upload_name]['name']))
        HandleError('File has no name.');

    // Validate the file size (Warning: the largest file supported by this code is 2MB)
    $file_size = @filesize($_FILES[$upload_name]['tmp_name']);
    if (!$file_size || $file_size > $max_file_size_in_bytes)
        HandleError('File exceeds the maximum allowed size');

    if ($file_size <= 0)
        HandleError('File size outside allowed lower bound');

    // Validate the declared MIME type is an image. $_FILES[...]['type'] is sent
    // by the browser and can be forged (and differs between browsers, especially
    // for zip files), so this is only a first filter; the getimagesize() check
    // below inspects the actual file contents. (eregi() was removed in PHP 7.)
    if (stripos($_FILES[$upload_name]['type'], 'image/') !== 0)
        HandleError('Please upload a valid file!');

    // Validate that it is an image by reading the file contents
    $imageinfo = @getimagesize($_FILES[$upload_name]['tmp_name']);
    if ($imageinfo === false || !in_array($imageinfo['mime'], array('image/gif', 'image/jpeg', 'image/png'), true))
        HandleError('Sorry, we only accept GIF, JPEG and PNG images');

    // Validate file name (for our purposes we'll just remove invalid characters and trailing dots)
    $file_name = preg_replace('/[^'.$valid_chars_regex.']|\.+$/i', '', strtolower(basename($_FILES[$upload_name]['name'])));
    if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH)
        HandleError('Invalid file name');

    // Validate that we won't over-write an existing file
    if (file_exists($save_path . $file_name))
        HandleError('File with this name already exists');

    // Validate file extension (pathinfo() avoids the "only variables should be
    // passed by reference" notice that end(explode(...)) raises)
    $file_extension = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
    if (!in_array($file_extension, $whitelist, true))
        HandleError('Invalid file extension');
    if (in_array($file_extension, $blacklist, true))
        HandleError('Invalid file extension');

    // Rename the file to be saved
    $file_name = md5($file_name . time());

    // Verify! Upload the file
    if (!@move_uploaded_file($_FILES[$upload_name]['tmp_name'], $save_path . $file_name))
        HandleError('File could not be saved.');

    exit(0);

    /* Handles the error output. */
    function HandleError($message) {
        echo $message;
        exit(0);
    }

?>

Here is my PHP code to connect to and insert into the MySQL database:

<?php
    // The mysql_* functions were removed in PHP 7; mysqli is the drop-in replacement.
    $con = mysqli_connect("localhost", "root", "", "simple_login");
    if (!$con)
    {
        die('Could not connect: ' . mysqli_connect_error());
    }

    // A prepared statement keeps the value out of the SQL text, so a file name
    // containing quotes cannot break the query or inject SQL.
    $photo = 'file';  // placeholder: this should be the path of the saved file
    $stmt = mysqli_prepare($con, "INSERT INTO Photo (Photo) VALUES (?)");
    mysqli_stmt_bind_param($stmt, 's', $photo);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    mysqli_close($con);
?>

$file_name = md5($file_name. time()); - You MD5 the file name, and that means that you are also hashing the file extension.

You should do this:

$extension = pathinfo($file_name, PATHINFO_EXTENSION);

$file_name = md5($file_name . time()) . '.' . $extension;

To save the file path:

You can do:

$file_name_2 = getcwd() . '/uploads/' . $file_name;

$stmt = mysqli_prepare($con, "INSERT INTO Photo (Photo) VALUES (?)");
mysqli_stmt_bind_param($stmt, 's', $file_name_2);
mysqli_stmt_execute($stmt);
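Putting the question's handler and the answer's two fixes together, here is an added, self-contained example (not code from the question or the answer above) of the approach a security reviewer would want: the file type is decided from the bytes on disk rather than from the client's file name or Content-Type, the extension written to disk is derived from that detected type, the stored name is random, and the relative path is recorded with a prepared statement. The form field name `photo`, the `uploads/` directory, and the `photos` table with its `path`, `original_name` and `uploaded_at` columns are assumptions made for this example.

```php
<?php
// Added example: hardened image upload handler. The field name 'photo', the
// uploads/ directory and the `photos` table are assumptions for this example.
declare(strict_types=1);

// Accepted image types mapped to the extension we will write. The extension
// comes from this map, never from the client-supplied file name.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // 2 MB

/**
 * Validate one entry of $_FILES and return the extension to use, or throw.
 */
function validateImage(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $err);
    }
    // Refuse anything PHP did not itself receive as a multipart upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File size out of range');
    }
    // Detect the type from the file contents, not from $file['type'],
    // which is whatever the browser (or attacker) chose to send.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are accepted');
    }
    // Second opinion from the image decoder; also rejects truncated files and
    // files whose magic bytes disagree with their structure.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Move a validated upload into $uploadDir under a random name and return the
 * relative path to store in the database.
 */
function storeImage(array $file, string $uploadDir): string
{
    $ext = validateImage($file);
    // 16 random bytes -> 32 hex characters: unguessable, and collisions are
    // not a practical concern, so no "file already exists" check is needed.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return 'uploads/' . $name;
}

// ---- request handling -----------------------------------------------------
try {
    $relPath = storeImage($_FILES['photo'] ?? [], __DIR__ . '/uploads');

    // Store the path, not the image bytes; the prepared statement keeps the
    // values out of the SQL text.
    $pdo = new PDO('mysql:host=localhost;dbname=simple_login;charset=utf8mb4', 'root', '', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $stmt = $pdo->prepare(
        'INSERT INTO photos (path, original_name, uploaded_at) VALUES (?, ?, NOW())'
    );
    $stmt->execute([$relPath, basename((string)($_FILES['photo']['name'] ?? ''))]);

    echo 'Saved as ' . htmlspecialchars($relPath, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Two caveats that the checks above do not cover on their own: the `uploads/` directory must never be allowed to execute scripts (either disable PHP execution for that directory in the web server configuration, or keep it outside the document root and serve files through a script), and the original file name is kept only as a display column, never used to build a path.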
