So I've made a file upload site, and the uploading of the file works well. But the problem is, later on, when I want to edit the file (replace), the file doesn't update like it should.

I face a problem: when I upload a file with capital letters, I use "strtolower". When I want to replace that file with "Edit", the "strtolower" doesn't seem to work, and I can't access the file. The filename is shown in the table, but when I click "View", it doesn't get the file, though it does get uploaded to the server.

Here is the code for upload and edit.php:

```php
if(isset($_POST['btn-upload']))
{
    // Client-supplied file name, prefixed with a random number
    $file = rand(1000,100000)."-".$_FILES['file']['name'];
    $file_loc = $_FILES['file']['tmp_name'];
    $file_size = $_FILES['file']['size'];
    $file_type = $_FILES['file']['type'];
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $user_city = $_POST['user_city'];
    $sifra = $_POST['sifra_izvoda'];
    $folder="uploads/";

    // Size in KB
    $new_size = $file_size/1024;

    mb_internal_encoding('UTF-8');

    // Lowercase the name and replace spaces with dashes
    $new_file_name = mb_strtolower($file);
    $final_file = str_replace(' ','-',$new_file_name);

    if(move_uploaded_file($file_loc,$folder.$final_file))
    {
        $sql="INSERT INTO tbl_uploads(file,type,size,first_name,last_name,user_city,sifra) VALUES('$final_file','$file_type','$new_size','$first_name','$last_name','$user_city','$sifra')";
        mysql_query($sql);
        ?>
        <script>
        alert('Izvod je dodan');
        window.location.href='view.php?success';
        </script>
        <?php
    }
}
```

Here is the code for when I want to edit the uploaded file:

```php
if(isset($_GET['edit_id']))
{
    $sql_query="SELECT file, type, size, first_name, last_name, user_city,   sifra  FROM tbl_uploads WHERE id=".$_GET['edit_id'];
    $result_set=mysql_query($sql_query);
    $fetched_row=mysql_fetch_array($result_set);
}
if(isset($_POST['btn-update']))
{
    $file = rand(1000,100000)."-".$_FILES['file']['name'];
    $file_loc = $_FILES['file']['tmp_name'];
    $file_size = $_FILES['file']['size'];
    $file_type = $_FILES['file']['type'];
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $user_city = $_POST['user_city'];
    $sifra = $_POST['sifra_izvoda'];
    $folder="uploads/";

    $new_size = $file_size/1024;

    mb_internal_encoding('UTF-8');

    $new_file_name = mb_strtolower($file);

    $final_file = str_replace(' ','-',$new_file_name);

    $tmp = move_uploaded_file($file_loc,$folder.$final_file);

    $insert_file = ($_FILES['file']['name'])?"file='$file', type='$file_type',     size='$file_size',":'';

    $sql_query = "UPDATE tbl_uploads SET $insert_file  first_name='$first_name', last_name='$last_name', user_city='$user_city', sifra='$sifra' WHERE id=".$_GET['edit_id'];

    if(mysql_query($sql_query))
    {
        header("Location: view.php");
        ?>
```
amircisija
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[a Kitten is strangled somewhere in the world](http://2.bp.blogspot.com/-zCT6jizimfI/UjJ5UTb_BeI/AAAAAAAACgg/AS6XCd6aNdg/s1600/luna_getting_strangled.jpg)** it is deprecated and has been for years and is gone for ever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Nov 14 '16 at 16:00
  • **You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php)** and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries. Especially since you're not escaping them at all! Prepared Statements can be used if you use MySQLi or PDO, instead of those, above mentioned, deprecated `mysql_*` functions. – M. Eriksson Nov 14 '16 at 16:02
  • Why don't you actually use the $final_file-name on the update-query? For some reason, you're using the original file-name, instead of the updated filename? That is probably your problem... – junkfoodjunkie Nov 14 '16 at 16:02
  • @RiggsFolly that was funny :) I know, but I'm not good with PHP and needed this for internal workings, no outsider would get there anyways. – amircisija Nov 14 '16 at 16:08
  • The famous last words _"for internal workings"_... Then it gets copy/pasted into a real project without anyone realizing it and whoops, the whole database gets released on the dark web, before they drop all tables. – M. Eriksson Nov 14 '16 at 16:12
  • @MagnusEriksson I understand what you are saying. I will of course try to learn the right way. Thanks. This is just what I could do in this short time. – amircisija Nov 14 '16 at 17:37
  • @junkfoodjunkie your guess was correct, I added the final file to the query. Thanks a lot m8 :) – amircisija Nov 15 '16 at 08:16

1 Answer

OK, the solution was this:

```php
$new_size = $file_size/1024;

mb_internal_encoding('UTF-8');
$new_file_name = mb_strtolower($file);
$final_file = str_replace(' ','-',$new_file_name);
$tmp = move_uploaded_file($file_loc,$folder.$final_file);

$insert_file = ($_FILES['file']['name'])?"file='$final_file', type='$file_type', size='$file_size',":'';

$sql_query = "UPDATE tbl_uploads SET $insert_file  first_name='$first_name', last_name='$last_name', user_city='$user_city', sifra='$sifra' WHERE id=".$_GET['edit_id'];
```

I added `file='$final_file'` to the query, and now it updates correctly.

amircisija
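
The prepared-statement approach recommended in the comments, applied to the edit handler's UPDATE together with the `$final_file` fix from the answer; this is an added example, not code from the original posts. The helper names `stored_name` and `update_upload`, the `basename()` and character filtering, and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Table and column names come from the question;
// the helper names and the SQLite demo database are assumptions.

/** Derive the on-disk name as the question does, but from basename() so a
 *  client-supplied path component cannot leave the upload folder. */
function stored_name(string $clientName): string
{
    $name = mb_strtolower(basename($clientName), 'UTF-8');
    $name = preg_replace('/[^\p{L}\p{N}._-]+/u', '-', $name); // spaces, odd chars -> '-'
    return random_int(1000, 100000) . '-' . $name;
}

/** Update one row with bound parameters; $file is null when nothing was re-uploaded. */
function update_upload(PDO $pdo, int $id, array $meta, ?array $file): int
{
    $set = ['first_name = :first_name', 'last_name = :last_name',
            'user_city = :user_city', 'sifra = :sifra'];
    $params = [
        ':first_name' => $meta['first_name'], ':last_name' => $meta['last_name'],
        ':user_city'  => $meta['user_city'],  ':sifra'     => $meta['sifra'],
        ':id'         => $id,
    ];
    if ($file !== null) {
        // Record the name actually written to disk ($final_file), not the original name.
        array_unshift($set, 'file = :file', 'type = :type', 'size = :size');
        $params += [':file' => $file['name'], ':type' => $file['type'], ':size' => $file['size']];
    }
    // Only fixed column fragments are concatenated; every value travels as a parameter.
    $stmt = $pdo->prepare('UPDATE tbl_uploads SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed demo data; in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_uploads (id INTEGER PRIMARY KEY, file TEXT, type TEXT,
    size REAL, first_name TEXT, last_name TEXT, user_city TEXT, sifra TEXT)');
$pdo->exec("INSERT INTO tbl_uploads (id, file) VALUES (1, '1234-old.pdf')");

$final_file = stored_name('../My Report.PDF');   // lowercased, no path, no spaces
$meta = ['first_name' => "O'Brien", 'last_name' => 'Test', 'user_city' => 'Tuzla', 'sifra' => 'A-17'];
$file = ['name' => $final_file, 'type' => 'application/pdf', 'size' => 12.5];
$changed = update_upload($pdo, (int) '1', $meta, $file);   // id cast to int before use
$row = $pdo->query('SELECT file, first_name FROM tbl_uploads WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
printf("%d row updated: %s / %s\n", $changed, $row['file'], $row['first_name']);
```

In the real handler, `update_upload()` would be called only after `move_uploaded_file()` has succeeded, with a PDO MySQL connection in place of the SQLite one.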