1

Is it possible to upload images/files by sending the POST or REQUEST, parameters in the URL without HTML content?

I created a PHP file that gets a image from my someone, stores that file into the database, and a in a folder on my computer. It works fine but what I want to do now is remove the html content and only allow someone to send the images/files via the URL. I tried using $_GET but I received a lot of errors. I also researched this and read that only $_POST will work.

Here is my PHP source code with HTML but keep in mind, "I want the page blank and the only way for someone to send the images/files is through URL".

PHP:

if(isset($_POST['submit'])){

    if(@getimagesize($_FILES['image']['tmp_name']) ==FALSE){

        // Select an image
        echo "Please select an image.";
    }
    else{
    // THE PATH TO STORE THE UPLOAD IMAGE
    $target = "images/".basename($_FILES['image']['name']);

    //CONNECT TO DATABASE
    $db = mysqli_connect("localhost", "root", "");
    mysqli_select_db($db, "magicsever");

    if(mysqli_connect_error()){

        die ("Database connection error");
    }
    //GET ALL THE SUBMITTED DATA
    $image = $_FILES['image']['tmp_name'];
    $name = $_FILES['image']['name'];

    //Store te submitted data to database
    $sql = "INSERT INTO image_test (name, image)VALUES ('$name','$image')";
    $query = mysqli_query($db, $sql);


    //Now lets move the uploaded image into the folder

    $nullResult = array();
    $nullResult['Image'] = (move_uploaded_file($_FILES['image']['tmp_name'], $target))? "Successful": "Unsuccessful";
    echo json_encode($nullResult);                      


    }
}

HTML:

<form action="index.php" method="post" enctype="multipart/form-data">

<input type="file" name="image">
    <br></br>
<input type="submit" name="submit" value="Upload">




</form>
Paulie-C
  • 1,674
  • 1
  • 13
  • 29
Jagr
  • 484
  • 2
  • 11
  • 31
  • 1
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 26 '17 at 16:50
  • 1
    When your visitor POST an image, it does only include that image. What is HTML content? I can't see any reason, you should use GET, instead POST, to upload a file to server. – Оzgur May 26 '17 at 16:50
  • Thanks @AlexHowansky and i am trying to send it in the URL without the html content which is the upload button etc – Jagr May 26 '17 at 16:58

1 Answers1

1

$_POST['']; Parameters come from the usually the form that has the method set to POST, like yours has, that input type you have (file, named image) will be returned has $_POST['image'], $_REQUEST on the other hand is the "GET" method, it works in the same way, the only difference is it's not secure and it comes in the url. I would recommend using POST to be honest. Also use PDO because your code is vulnerable to SQL injection. (mentioned by Alex Howansky)

MrSanchez
  • 317
  • 4
  • 14
  • How would i send the parameters in the URL using POST? – Jagr May 26 '17 at 16:58
  • 1
    You don't, thats the thing, POST sends it to the $_POST['name'] superglobal, which then you can access from anywhere in the website. GET sends it to the url and is accesed trough $_REQUEST['name'] – MrSanchez May 26 '17 at 17:00
  • It's not possible to send an image file trough the url like you want, you really need some type of file upload, you can't just simply, inject an image from the url UNLESS its an image that comes from another url, which the you would have something like page.com/upload.php?file=www.imgur.com/image.png – MrSanchez May 26 '17 at 17:03
  • Oh so what i want to do is kinda impossible unless you have the image URL already in hand? So there is no way to send an uploaded image maybe with $_GET to the database etc etc? Like how snap and facebook store all the images in the server, thats what i want to do. – Jagr May 26 '17 at 17:12
  • Naah mate you need to do some type of way to receive the file and then send it to the database. Generally with a form and a post method. – MrSanchez May 26 '17 at 20:07