0

I am working on a login system which is working pretty good already. Now I decided to add the feature that on registering, a user is able to upload an image to set as his profile picture. My code is mostly done but it doesn't seem to work and I can't figure out why. In the code below I made 2 if statements regarding the image, first I am trying to check if the image is an actual image file and after that I am copying the uploaded image to a folder in my directory, the path gets stated in $avatar when the picture is uploaded and the form gets submitted. When I upload a picture I manage to pass the first if statement but then it gives me the else statement that the file did not got uploaded. When I try to upload a different extension then the ones which are allowed I get no error at all and the script returns a blank screen, no user data gets posted on any of these occasions.

<?php
require_once('../connect.php');

if(isset($_POST) AND !empty($_POST)){
 
 $firstname = mysqli_real_escape_string($connection, $_POST['firstname']);
 $lastname = mysqli_real_escape_string($connection, $_POST['lastname']);
 $email = mysqli_real_escape_string($connection, $_POST['email']);
 $username = mysqli_real_escape_string($connection, $_POST['username']);
 $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
 $avatar = mysqli_real_escape_string($connection, 'avatars/'.$_FILES['avatar']['name']);

 $extension = pathinfo($avatar, PATHINFO_EXTENSION);
 if(in_array($extension, array('jpg', 'png', 'jpeg'))){

  if(copy($_FILES['avatar']['tmp_name'], $avatar)){

   $sql = "INSERT INTO `login` (Firstname, Lastname, Email, Username, Password, Avatar) VALUES ('$firstname', '$lastname', '$email', '$username', '$password', '$avatar')";



   $result = mysqli_query($connection, $sql);
   if($result){
    $url = "../index.php";
    $messageok = "User registration succesfull!";
    echo "<script type='text/javascript'>alert('$messageok');</script>";
    echo '<script>window.location = "'.$url.'";</script>';
    

   }else{
    $url = "../index.php";
    $messagenok = "User registration failed!";
    echo "<script type='text/javascript'>alert('$messagenok');</script>";
    echo '<script>window.location = "'.$url.'";</script>';
   }
  } else{
    $url = "../index.php";
    $messageok = "Picture was not uploaded to database! plz try again";
    echo "<script type='text/javascript'>alert('$messageok');</script>";
    echo '<script>window.location = "'.$url.'";</script>';
   }
 }else{
    $url = "../index.php";
    $messageok = "Uploaded images must have one of following extensions, jpg, jpeg, png. Please try again!";
    echo "<script type='text/javascript'>alert('$messageok');</script>";
    echo '<script>window.location = "'.$url.'";</script>';
  }
   
}?>
<?php session_start(); ?>




<div class="popupscreen" id="registerpopup">
 <div class="formwrapper">
  <div class="login-form">
  <form action="includes/register.php" method="POST" enctype="multipart/form-data">
   <label class="popuplabel">First-name</label>
   <input name="firstname" placeholder="first-name" class="popupinput" required />

   <label class="popuplabel">Last-name</label>
   <input name="lastname" placeholder="last-name" class="popupinput" required />

   <label class="popuplabel">Email</label>
   <input name="email" placeholder="email" class="popupinput" required />

   <label class="popuplabel">Username</label>
   <input name="username" placeholder="username" class="popupinput" required />

   <label class="popuplabel">Password</label>
   <input name="password" placeholder="password" class="popupinput" required/>

   <label class="popuplabel">Upload profile picture</label>
   <input type="file" name="avatar" accept="image/*" />

   <button class="popupbutton" type="submit">Register</button>
  </form>
   <button onclick="closeregister()" class="popupbutton">Close</button>
 </div>
  
 </div>
</div>
Pieter
  • 359
  • 3
  • 14
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Sep 29 '17 at 20:29
  • `if(copy($_FILES['avatar']['tmp_name'], $avatar)){` is this "copy" supose to be mkdir? – Jurick Pastechi Genaro Sep 29 '17 at 20:30
  • @JurickPastechiGenaro no te directory already exists and the path get's stated in $avatar. Did I miss something there perhaps? – Pieter Sep 29 '17 at 20:32
  • 2
    have a look at http://php.net/manual/en/function.move-uploaded-file.php and double check your path inside `$avatar` – Michael M. Sep 29 '17 at 20:33
  • I'll have a look thx :) – Pieter Sep 29 '17 at 20:34
  • @Pieter well ye but what i mean is that, but what i meant is. well let me ask it another way. Where is the code that puts the picture into the folder? – Jurick Pastechi Genaro Sep 29 '17 at 20:45
  • I was under the assumption that was what the copy() did ... – Pieter Sep 29 '17 at 20:59
  • I also tried using move_uploaded_file instead of copy didn't work either :/ – Pieter Sep 29 '17 at 21:03
  • @JurickPastechiGenaro when I var_dump($_FILES['avatar']); var_dump($avatar); I get following output : array(5) { ["name"]=> string(15) "fenderstrat.jpg" ["type"]=> string(10) "image/jpeg" ["tmp_name"]=> string(36) "/Applications/MAMP/tmp/php/phpz2CmUB" ["error"]=> int(0) ["size"]=> int(48398) } string(23) "avatars/fenderstrat.jpg" – Pieter Sep 29 '17 at 21:06

0 Answers0