1

hi guys i am uploading the images using the @PhP file upload Method @ If i upload 10 Images at a time (Each Images is 2000 /3000 dimension). then the on click save function is not working. if i upload 5 images or less than five images then its working fine wats wrong with my coding i just include my php code with this post <input value="Save" type="submit" name="SubSave" id="SubSave" onClick="return changes();">

 if($_POST['SubSave'] == "Save"){
    $aid = $_GET['rid'];
 $updcount = $_POST['theValue'];


if($_SESSION["almgtype"]==1 || (GetUserNoPhoto($_SESSION["almgid"]))>(GetTotalPhotoCount1($_SESSION["almgid"],$aid))) {


  $uid = $_SESSION["almgid"];

 for($k=1;$k<=$updcount;$k++) { 
        //echo $k;
   echo $_FILES["uploadfile"]["type"];

if($_FILES["uploadfile".$k]["name"]!="") {

if(($_FILES["uploadfile".$k]["type"] == "image/gif") || ($_FILES["uploadfile".$k]["type"] == "image/jpeg")|| ($_FILES["uploadfile".$k]["type"] == "image/pjpeg") || ($_FILES["uploadfile".$k]["type"] == "image/png")) {

 if ($_FILES["uploadfile".$k]["error"] > 0)
  {
  echo "Error: " . $_FILES["uploadfile".$k]["error"] . "<br />";
  }
else
  {  
       move_uploaded_file($_FILES["uploadfile".$k]["tmp_name"],
      "photoalbum/" . $_FILES["uploadfile".$k]["name"]);
      $uploadfile =  "photoalbum/" . $_FILES["uploadfile".$k]["name"];
  } 
  $path  = $uploadfile;
  $checklist = "select * from amt_photos1 where aid = '".trim($aid)."' and uid = '".trim($uid)."' and path = '".trim($path)."'";
  $chkresult  = mysql_query($checklist);
  if(mysql_num_rows($chkresult) == 0) {
  $i = 0;
  $path =$uploadfile;
  $result = "insert into amt_photos1 set uid = '".trim($uid)."',
                                     aid = '".trim($aid)."',
                                     path = '".trim($path)."',
                                     status = '0',
                                     createdby = '".$_SESSION["almgid"]."',
                                     createddate = now()";

  $rowlist = mysql_query($result) or die("Error:(".mysql_error().")".mysql_error());


                } 
                /**********************  if file already exist means ******************************************/
                else {
                $err= "The Uploaded file name ".$path." Is already exisit in the Album. Rename It or try to add Any other Photos";

                    }
                /**********************  if file already exist means ******************************************/
                $path ="";
                $uploadfile = "";
                $i  = "";
                }  // file extention
                     else {
        $err= "Unable To Upload The File Please Check The File Extention.Try Again Later";
     }

                }
                }
                }



                } // if save close
Improve this question
1
  • FYI, your unfiltered use of $_GET['rid'] as the variable $aid in the SQL expression make your application vulnerable to SQL injection attacks. You should fix that ASAP. Commented Nov 15, 2010 at 4:26

3 Answers 3

Reset to default
2

You probably need to change the maximum POST size in your php.ini configuration file (post_max_size setting).

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Also you may want to increase your "max_execution_time" as well.
And check that you don't have any Apache directives limiting post size, either. Reading your error logs would probably help.
Sorry I am new to this , where i include that max_size is there is any other link is available means please suggest me
0

You can use the command phpinfo() to dump your configuration. Likely, as others have stated you need to increase the upload size and execution time.

These can be modified through a .htaccess file.

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_value max_execution_time 200
php_value max_input_time 200
Improve this answer

Comments

0

Just as a warning: Your upload handling script will make it utterly trivial to completely subvert your server:

  1. You blindly trust that the $_FILES[...]['type'] value is correctly set - this value is completely under the user's control, and they can stuff in "image/jpeg" and upload any type of file they want
  2. You blindly trust that the $_FILES[...]['filename'] value is correctly set - again, this value is completely under the user's control, and they can stuff in "hackme.php" if they want to
  3. You blindly write the file to your photoalbum directory, but don't check if the user-supplied filename contains pathing data

So, what happens if someone uploads the following file:

$_FILES['uploadfile0']['type'] = 'image/gif';
$_FILES['uploadfile0']['filename'] = '../pwn_me.php';

You've now happily put a user-provided PHP script ONTO YOUR WEBSERVER and they can now do anything they want.

On top of that, your database queries blindly insert the same data into the queries, leaving you wide open to SQL injection attacks. As well, you don't check for filename collisions until AFTER you've moved the file. So, someone could upload a malicious script, but only do it once for that particular filename. Congratulations, you've implemented versioned attacks on your server. You'll have "pwn_me.php", "pwn_me2.php", "pwn_me3.php", "my_little_pwnme.php", and so on.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.