0

Let me explain what i am hope to acomplish:

I want to allow my users to upload a image as avatar.

I found many php upload tutorials but i don't know hoy to upload the avatars as user_id.ext in /avatars folder.

I hope i was clear, thanks.

m3tsys
  • 3,939
  • 6
  • 31
  • 45
  • what is stopping you changing a name after upload is complete? – Elen Apr 19 '12 at 13:46
  • 2
    http://php.net/move_uploaded_file - Example #1 change the value of `$name` to whatever you want. – Mike B Apr 19 '12 at 13:48
  • ok but how to post $user_id from the upload page to the file that process the image upload? – m3tsys Apr 19 '12 at 13:51
  • You shouldn't post `$user_id` in the form.. anyone could change that value and replace another user's avatar. Can't you get `$user_id` from session or other authentication source? We have no idea how your application is structured so providing a complete/specific solution isn't possible. – Mike B Apr 19 '12 at 13:53

2 Answers2

1

In any upload script, you go through a few basic steps. First, you get data from $_FILES telling you where the temporary upload file is. You validate the file based on something to make sure it's not evil/malicious/wrong. Then you rename it and move it somewhere useful. In your last step, when you move the image to where it's going, take that opportunity to name the file as you like. If you're dealing with a user's account it should be trivial to get the username, id, middle name, etc and use that to set the file's name.

Surreal Dreams
  • 26,055
  • 3
  • 46
  • 61
  • ok but how to post $user_id from the upload page to the file that process the image upload? – m3tsys Apr 19 '12 at 13:53
  • Send it as a parameter when you call the file that processes the upload, or store it in the $_SESSION. Or send the username, or whatever you really want to use to name the file. – Surreal Dreams Apr 19 '12 at 14:01
0

This script gets the uploaded file and save it as /avatars/$user_id.ext, $user_id retrieved from POST:

<?php
if ($_FILES["file"]["error"] > 0) {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
} else {
    move_uploaded_file($_FILES["file"]["tmp_name"], "/avatar/{$_POST['user_id']}.ext");
    echo "Stored in: " . "/avatar/{$_POST['user_id']}.ext";

}    
?>

And this is the form:

<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="hidden" name="user_id" value="<?php echo $user_id ?>">
<input type="submit" value="submit"></form>
Marco Gamba
  • 322
  • 2
  • 5
  • If I knew anyone elses `$user_id` I could change their avatar. – Mike B Apr 19 '12 at 14:33
  • Yeah, that's right but I assume that he already has a basic authorization system, he could just add a few conditions to my code (like `$_COOKIE['user'] == $dbrow['user'] && $_COOKIE['hashpwd'] == $dbrow['pwd'] && $_POST['userid'] == $dbrow['userid']`).. Mmh, that would make `$user_id` useless, indeed. But I simply posted an example of how this could be achieved, I was convinced he would have implemented that along with other authorization code. – Marco Gamba Apr 19 '12 at 15:01