Need help using PHP to upload images and collecting data from a form

[dux]

I am building a new website that allows members to upload images. I am using a program called Gallery to build the site (I have got it working and set the site up). I have located a php script that allows users to upload an image. The form they need to complete will be very simple, but I want it to include their username without the need for manual input. The images will be uploaded directly to the server so I need to match up an image with the user who submitted it as there will be other information in the form that needs to be added alongside the image.

My question is; how do I do it?

I have been looking at cookies or sessions, but I could really do with some advice on the whole process.

I am also a little wary about security. The upload folder is password protected but I really think I should be doing more than just that. How can I protect myself against viruses etc?

Any help on this would be greatly appreciated, it is very much a work in progress at the moment....

EDIT - I have been thinking about this - could the ouput of the form create a html file containing the image and the form fields?

[purplepaisley]

Hi, just my 2 cents but why reinvent the wheel when you can use something like Coppermine Gallery which does this already and has a very active open source community which maintains code security and compatibilty updates.

[dux]

I had a look at CopperMine but there was something about it I didn't like, and I can't remember what that was right now.

[niggles]

If you're going to allow visitors to upload images, you can either use a third party script (like Coppermine) or have a good read of PHP documentation. PHP.net has a wealth of information and script snippets.

At the very minimum you're going to need to understand:

* $_SESSION for associating the username they've logged in with the image so you can write it to the database or rename it

* mime type checking to ensure that they don't upload an .exe or .php instead of a .jpg (it's no good just checking the extension)

* renaming the files once uploaded so they don't contain malicious characters


The process is not so hard, but to be security conscious it's worth doing some reading on how to prevent file upload attacks etc.

Cheers,
Nigel

[memaggiem]

I hope I can say this - I browsed around, found a script that I was pleased with but it wasn't really what I wanted and it took some time to implement for what I wanted to do. I have multiple forms and multiple uploads of different types.

I browsed and tinkered more and then just got CoffeeCup form builder. (Can I say this - the company that is? I guess we'll see!) I'm pleased with it and have had no security issues at all.

HTH
Maggie

[datetopia]

If don't have php programming experience you should hire a programmer or start with some tutorials:
PHP Tutorial - File Upload

[alhefner]

I guess I am missing something here. Gallery is pretty secure on it's own and has a huge upload capability with file checking built in.

Do you want your gallery users to have direct access to your server ftp? I would never recommend that route!

Also, coppermine has pretty much the same capability just presented differently.

If you are attempting to go a simpler route that using the built-in functions of Gallery, you really do need to learn PHP! Using the super global variables like $_POST and $_SESSION are tools that every webmaster using PHP should know anyway. It will help you avoid those huge URL's that search engines don't like.