Rate and help improve

klepec

Hello.

I have written this script where a user (a restaurant owner) can add his place to the database of all local restaurants.

(insert basic information into database, add up to 3 images, thumbnail creation, insert image information to database).

 

It works well on localhost, but I would like some suggestions for improvement.

I'm not very sure of its structure; it may not execute well once it is online.

And I also think there are too many "IF's". But I really have no idea how to do it any other way.

 

Thanks for all the suggestions.

 

<?php
// Only run when included from the form page, which defines PROTECTION.
if (!defined('PROTECTION') || constant('PROTECTION') != 'demover') {
    echo "fuck off intruder!";
    exit;
}

// Escape the posted form fields for the INSERT below.
$naziv   = mysql_real_escape_string($_POST['Naziv']);
$naslov  = mysql_real_escape_string($_POST['Naslov']);
$kraj    = mysql_real_escape_string($_POST['Kraj']);
$telefon = mysql_real_escape_string($_POST['Telefon']);
$web     = "http://www." . mysql_real_escape_string($_POST['Spletna']);
$gm      = mysql_real_escape_string($_POST['Lokacija']);

//$gmaps = gmParse($gm);
$gmaps = 10; // hard-coded for now; gmParse() is commented out above

// $cID is defined by the including form page.
$fill = "INSERT INTO bpoint
(sName, sAddr, placeID, sPhone, sWeb, sGMaps, companyID)
VALUES
('$naziv','$naslov','$kraj','$telefon','$web','$gmaps','$cID')";

if (mysql_query($fill)) {
    $lastID = mysql_insert_id();
    $path   = "./truck/" . $cID . "/" . $lastID;
    $pname  = $_FILES["pic"]["tmp_name"]; // array: the form allows up to 3 files
    $num    = 0;

    if (count($_FILES["pic"]) && mkdir($path, 0777)) {
        include "thumbs.php";
        foreach ($pname as $imag) {
            $bname      = date("YmdHis") . $num;
            $num++;
            $finalpath  = $path . "/" . $bname . ".jpg";
            $finalthumb = $path . "/" . $bname . "_thumb.jpg";

            // Unused file inputs arrive with an empty tmp_name.
            if ($imag != "") {
                if (move_uploaded_file($imag, $finalpath)) {
                    make_thumb($finalpath, $finalthumb, 150);
                    mysql_query("INSERT INTO images (name, companyID) VALUES ('$finalpath', '$cID')");
                }
            }
        }
    }

    unset($_FILES["pic"]);
} else {
    die(mysql_error());
}
?>

https://forums.phpfreaks.com/topic/259875-rate-and-help-improve/

echo "fuck off intruder!";
exit; 

 

Haha, that made me laugh. You might want to make that a little more friendly in a production environment.

 

I'm a little concerned about where $cID is coming from, it is not defined in the code you posted. So that means it is either defined before the code you posted or you have register_globals on.

 

Also, you are not really handling any problems that may come from uploading a file. Neither are you ensuring the file is actually an image, and you are forcing its file extension to a jpeg.

All that code I posted is an include of the original form PHP. $cID is GET from the URL (?cid).

 

<?php
include "header.php";

$con = mysql_connect("localhost", "root", "");
if (!$con) {
    die("Connection Error: " . mysql_error());
}
mysql_set_charset('utf8', $con); // only once the connection exists

mysql_select_db("avtost", $con);

// Escaping needs an open connection, so this comes after mysql_connect().
$cID = mysql_real_escape_string($_GET['cid']);

// Look up the company owner so the logged-in user ($uid, presumably set in header.php) can be checked.
$persona = mysql_query("SELECT userID, cName, cMobile FROM bcompany WHERE companyID='1'");

while ($persono = mysql_fetch_array($persona)) {
    $persone = $persono["userID"];
    $cName   = $persono["cName"];
    $cMobile = $persono["cMobile"];
}

if ($persone != $uid) {
    echo "Do te strani nimate dostopa!"; // Slovene: "You do not have access to this page!"
    exit;
}

// "Potrdi" is the form's submit button; the POST is handled by addPoint.php.
if (isset($_POST["Potrdi"])) {
    include("addPoint.php");
}

$getPlace = mysql_query("SELECT placeID FROM bplace");

mysql_close($con);
?>

 

HTML .....

Another thing is that you are throwing around die(mysql_error())'s all over the place. That's bad enough in a development environment but is a definite no-no in a production environment. All you are doing is aiding potential attackers.

 

Just throw a 500 HTTP response and log the error. All your users need to know is that something didn't work.
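The two points raised above (checking that an upload really is an image instead of forcing a .jpg extension, and logging errors while sending a plain 500 instead of die(mysql_error())) in one piece of code. This is an added example, not klepec's code or anything from the thread; it assumes PHP with the fileinfo extension, that $path is the directory addPoint.php already creates, and the function names check_upload and fail_request are hypothetical.

```php
<?php
// Added example, not klepec's code: upload checks and failure handling as the
// replies suggest. Assumes the fileinfo extension; $path is the directory
// addPoint.php already creates; check_upload/fail_request are hypothetical names.

// Log the real cause server-side and give the client only a generic 500.
function fail_request($detail)
{
    error_log("addPoint failure: " . $detail);      // lands in the web server error log
    header("HTTP/1.1 500 Internal Server Error");
    exit("Something went wrong, please try again later.");
}

// Returns the temp path plus an extension derived from the file CONTENT, or null
// for an empty file slot. The client-supplied name and type are never trusted.
function check_upload($tmp_name, $error)
{
    if ($error === UPLOAD_ERR_NO_FILE) {
        return null;                                  // unused <input type="file"> slot
    }
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload error code " . $error);
    }
    if (!is_uploaded_file($tmp_name)) {
        throw new RuntimeException("not an uploaded file: " . $tmp_name);
    }
    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($tmp_name);
    if (!isset($allowed[$mime]) || @getimagesize($tmp_name) === false) {
        throw new RuntimeException("not an image: " . $mime);
    }
    return array('path' => $tmp_name, 'ext' => $allowed[$mime]);
}

// Replacement for the foreach over $pname in addPoint.php.
try {
    foreach ($_FILES['pic']['tmp_name'] as $i => $tmp) {
        $up = check_upload($tmp, $_FILES['pic']['error'][$i]);
        if ($up === null) continue;
        $final = $path . '/' . date('YmdHis') . $i . '.' . $up['ext'];
        if (!move_uploaded_file($up['path'], $final)) {
            throw new RuntimeException("could not move upload to " . $final);
        }
        // make_thumb() and the INSERT INTO images go here; on a false return, call fail_request().
    }
} catch (RuntimeException $e) {
    fail_request($e->getMessage());
}
```

The mysql_error() text only ever reaches error_log(), so the browser sees nothing about the database.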
