Saturday, July 27, 2013

test2

Is this really an uploaded file?

The next thing you need to do is left out of more PHP instructions and books than you can imagine, but it's critical. At this point, regardless of whether you have a real file, what your program has to work with is a file name. And that name is controlled entirely by what your users put into their file input box. So if they're tricky, malicious, and thoroughly dishonest, they might try to put in a filename that does upload a file on their system, but also just so happens to match one of the special files on web servers that control things like, say, the passwords for users. (That file is usually /etc/passwd.)

You might think you must get your regular expressions on here and check for all kinds of fancy filename characters, but there's an easier way. PHP gives you a function called is_uploaded_file that ensures that for a given name, that name references a file uploaded with HTTP (the language of web browsers and HTML forms). In other words, if the supplied name targets a file on your web server, this function will return false, and you know that something's fishy. So you want to do something like this:

    // Make sure we didn't have an error uploading the image

    // Is this file the result of a valid upload?
    is_uploaded_file($_FILES[$image_fieldname]['tmp_name'])
      or handle_error("you were trying to do something naughty. Shame on you!",
                      "Uploaded request: file named " .
                      "'{$_FILES[$image_fieldname]['tmp_name']}'");

    // Interact with MySQL

Breathing and Sleeping Matter

Any good programmer will tell you stories of at least a few all-night hacking sessions. And odds are, those stories will be tinged rosy, full of victories and excitement. But the truth of the matter is that fatigue slows the brain down, and no programmer is as effective on two hours of sleep as she is on six. Bottom line: a tired brain isn't as useful as a rested one.

And if you've been swimming in the pool of PHP programming for seven chapters before this one, now you're well into the deep end. Chances are that you're having to read at least a few things twice, and some of this new code introduces not just one or two new things, but three or four or five. There's nothing at all wrong with this, but if you're getting worn out, nobody wins by you plowing ahead. Take a few hours off, ride your bike, jog a mile, or just set PHP aside for the night. You'll be stunned at how much clearer things seem after a bit of rest from programming. Don't think that rest and taking a few moments to breathe out of sight of the keyboard are a sign of weakness; rather, just the opposite.

test

Warning: Watch your square brackets ([ ]) and parentheses carefully here; it's really easy to get them mixed up and cause a hard-to-find error.

But this code is a little longer, while the code without the if is just a little clearer. Every bit of complexity you can save helps, so this is a nice trick to add to your growing PHP toolkit.

You can actually check your code in action at this point. Visit create_user.html and find an image file that's bigger than 2 MB. Look for a photo in iPhoto or something you've pulled straight off your camera. Select that image, and then try and submit your form. You should get something like Figure 8-5 back.

Figure 8-5

Here's one of those beautiful situations where a lot of hard work earlier pays off later. Rather than wading through your code or even writing custom PHP, you were able to quickly hand off an error to your handle_error function and get a nice response. Now multiply that by the hundreds (thousands?) of times you'll use handle_error, and you'll start to see the value of having that utility function written early on in your PHP life.

Note: You might have noticed that even though the image was rejected, your browser still uploads the image, regardless of how big the image is, or what your maximum file size is. That's because it's only after the image is uploaded that the size comparison is made. Sort of a bummer, but that's a browser issue, and not something you can fix with PHP.

This page is the result of your code finding an error code, and that error code being matched up to an error in $php_errors—in this case, the image was larger than your HTML allowed.
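
The two checks covered in these posts (the upload error code and is_uploaded_file on tmp_name), run in order and followed by a server-side size check, as an added example that is not code from the original page or the book it quotes. The names check_upload, MAX_BYTES and UPLOAD_MESSAGES are assumptions and the sample entries are constructed; run it from the command line, where is_uploaded_file returns false for every path.

```php
<?php
// Added example: check_upload, MAX_BYTES, UPLOAD_MESSAGES and the sample
// entries are hypothetical names, not taken from the original page.
const MAX_BYTES = 2 * 1024 * 1024; // 2 MB, the size the page tests against

// Messages keyed by PHP's upload error codes, in the spirit of $php_errors.
const UPLOAD_MESSAGES = [
    UPLOAD_ERR_INI_SIZE  => 'file exceeds upload_max_filesize in php.ini',
    UPLOAD_ERR_FORM_SIZE => 'file exceeds MAX_FILE_SIZE from the HTML form',
    UPLOAD_ERR_PARTIAL   => 'file was only partially uploaded',
    UPLOAD_ERR_NO_FILE   => 'no file was uploaded',
];

// Returns null when the entry is acceptable, otherwise a reason string.
// $entry has the shape of one element of $_FILES.
function check_upload(array $entry): ?string
{
    // 1. Error code PHP recorded for this upload.
    $code = $entry['error'] ?? UPLOAD_ERR_NO_FILE;
    if (!is_int($code)) {
        return 'malformed upload entry';
    }
    if ($code !== UPLOAD_ERR_OK) {
        return UPLOAD_MESSAGES[$code] ?? "upload failed with code $code";
    }
    // 2. tmp_name must be a file PHP itself received over HTTP POST.
    $tmp = $entry['tmp_name'] ?? '';
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        return 'tmp_name is not an HTTP upload';
    }
    // 3. MAX_FILE_SIZE arrives as a form field from the browser, so also
    //    measure the file that actually landed on the server.
    if (filesize($tmp) > MAX_BYTES) {
        return 'file is larger than ' . MAX_BYTES . ' bytes';
    }
    return null;
}

// Constructed sample entries (not real uploads).
$samples = [
    'too big for the form' => ['error' => UPLOAD_ERR_FORM_SIZE, 'tmp_name' => ''],
    'server file as name'  => ['error' => UPLOAD_ERR_OK, 'tmp_name' => '/etc/passwd'],
];
foreach ($samples as $label => $entry) {
    echo $label, ': ', check_upload($entry) ?? 'accepted', PHP_EOL;
}
```

In a real request handler, pass `$_FILES[$image_fieldname]` to the function and hand any non-null reason to your own error routine before touching the file.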