Handling Files for a Project Management Application - The add_file script (Page 3 of 4)
The next script we will look at is the add_file script, which is responsible for adding files to a project. The page consists of a form that provides a file field, a field type specifically designed for uploading files. The form also carries one additional attribute, as you will see in the HTML section of the page. Below is a screen shot of the form and also the code that builds the script:
And the code for the page:
<?php
include "dbcon.php";
include "functions.php";

if(isset($_GET['pid'])){
    //clean pid
    if(!is_numeric($_GET['pid'])){
        //the value received is not numeric. redirect the user to login
        //and stop the script so nothing below runs for a bad pid
        header("location:login.php");
        exit;
    }
    //otherwise clean the received value for query use
    $cpid = mysql_escape_string($_GET['pid']);
    $getname = "SELECT title FROM projects WHERE pid = '".$cpid."'";
    $g_result = mysql_query($getname);
    if(!$g_result){
        echo mysql_error();
    }else{
        $rowname = mysql_fetch_assoc($g_result);
        $title = $rowname['title'];
    }
}//end pid check

if(isset($_POST['submit'])){
    //start with no error and an empty message
    $err = false;
    $msg = "";
    //check vars
    if(!$_FILES['userfile']['name']) {
        $err = true;
        $msg .= "<BR>Please upload an image file.";
    }
    $fname=mysql_escape_string($_FILES['userfile']['name']);
    $p_pid=mysql_escape_string($_POST['p_pid']);
    //insert
    if(!$err){
        $insert = "INSERT INTO files SET filename = '".$fname."',";
        $insert .= "p_id= '".$p_pid."'";
        if(!mysql_query($insert)){
            echo mysql_error();
        }else{
            $newid=mysql_insert_id();
            $msg .= "Data inserted.".$p_pid."<br>";
        }
    }//err check
    //upload file only if the database row was created
    if(isset($newid) && $newid > 0){
        $uploadpath = "p_files/";
        $filename = trim(addslashes($_FILES['userfile']['name']));
        if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadpath . $filename)) {
            $msg .= "File uploaded.".$filename."";
        }else{
            $msg .= "File not uploaded.";
        }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/PM_Main.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>Untitled Document</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="Templates/main.css" rel="stylesheet" type="text/css" />
</head>
<body>
<table width="100%" border="0">
<tr>
<td width="33%"> </td>
<td width="28%"> </td>
<td width="39%">Logged in: <!-- InstanceBeginEditable name="login" --><?php echo $_SESSION['name'];?> | <a href="logout.php">Logout</a><!-- InstanceEndEditable --></td>
</tr>
<tr>
<td colspan="3" bgcolor="#6699CC" class="headertxt">Project Management Software </td>
</tr>
<tr>
<td colspan="3"><!-- InstanceBeginEditable name="main" -->
<form id="form1" name="form1" method="post" action="add_file.php" enctype="multipart/form-data">
<table width="100%" border="0">
<tr>
<td colspan="2" class="loginheader"><?php echo $title;?></td>
</tr>
<tr>
<td colspan="2"><?php if(isset($msg)){
echo $msg;
}?> </td>
</tr>
<tr>
<td width="10%">File Name </td>
<td width="90%"><label>
<input name="userfile" type="file" id="userfile" />
<input type="hidden" name="p_pid" value="<?php echo htmlspecialchars($_GET['pid']);?>"/>
</label></td>
</tr>
<tr>
<td> </td>
<td><label>
<input type="submit" name="submit" value="Upload File" />
</label></td>
</tr>
</table>
</form>
<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td colspan="3"><!-- InstanceBeginEditable name="nav" --><a href="main.php">View Project List</a> | <a href="admin/login.php">Administrators Corner </a><!-- InstanceEndEditable --></td>
</tr>
<tr>
<td align="right" class="cright" colspan="3">copyright © 2007 PM </td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>
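A hardened version of the insert-and-upload step, added here as an example and not part of the tutorial's own code. It assumes PHP 7 or later with a mysqli connection in $db (the tutorial uses the mysql_* extension) and a stored_name column on the files table, which the tutorial's table does not have.

```php
<?php
// Added example, not part of the original tutorial: hardened replacement for the
// "insert + move_uploaded_file" step in add_file.php. Assumes PHP >= 7.0, a mysqli
// connection in $db, and an extra stored_name column on the files table (assumption).

function store_project_file(mysqli $db, int $pid, array $file, string $uploadDir): string
{
    // 1. Reject anything PHP itself flagged (no file, partial upload, over limit).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if ($file['size'] > 5 * 1024 * 1024) {
        throw new RuntimeException('File exceeds the 5 MB limit');
    }

    // 2. Determine the type from the file's bytes, not from the client-supplied
    //    name or Content-Type, and map it onto a fixed extension.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Rejected content type ' . $mime);
    }

    // 3. Never reuse the client's filename on disk: it may contain "..", "/" or a
    //    second extension. Keep it only as display metadata in the database.
    $original = substr(basename($file['name']), 0, 255);
    $stored   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target   = rtrim($uploadDir, '/') . '/' . $stored;

    // 4. move_uploaded_file() refuses paths that are not genuine uploads.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($target, 0640); // readable by the web server, never executable

    // 5. Record it with a prepared statement instead of string-built SQL.
    $stmt = $db->prepare('INSERT INTO files (filename, stored_name, p_id) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $original, $stored, $pid);
    if (!$stmt->execute()) {
        unlink($target); // do not leave an orphan file behind
        throw new RuntimeException('Database insert failed: ' . $stmt->error);
    }
    return $stored;
}

// Usage in add_file.php: validate pid as an integer before calling.
// $pid = filter_var($_POST['p_pid'] ?? '', FILTER_VALIDATE_INT);
// if ($pid === false) { header('Location: login.php'); exit; }
// $stored = store_project_file($db, $pid, $_FILES['userfile'], __DIR__ . '/p_files');
```

The p_files/ directory should additionally be served with script execution disabled, and any later download code should look files up by stored_name rather than by the client-supplied filename.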
The code does a couple of familiar things. First it makes the usual checks to make sure that we don't crash the application, then it retrieves the project name and stores it in a variable called $title:
<?php
include "dbcon.php";
include "functions.php";

if(isset($_GET['pid'])){
    //clean pid
    if(!is_numeric($_GET['pid'])){
        //the value received is not numeric. redirect the user to login
        //and stop the script so nothing below runs for a bad pid
        header("location:login.php");
        exit;
    }
    //otherwise clean the received value for query use
    $cpid = mysql_escape_string($_GET['pid']);
    $getname = "SELECT title FROM projects WHERE pid = '".$cpid."'";
    $g_result = mysql_query($getname);
    if(!$g_result){
        echo mysql_error();
    }else{
        $rowname = mysql_fetch_assoc($g_result);
        $title = $rowname['title'];
    }
}//end pid check