download from mysql

Hiya guys

After getting everything else working how I expected, I’m sort of struggling on the last step. Downloading

I have an upload.php file that allows me to upload a file to Mysql, the fields available are:

upid - Primary
id - Need to link this to the logged on user id
name
type
size
content

The upload works perfectly

Can anyone help with implementing it to the profile.php (1st page after login)

On profile page I have:

Welcome “username” from Session
Dynamic Table display his user id, username and password at the moment, this will be changed as not needed tho. I am using the sessions MM_Username to pass from the login

The table for Login looks like:

id - primary
username
password

I assume that if I can copy the ID from login and put it in ID in Upload and add columns to dynamic table to show the upload file, will this make that file only available to logged in user?

Cheers

What is the end goal? Why are you dynamically generating tables? A single upload listing table tied to a user ID is enough. When you do a query, you then only display files owned by the user.

Hi thanks for the reply

The end goal is to allow a customer to login to their own account area and view copies of their PDF Invoices, Statements and Estimates.

I have built everything else using PHP, MYSQL and Dreamweaver against a lot of advice, but this is all I know.

Login.PHP sends the username to Profile.php (containing all customer details) and this is done via MM_Username Session.

Profile.PHP says Welcome “username” so this is working correctly, once logged in I thought it would be easy enough to display a dynamic table allowing the user to edit their own email, address, telephone etc

At the moment, I have an upload.php which allows me to upload the PDF to mysql which is working, I created a field in tbl upload to allow the acceptance of the Username ID. At the moment I enter this manually. This in turn should display the uploaded file within the users account, which appears to be working

I have a download script also which displays all the files stored in MYSQL but doesn’t display per user, so any customer can print everyone else’s details.

I need a way to allow the user to download the file in the table: ie

Tbl - Login
ID Username Password
2 HL2283 1234

Tbl Upload
upID ID FILENAME TYPE SIZE CONTENT DOWNLOAD
1 2 Invoice1 PDF 1mb HYPERLINK
2 2 Invoice 2 PDF 1mb HYPERLINK

If the user clicks on the Hyperlink, it should either display the file in a new window or download

Forgot to mention

To view the site and see what I mean, http://scotair.noip.me/new.php

username: alex
password: alex

I’ve altered it slightly since my last post, and now have everything working via MM_Username session, so the only part I need help with is the download file link part. Please visit site and you will see

I have a download script also which displays all the files stored in MYSQL but doesn't display per user, so any customer can print everyone else's details.

I need a way to allow the user to download the file in the table: ie

Post that script and the login script. Your SQL statement is what you need to change and probably, the retrieval of the user id.

Cheers

Login.php
[php]

<?php require_once('Connections/new.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
  function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
  {
    if (PHP_VERSION < 6) {
      $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    }

    $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

    switch ($theType) {
      case "text":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "long":
      case "int":
        $theValue = ($theValue != "") ? intval($theValue) : "NULL";
        break;
      case "double":
        $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
        break;
      case "date":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "defined":
        $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
        break;
    }
    return $theValue;
  }
}

mysql_select_db($database_new, $new);
$query_Recordset1 = "SELECT * FROM login";
$Recordset1 = mysql_query($query_Recordset1, $new) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "success.php";
  $MM_redirectLoginFailed = "failed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_new, $new);

  $LoginRS__query=sprintf("SELECT username, password FROM login WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

  $LoginRS = mysql_query($LoginRS__query, $new) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";

    if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
Untitled Document

username

password

[/php]

and download.php
[php]

Download File From MySQL Database
<?php
$con = mysql_connect('localhost', 'username', 'password') or die(mysql_error());
$db = mysql_select_db('test', $con);
$query = "SELECT id, name FROM upload";
$result = mysql_query($query) or die('Error, query failed');
if (mysql_num_rows($result) == 0) {
    echo "Database is empty\n";
} else {
    while (list($id, $name) = mysql_fetch_array($result)) {
?>
<?php echo urlencode($name); ?>
<?php
    }
}
mysql_close();
?>
<?php
if (isset($_GET['id'])) {
    $con = mysql_connect('localhost', 'username', 'password') or die(mysql_error());
    $db = mysql_select_db('test', $con);
    $id = $_GET['id'];
    $query = "SELECT name, type, size, content " .
             "FROM upload WHERE id = '$id'";
    $result = mysql_query($query) or die('Error, query failed');
    list($name, $type, $size, $content) = mysql_fetch_array($result);
    header("Content-length: $size");
    header("Content-type: $type");
    header("Content-Disposition: attachment; filename=$name");
    ob_clean();
    flush();
    echo $content;
    mysql_close();
    exit;
}
?>
[/php]

Download script was something I downloaded but I have changed the tbl behind it as follows

Original tbl was
ID
Name
Type
Size
Content

I deleted that table and changed it to:

upid - Primary
ID - Refers to Login Table ID
Username - Refers to Login Username
Name
Type
Size
Content

Here is success.php (1st page after login)
[php]

<?php require_once('Connections/new.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
  function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
  {
    if (PHP_VERSION < 6) {
      $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    }

    $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

    switch ($theType) {
      case "text":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "long":
      case "int":
        $theValue = ($theValue != "") ? intval($theValue) : "NULL";
        break;
      case "double":
        $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
        break;
      case "date":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "defined":
        $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
        break;
    }
    return $theValue;
  }
}
?>
<?php require_once('Connections/new.php'); ?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
  function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
  {
    if (PHP_VERSION < 6) {
      $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    }

    $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

    switch ($theType) {
      case "text":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "long":
      case "int":
        $theValue = ($theValue != "") ? intval($theValue) : "NULL";
        break;
      case "double":
        $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
        break;
      case "date":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "defined":
        $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
        break;
    }
    return $theValue;
  }
}

$maxRows_Recordset1 = 10;
$pageNum_Recordset1 = 0;
if (isset($_GET['pageNum_Recordset1'])) {
  $pageNum_Recordset1 = $_GET['pageNum_Recordset1'];
}
$startRow_Recordset1 = $pageNum_Recordset1 * $maxRows_Recordset1;

$colname_Recordset1 = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_Recordset1 = $_SESSION['MM_Username'];
}
mysql_select_db($database_new, $new);
$query_Recordset1 = sprintf("SELECT id, username, password FROM login WHERE username = %s", GetSQLValueString($colname_Recordset1, "text"));
$query_limit_Recordset1 = sprintf("%s LIMIT %d, %d", $query_Recordset1, $startRow_Recordset1, $maxRows_Recordset1);
$Recordset1 = mysql_query($query_limit_Recordset1, $new) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);

if (isset($_GET['totalRows_Recordset1'])) {
  $totalRows_Recordset1 = $_GET['totalRows_Recordset1'];
} else {
  $all_Recordset1 = mysql_query($query_Recordset1);
  $totalRows_Recordset1 = mysql_num_rows($all_Recordset1);
}
$totalPages_Recordset1 = ceil($totalRows_Recordset1/$maxRows_Recordset1)-1;

$maxRows_Recordset2 = 10;
$pageNum_Recordset2 = 0;
if (isset($_GET['pageNum_Recordset2'])) {
  $pageNum_Recordset2 = $_GET['pageNum_Recordset2'];
}
$startRow_Recordset2 = $pageNum_Recordset2 * $maxRows_Recordset2;

$colname_Recordset2 = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_Recordset2 = $_SESSION['MM_Username'];
}
mysql_select_db($database_new, $new);
$query_Recordset2 = sprintf("SELECT * FROM upload WHERE username = %s", GetSQLValueString($colname_Recordset2, "text"));
$query_limit_Recordset2 = sprintf("%s LIMIT %d, %d", $query_Recordset2, $startRow_Recordset2, $maxRows_Recordset2);
$Recordset2 = mysql_query($query_limit_Recordset2, $new) or die(mysql_error());
$row_Recordset2 = mysql_fetch_assoc($Recordset2);

if (isset($_GET['totalRows_Recordset2'])) {
  $totalRows_Recordset2 = $_GET['totalRows_Recordset2'];
} else {
  $all_Recordset2 = mysql_query($query_Recordset2);
  $totalRows_Recordset2 = mysql_num_rows($all_Recordset2);
}
$totalPages_Recordset2 = ceil($totalRows_Recordset2/$maxRows_Recordset2)-1;
?>
Untitled Document

Hello <?php echo $_SESSION['MM_Username']?> !

 

<?php do { ?> <?php } while ($row_Recordset1 = mysql_fetch_assoc($Recordset1)); ?>
id username password
<?php echo $row_Recordset1['id']; ?> <?php echo $row_Recordset1['username']; ?> <?php echo $row_Recordset1['password']; ?>
[/php]

There are a few issues.

1. You are using deprecated mysql_ functions. That is a big security risk and, when you upgrade your PHP version, it will no longer work. Switch to mysqli_ or PDO. Then start using prepared statements. They prevent SQL injection attacks.

Your sql string should be along the lines of

[php]SELECT id, name FROM upload WHERE id = uid[/php]

And the uid should come from a session variable created at login, getting the user's id from the login or users table.

Ah ok, I only really know dreamweaver lol and little bits of coding, Going to learn PDO once this is complete and then rebuild the entire thing.

Are you able to help me at the minute as is?

So I have a session at the moment for MM_Username, do I need to code another session for ID?

If so would I just change this area:

[php]//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup; [/php]

to
[php]//declare two session variables and assign them
$_SESSION['MM_ID'] = $loginID;
$_SESSION['MM_UserGroup'] = $loginStrGroup; [/php]

I understand what you mean just not 100% how to implement as DW usually does this

After login assign the uid to the session variable.

Then change your statement like above limiting what is returned to only include files from that user.

Dreamweaver is bad. For html it bloats markup for php it is downright dangerous.

So I would assign the UID in the success.php page at the top?

You would do it where you assign the other session variables.

ok, I added [php]$_SESSION['MM_Username'] = $loginUsername;
$_SESSION("MM_UserID") = $loginID;
$_SESSION['MM_UserGroup'] = $loginStrGroup; [/php] to login.php

and now it returns with : Fatal error: Can’t use function return value in write context in C:\xampp\htdocs\ridge\new.php on line 71

Look at the difference,

$_SESSION("MM_UserID") = $loginID;
$_SESSION['MM_UserGroup'] = $loginStrGroup;

Ah ok didn’t notice that. Fixed that bit :slight_smile: Thanks

Login page works again and loads to success.php

I added just to test it - Hello <?php echo $_SESSION['MM_Username']?> !
Hello <?php echo $_SESSION['MM_UserID']?> !

Now on Success I get Hello Alex! Hello! So I’m still missing something as no ID is displayed but no errors

Did you retrieve the user id from the database?

Hi, I got a little help from another guy who did it another way without using the ID, I think I was getting in a muddle and getting loads of things mixed up.

I managed to get part of it working with doing this:

[php]
echo 'Uploaded Files';

// get the files belonging to the logged in user
$result = mysql_query('SELECT upid, name, size FROM upload WHERE username=\''.mysql_real_escape_string($_SESSION['MM_Username']).'\'');

// check query did execute without errors
if($result)
{
    // output each file
    while($row = mysql_fetch_assoc($result))
    {
        // set a link to download.php passing the files upid as a query string parameter
        echo '<a href="download.php?upid='.$row['upid'].'">'.$row['name'].'</a> - '.$row['size'].'<br />';
    }
// query did not execute, log or show error message
} else {
    trigger_error('Cannot get users files from database: ' . mysql_error());
}
[/php]

And this now displays only the files for that username, however, the download part isn’t working

I have

[php]

<?php
session_start();

// very basic check to see if user is logged in
if(!isset($_SESSION['MM_Username']))
{
    // kill the script display warning.
    die('Unauthorised accessed. You must be logged in to access this file');
}

// Has a file id been passed?
if(isset($_GET['upid']) && ctype_digit($_GET['upid']))
{
    // fetch the file where the upid matches
    $result = mysql_query('SELECT name, type, size, content FROM upload WHERE upid='.intval($_GET['upid']));

    // query executed ok
    if($result)
    {
        // get the files details
        list($name, $type, $size, $content) = mysql_fetch_row($result);

        // present file for download
        header("Content-length: $size");
        header("Content-type: $type");
        header("Content-Disposition: attachment; name=$name");
        echo $content;
        exit;
    }
}
[/php]

saved as download.php but it's just returning a blank page with http://scotair.noip.me/download1.php?upid=1 in the url and nothing else showing, no errors etc

Resolved
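
The last download.php above checks that someone is logged in but selects by upid alone, so the listing is filtered per user while the download is not. The following is an added example, not code from the thread, of a download lookup scoped to the session's username with PDO prepared statements. It assumes an in-memory SQLite table standing in for the MySQL `upload` table, constructed rows, PDF-only content, and the hypothetical helper names `fetchOwnedFile()` and `downloadHeaders()`.

```php
<?php
// Added example (not from the thread): fetchOwnedFile() and downloadHeaders()
// are hypothetical names. SQLite in memory stands in for MySQL; rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE upload (upid INTEGER PRIMARY KEY, username TEXT,
            name TEXT, type TEXT, size INTEGER, content BLOB)');
$ins = $pdo->prepare('INSERT INTO upload (username, name, type, size, content)
                      VALUES (?, ?, ?, ?, ?)');
$ins->execute(['alex', 'Invoice1.pdf', 'application/pdf', 9, '%PDF-alex']);
$ins->execute(['HL2283', 'Invoice 2.pdf', 'application/pdf', 9, '%PDF-hl22']);

// Return the row only when upid exists AND belongs to $username; otherwise null.
function fetchOwnedFile(PDO $pdo, string $username, $upid): ?array
{
    // Arrays, negative numbers, empty strings and non-numeric text stop here.
    if (!is_string($upid) || !ctype_digit($upid)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name, content FROM upload
                           WHERE upid = ? AND username = ?');
    $stmt->execute([(int) $upid, $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Build the response headers without trusting the stored name or size fields.
function downloadHeaders(array $file): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $file['name']);
    return [
        'Content-Type: application/pdf', // assumption: this area serves PDFs only
        'Content-Length: ' . strlen($file['content']),
        'Content-Disposition: attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// alex requests his own upid, a upid owned by HL2283, and a non-numeric value.
foreach (['1', '2', '1 OR 1=1'] as $requested) {
    $file = fetchOwnedFile($pdo, 'alex', $requested);
    echo $requested, ' => ',
         $file ? implode(' | ', downloadHeaders($file)) : '404 Not Found', "\n";
}
// In download.php the username comes from $_SESSION['MM_Username'] and the id
// from $_GET['upid']; on null send http_response_code(404), otherwise pass each
// header to header() and then echo $file['content'].
```

Answering a missing upid and another customer's upid with the same 404 keeps the response from confirming which ids exist.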
