How to resize an image and prevent MySQL injections?

I wrote this just recently but would like to resize the image instead of setting a limit of 5 MB. Also, how can I prevent MySQL injection on this page? Thanks
<?php
session_start();
$error = "";

//error_reporting(E_ALL);

// image upload folder
$image_folder = 'images/classified/';
// fieldnames in form
$all_file_fields = array('image1', 'image2', 'image3', 'image4');
// allowed filetypes
$file_types = array('jpg', 'gif', 'png', 'pdf');
// max filesize 5mb (in bytes)
$max_size = 5000000;
//echo'<pre>';print_r($_FILES);exit;

$time = time();
$count = 1;
// four image slots, empty string when no file was uploaded for that slot
$images = array_fill(1, 4, '');

foreach ($all_file_fields as $fieldname) {
    if ($_FILES[$fieldname]['name'] != '') {

        // extension taken from the last three characters of the client's filename
        $type = substr($_FILES[$fieldname]['name'], -3, 3);

        // check filetype
        if (in_array(strtolower($type), $file_types)) {

            // check filesize
            if ($_FILES[$fieldname]['size'] > $max_size) {
                $error = "File too big. Max filesize is " . $max_size . " bytes";
            } else {

                // new filename ($myusername is expected to be set earlier)
                $filename = str_replace(' ', '', $myusername) . '_' . $time . '_' . $count . '.' . $type;

                // move/upload file
                $target_path = $image_folder . basename($filename);
                move_uploaded_file($_FILES[$fieldname]['tmp_name'], $target_path);

                // save array with filenames
                $images[$count] = $image_folder . $filename;
                $count = $count + 1;

            } //end if

        } else {
            $error = "Please use jpg, gif, png or pdf files";
        } //end if
    } //end if
} //end foreach

if ($error != '') {
    echo $error;
} else {

    /* --------------------------------------------------------------------------------------------------
    SAVE TO DATABASE ------------------------------------------------------------------------------------
    -------------------------------------------------------------------------------------------------- */

    $con = mysql_connect("localhost", "", "");
    if (!$con) { die('Could not connect: ' . mysql_error()); }

    // if residential
    if ($_POST['type'] == "residential") {
        mysql_select_db("", $con);
        $sql = "INSERT INTO apartments (username, title, county, town, type, description, phone, rooms, bath, square, rent, fees, imageurl1, imageurl2, imageurl3, imageurl4) VALUES ('".$myusername."', '".$_POST['title']."', '".$_POST['county']."', '".$_POST['town']."', '".$_POST['type']."', '".$_POST['description']."','".$_POST['phone']."','".$_POST['rooms']."','".$_POST['bath']."','".$_POST['square']."','".$_POST['rent']."','".$_POST['fees']."','".$images[1]."','".$images[2]."','".$images[3]."','".$images[4]."')";

        $result = mysql_query($sql) or die(mysql_error());
    }

    // if commercial
    else if ($_POST['type'] == "commercial") {
        mysql_select_db("", $con);
        $sql = "INSERT INTO comm (username, title, county, town, type, description, phone, rooms, bath, square, rent, fees, imageurl1, imageurl2, imageurl3, imageurl4) VALUES ('".$myusername."', '".$_POST['title']."', '".$_POST['county']."', '".$_POST['town']."', '".$_POST['type']."', '".$_POST['description']."','".$_POST['phone']."','".$_POST['rooms']."','".$_POST['bath']."','".$_POST['square']."','".$_POST['rent']."','".$_POST['fees']."','".$images[1]."','".$images[2]."','".$images[3]."','".$images[4]."')";

        $result = mysql_query($sql) or die(mysql_error());
    }

    echo "<p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><br /><h1>You Have Successfully Posted</h1>";
    echo "<p>&nbsp;</p><p>&nbsp;</p><br /><a href='index.php'>go to your ACCOUNT page</a>";

} //end if
?>


genesisvh asked:

h2g2guy commented:
The best way to prevent SQL injections is to pass any data you get from the client through a method called mysql_real_escape_string(). This will escape any quotation marks that might get you into trouble. Depending on how PHP is set up on your server, you may need to run it through a separate method before that, because it may be automatically escaping some naughty characters already.

With regards to resizing images, check out this freely-usable code that I just came across: http://www.white-hat-web-design.co.uk/articles/php-image-resizing.php

It's a PHP class that can do most any resizing job you need in less than 10 extra lines of code. The only adjustment I would make would be to use include_once() rather than include(), because here I think it would be much better practice.
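As an added example (not code from the answer above or from the asker's script), the question's INSERT rewritten with a mysqli prepared statement: it covers the same risk the answer addresses with mysql_real_escape_string(), but the driver keeps the values apart from the SQL text instead of escaping them into it. It assumes the username is in $_SESSION['myusername'], uses placeholder connection details, and needs PHP 5.6 or later for the ...$values argument unpacking.

```php
<?php
// Added example (not the answer's or the asker's code): the question's listing
// INSERT as a mysqli prepared statement. Column names are the question's;
// connection details are placeholders. Needs PHP 5.6+ for "...$values".

function undo_magic_quotes($value) {
    // Older PHP may already have backslash-escaped $_POST ("magic quotes", the
    // automatic escaping the answer mentions); undo it so the driver sees the
    // raw value and escaping happens exactly once, inside the driver.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

function save_listing(mysqli $con, $table, $username, array $post, array $images) {
    // Table names cannot be bound as parameters, so the table is picked
    // server-side from a fixed list and never taken from the client.
    if (!in_array($table, array('apartments', 'comm'), true)) {
        throw new InvalidArgumentException('unknown listing table');
    }
    $fields = array('title', 'county', 'town', 'type', 'description', 'phone',
                    'rooms', 'bath', 'square', 'rent', 'fees');
    $values = array($username);
    foreach ($fields as $f) {
        $values[] = isset($post[$f]) ? undo_magic_quotes($post[$f]) : '';
    }
    for ($i = 1; $i <= 4; $i++) {
        $values[] = isset($images[$i]) ? $images[$i] : '';
    }
    $sql = "INSERT INTO $table (username, title, county, town, type, description, "
         . "phone, rooms, bath, square, rent, fees, imageurl1, imageurl2, imageurl3, "
         . "imageurl4) VALUES (" . implode(', ', array_fill(0, 16, '?')) . ")";
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // Values travel separately from the SQL text, so quotes or comment markers
    // typed into the form can never change the statement's structure.
    $stmt->bind_param(str_repeat('s', 16), ...$values);
    if (!$stmt->execute()) {
        throw new RuntimeException('insert failed: ' . $stmt->error);
    }
    return $stmt->insert_id;
}

// Usage (placeholders for the connection; $images as filled by the upload loop):
$con   = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$table = ($_POST['type'] === 'commercial') ? 'comm' : 'apartments';
$newId = save_listing($con, $table, $_SESSION['myusername'], $_POST, $images);
```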
genesisvh (author) commented:
Where in my script can I include SimpleImage.php if I want to upload images from a form?
h2g2guy commented:
Include it at the top of any script that needs to be able to resize an image. Where you put THAT code largely depends on the functioning of the entire website.
genesisvh (author) commented:
OK, so I tried this and it didn't work. Any suggestions? These were my errors.

Warning: getimagesize() [function.getimagesize]: Filename cannot be empty in /../SimpleImage.php on line 28

Warning: imagesx(): supplied argument is not a valid Image resource in /../SimpleImage.php on line 60

Warning: imagejpeg(): supplied argument is not a valid Image resource in /../SimpleImage.php on line 40
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 'On');
include('SimpleImage.php');
$image = new SimpleImage();
$error = "";
//error_reporting(E_ALL);

// image upload folder
$image_folder = 'images/classified/';
// fieldnames in form
$all_file_fields = array('image1', 'image2', 'image3', 'image4');
// allowed filetypes
$file_types = array('jpg', 'gif', 'png');
// max filesize 5mb (in bytes)
$max_size = 5000000;
//echo'<pre>';print_r($_FILES);exit;

$time = time();
$count = 1;
// four image slots, empty string when no file was uploaded for that slot
$images = array_fill(1, 4, '');

foreach ($all_file_fields as $fieldname) {
    if ($_FILES[$fieldname]['name'] != '') {

        // extension taken from the last three characters of the client's filename
        $type = substr($_FILES[$fieldname]['name'], -3, 3);

        // check filetype
        if (in_array(strtolower($type), $file_types)) {

            // check filesize
            if ($_FILES[$fieldname]['size'] > $max_size) {
                $error = "File too big. Max filesize is " . $max_size . " bytes";
            } else {

                // new filename ($myusername is expected to be set earlier)
                $filename = str_replace(' ', '', $myusername) . '_' . $time . '_' . $count . '.' . $type;

                // move/upload file: this reads the 'uploaded_image' field, not $fieldname
                $image->load($_FILES['uploaded_image']['tmp_name']);
                if ($image->getWidth() > 150) { // if the image is wider than 150
                    $image->resizeToWidth(150); // resize to 150
                }
                $target_path = $image_folder . basename($filename); // image path

                $image->save($target_path); // save image to a directory

                // save array with filenames
                $images[$count] = $image_folder . $filename;
                $count = $count + 1;

            } //end if

        } else {
            $error = "Please use jpg, gif, png files";
        } //end if
    } //end if
} //end foreach

if ($error != '') {
    echo $error;
} else {

    /* --------------------------------------------------------------------------------------------------
    SAVE TO DATABASE ------------------------------------------------------------------------------------
    -------------------------------------------------------------------------------------------------- */

} //end if
?>


genesisvh (author) commented:
Does anyone know what the errors above mean? What am I doing wrong?
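The per-field upload loop from the post above, as an added example that is neither the asker's script nor the SimpleImage class: it reads each form field by its own name, checks the file by content with getimagesize() rather than by the last three characters of the client's filename, shrinks anything wider than 150 pixels with GD (the functions a class like SimpleImage wraps), and saves under a server-generated name. $username is assumed to be set by the caller; the folder and size limit are the post's values passed as arguments.

```php
<?php
// Added example (not the asker's script or SimpleImage): validate and resize each
// uploaded image with GD, keyed by the form field names from the post.
// Assumes $username is set by the caller; folder and size limit are arguments.
function process_upload($fieldname, $image_folder, $max_size, $username, $count) {
    if (!isset($_FILES[$fieldname]) || $_FILES[$fieldname]['error'] === UPLOAD_ERR_NO_FILE) {
        return null;                               // slot left empty in the form
    }
    $tmp = $_FILES[$fieldname]['tmp_name'];
    if ($_FILES[$fieldname]['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)
        || filesize($tmp) > $max_size) {
        throw new RuntimeException("$fieldname: upload failed or larger than $max_size bytes");
    }
    // Decide the type from the file's content, not from the client-supplied name.
    $info    = @getimagesize($tmp);
    $loaders = array(IMAGETYPE_JPEG => 'imagecreatefromjpeg',
                     IMAGETYPE_PNG  => 'imagecreatefrompng',
                     IMAGETYPE_GIF  => 'imagecreatefromgif');
    if ($info === false || !isset($loaders[$info[2]])) {
        throw new RuntimeException("$fieldname: only jpg, gif or png images are accepted");
    }
    $src = $loaders[$info[2]]($tmp);
    if ($src === false) { throw new RuntimeException("$fieldname: could not decode image"); }
    list($w, $h) = $info;                          // width and height in pixels
    $maxw = 150;                                   // same width limit as the post
    if ($w > $maxw) {                              // shrink, keeping the aspect ratio
        $nh  = (int) round($h * $maxw / $w);
        $dst = imagecreatetruecolor($maxw, $nh);
        imagecopyresampled($dst, $src, 0, 0, 0, 0, $maxw, $nh, $w, $h);
        imagedestroy($src);
        $src = $dst;
    }
    // Name built only from server-side values; extension from the detected type.
    $ext      = image_type_to_extension($info[2], false);
    $filename = preg_replace('/[^A-Za-z0-9_]/', '', $username) . "_" . time() . "_$count.$ext";
    $target   = rtrim($image_folder, '/') . '/' . $filename;
    $savers   = array(IMAGETYPE_JPEG => 'imagejpeg', IMAGETYPE_PNG => 'imagepng', IMAGETYPE_GIF => 'imagegif');
    if (!$savers[$info[2]]($src, $target)) {
        throw new RuntimeException("could not write $target");
    }
    imagedestroy($src);
    return $target;
}

// Usage: same field names as the post; $images[1..4] hold the saved paths ('' if empty).
$images = array_fill(1, 4, ''); $count = 1;
foreach (array('image1', 'image2', 'image3', 'image4') as $fieldname) {
    $path = process_upload($fieldname, 'images/classified/', 5000000, $username, $count);
    if ($path !== null) { $images[$count++] = $path; }
}
```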