How to resize an image and prevent MySQL injections?

I wrote this just recently but would like to resize the image instead of setting a limit of 5 MB. Also, how can I prevent MySQL injection on this page? Thanks
<?php 
session_start();
$error="";

//error_reporting(E_ALL); 


	// image upload folder
    $image_folder = 'images/classified/'; 
	// fieldnames in form
	$all_file_fields = array('image1', 'image2' ,'image3', 'image4');
	// allowed filetypes
	$file_types = array('jpg','gif','png','pdf');
	// max filesize 5mb
	$max_size = 5000000;
	//echo'<pre>';print_r($_FILES);exit;
	
	$time = time();
	$count = 1;
	// one slot per image field, so the INSERT below never reads an undefined index
	$images = array(1 => '', 2 => '', 3 => '', 4 => '');
	
	foreach($all_file_fields as $fieldname){ 
		if($_FILES[$fieldname]['name'] != ''){
			
			$type = substr($_FILES[$fieldname]['name'], -3, 3);
						
			// check filetype
			if(in_array(strtolower($type), $file_types)){
				
				//check filesize
				if($_FILES[$fieldname]['size']>$max_size){
					$error = "File too big. Max filesize is ".($max_size/1000000)." MB";
				
				}else{
				
					// new filename	
					$filename = str_replace(' ','',$myusername).'_'.$time.'_'.$count.'.'.$type;
			
					// move/upload file
					$target_path = $image_folder.basename($filename);
					move_uploaded_file($_FILES[$fieldname]['tmp_name'], $target_path);
				
					//save array with filenames
					$images[$count] = $image_folder.$filename;
					$count = $count+1;

				}//end if

			}else{ $error = "Please use jpg, gif, png or pdf files";
			
			}//end if
		}//end if
	}//end foreach



if($error != ''){ echo $error;	
}else{


/* --------------------------------------------------------------------------------------------------
SAVE TO DATABASE ------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------- */


$con = mysql_connect("localhost","","");
if (!$con){die('Could not connect: ' . mysql_error());}

// if residential
if($_POST['type'] == "residential"){
		mysql_select_db("", $con);
		$sql = "INSERT INTO apartments (username, title, county, town, type, description, phone, rooms, bath, square, rent, fees, imageurl1, imageurl2, imageurl3, imageurl4) VALUES ('".$myusername."', '".$_POST['title']."', '".$_POST['county']."', '".$_POST['town']."', '".$_POST['type']."', '".$_POST['description']."','".$_POST['phone']."','".$_POST['rooms']."','".$_POST['bath']."','".$_POST['square']."','".$_POST['rent']."','".$_POST['fees']."','".$images[1]."','".$images[2]."','".$images[3]."','".$images[4]."')";

		$result = mysql_query($sql) or die(mysql_error());
}


// if commercial
else if($_POST['type'] == "commercial"){
		mysql_select_db("", $con);
		$sql = "INSERT INTO comm (username, title, county, town, type, description, phone, rooms, bath, square, rent, fees, imageurl1, imageurl2, imageurl3, imageurl4) VALUES ('".$myusername."', '".$_POST['title']."', '".$_POST['county']."', '".$_POST['town']."', '".$_POST['type']."', '".$_POST['description']."','".$_POST['phone']."','".$_POST['rooms']."','".$_POST['bath']."','".$_POST['square']."','".$_POST['rent']."','".$_POST['fees']."','".$images[1]."','".$images[2]."','".$images[3]."','".$images[4]."')";

		$result = mysql_query($sql) or die(mysql_error());
}


	echo "<p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><br /><h1>You Have Successfully Posted</h1>";
	echo "<p>&nbsp;</p><p>&nbsp;</p><br /><a href='index.php'>go to your ACCOUNT page</a>";

	
}//end if		
	
	?>


genesisvhAsked:
h2g2guyCommented:
The best way to prevent SQL injections is to pass any data you get from the client through a method called mysql_real_escape_string().  This will escape any quotation marks that might get you into trouble.  Depending on how PHP is set up on your server, you may need to run it through a separate method before that, because it may be automatically escaping some naughty characters already.

With regards to resizing images, check out this freely-usable code that I just came across:  http://www.white-hat-web-design.co.uk/articles/php-image-resizing.php

It's a PHP class that can do almost any resizing job you need in less than 10 extra lines of code. The only adjustment I would make would be to use include_once() rather than include(), because here I think it would be much better practice.
0
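As an added example (not code from the question or from the answer above), here is the INSERT from the question rewritten so that request data never becomes part of the SQL text. The answer recommends mysql_real_escape_string() for the old mysql_ extension; this goes one step further and uses PDO prepared statements, which bind values separately from the statement and do not depend on remembering to escape at every site. The "separate method before that" the answer alludes to is magic_quotes_gpc, handled by rawInput(). Table, column and form-field names are taken from the question's query; the DSN and credentials are placeholders, and $myusername is assumed to be set by the login check, as in the question.

```php
<?php
// Added example, not part of the original thread. Assumes PDO with the MySQL driver,
// the apartments/comm tables from the question, and $myusername set at login.

// If magic_quotes_gpc is on (pre-5.4 installs), input arrives pre-escaped; undo that
// so the database driver sees the raw value and binds it exactly once.
function rawInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('rawInput', $value) : stripslashes($value);
    }
    return $value;
}

// Only two table names are legal; the table name is never built from raw input.
$tables = array('residential' => 'apartments', 'commercial' => 'comm');

function saveListing(PDO $db, $username, array $post, array $images, array $tables)
{
    if (!isset($post['type'], $tables[$post['type']])) {
        throw new InvalidArgumentException('Unknown listing type');
    }
    $table = $tables[$post['type']];   // whitelisted constant, safe to interpolate

    // Server-side checks the original script skipped: numeric columns must be numeric.
    foreach (array('rooms', 'bath', 'square', 'rent', 'fees') as $numField) {
        if (!isset($post[$numField]) || !is_numeric($post[$numField])) {
            throw new InvalidArgumentException("$numField must be numeric");
        }
    }

    $sql = "INSERT INTO $table (username, title, county, town, type, description, phone,
                rooms, bath, square, rent, fees, imageurl1, imageurl2, imageurl3, imageurl4)
            VALUES (:username, :title, :county, :town, :type, :description, :phone,
                :rooms, :bath, :square, :rent, :fees, :img1, :img2, :img3, :img4)";
    $stmt = $db->prepare($sql);

    $params = array(':username' => $username, ':type' => $post['type']);
    foreach (array('title', 'county', 'town', 'description', 'phone',
                   'rooms', 'bath', 'square', 'rent', 'fees') as $field) {
        $params[':' . $field] = isset($post[$field]) ? rawInput($post[$field]) : '';
    }
    for ($i = 1; $i <= 4; $i++) {
        $params[':img' . $i] = isset($images[$i]) ? $images[$i] : '';
    }

    // Values travel to the server separately from the statement text, so a title such
    // as "O'Reilly" or one containing quotes and semicolons is stored literally.
    $stmt->execute($params);
    return (int) $db->lastInsertId();
}

// Placeholder connection settings. Emulated prepares are turned off so MySQL itself
// binds the parameters instead of the client library interpolating them.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8',
              'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
              array(PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false));

$listingId = saveListing($db, $myusername, $_POST, isset($images) ? $images : array(), $tables);
```

Because the two branches of the original differ only in the table name, one function with a whitelist replaces the duplicated query; the whitelist is what keeps the interpolated $table safe, since nothing from the request is ever spliced into the SQL string.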
 
genesisvhAuthor Commented:
Where in my script can I include SimpleImage.php if I'm to upload images from a form?
0
 
h2g2guyCommented:
Include it at the top of any script that needs to be able to resize an image.  Where you put THAT code largely depends on the functioning of the entire website.
0
 
genesisvhAuthor Commented:
OK, so I tried this and it didn't work. Any suggestions? These were my errors.

Warning: getimagesize() [function.getimagesize]: Filename cannot be empty in /../SimpleImage.php on line 28

Warning: imagesx(): supplied argument is not a valid Image resource in /../SimpleImage.php on line 60

Warning: imagejpeg(): supplied argument is not a valid Image resource in /../SimpleImage.php on line 40
<?php 
session_start();
error_reporting(E_ALL);
ini_set('display_errors','On');
include('SimpleImage.php');
      $image = new SimpleImage();    
//error_reporting(E_ALL); 


	// image upload folder
    $image_folder = 'images/classified/'; 
	// fieldnames in form
	$all_file_fields = array('image1', 'image2' ,'image3', 'image4');
	// allowed filetypes
	$file_types = array('jpg','gif','png');
	// max filesize 5mb
	$max_size = 5000000;
	//echo'<pre>';print_r($_FILES);exit;
	
	$time = time();
	$count = 1;
	// one slot per image field, so the INSERT below never reads an undefined index
	$images = array(1 => '', 2 => '', 3 => '', 4 => '');
	
	foreach($all_file_fields as $fieldname){ 
		if($_FILES[$fieldname]['name'] != ''){
			
			$type = substr($_FILES[$fieldname]['name'], -3, 3);
						
			// check filetype
			if(in_array(strtolower($type), $file_types)){
				
				//check filesize
				if($_FILES[$fieldname]['size']>$max_size){
					$error = "File too big. Max filesize is ".($max_size/1000000)." MB";
				
				}else{
				
					// new filename	
					$filename = str_replace(' ','',$myusername).'_'.$time.'_'.$count.'.'.$type;
			
					// move/upload file
					$image->load($_FILES['uploaded_image']['tmp_name']);
					if($image->getWidth() > 150) { //if the image is larger that 150.
						$image->resizeToWidth(150); //resize to 150.
					}
					$target_path = $image_folder.basename($filename); //image path.
					
					$image->save($target_path); //save image to a directory.					
				
					//save array with filenames
					$images[$count] = $image_folder.$filename;
					$count = $count+1;

				}//end if

			}else{ $error = "Please use jpg, gif, png files";
			
			}//end if
		}//end if
	}//end foreach



if($error != ''){ echo $error;	
}else{


/* --------------------------------------------------------------------------------------------------
SAVE TO DATABASE ------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------- */
?>


0
 
genesisvhAuthor Commented:
Does anyone know what the errors above mean? What am I doing wrong?
0
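The three warnings in the post above share one cause: the loop iterates over the form fields image1 to image4, but the load call reads $_FILES['uploaded_image'], a field that does not exist, so getimagesize() receives an empty filename and every later GD call gets an invalid resource. As an added example (not code from the thread or from SimpleImage.php), here is an upload-and-resize function written directly against the GD extension, so it is self-contained. It also replaces the extension check on the last three letters of the client's filename with a check on the file's actual bytes, and re-encodes the image on save. GD, the image1..image4 field names, the images/classified folder, the 150-pixel width and the 5 MB limit are assumptions taken from the question; $myusername is assumed to be set at login.

```php
<?php
// Added example, not part of the original thread. Assumes the GD extension is loaded,
// form fields image1..image4 as in the question, and $myusername set at login.

function processUploadedImage(array $file, $folder, $prefix, $maxWidth = 150, $maxBytes = 5000000)
{
    // Each $_FILES entry reports its own upload status; check it before touching tmp_name.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too big. Max filesize is ' . ($maxBytes / 1000000) . ' MB');
    }

    // Detect the real image type from the file contents, not from the client-supplied name.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not a valid image');
    }
    $codecs = array(
        IMAGETYPE_JPEG => array('imagecreatefromjpeg', 'imagejpeg', 'jpg'),
        IMAGETYPE_PNG  => array('imagecreatefrompng',  'imagepng',  'png'),
        IMAGETYPE_GIF  => array('imagecreatefromgif',  'imagegif',  'gif'),
    );
    if (!isset($codecs[$info[2]])) {
        throw new RuntimeException('Please use jpg, gif, png files');
    }
    list($create, $write, $ext) = $codecs[$info[2]];

    $src = $create($file['tmp_name']);
    if ($src === false) {
        throw new RuntimeException('Could not decode image');
    }
    $width  = imagesx($src);
    $height = imagesy($src);

    // Resize only when wider than the limit, keeping the aspect ratio.
    if ($width > $maxWidth) {
        $newHeight = (int) round($height * $maxWidth / $width);
        $dst = imagecreatetruecolor($maxWidth, $newHeight);
        if ($info[2] === IMAGETYPE_PNG) {
            // keep the alpha channel for PNG output (GIF transparency is not carried over here)
            imagealphablending($dst, false);
            imagesavealpha($dst, true);
        }
        imagecopyresampled($dst, $src, 0, 0, 0, 0, $maxWidth, $newHeight, $width, $height);
        imagedestroy($src);
        $src = $dst;
    }

    // Server-generated filename: the client's filename never reaches the filesystem,
    // and the extension comes from the detected type.
    $safePrefix = preg_replace('/[^A-Za-z0-9_]/', '', $prefix);
    $filename   = $safePrefix . '_' . time() . '_' . mt_rand(1000, 9999) . '.' . $ext;
    $target     = rtrim($folder, '/') . '/' . $filename;

    $ok = $write($src, $target);   // re-encoding writes only pixel data to the new file
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('Could not save image');
    }
    return $target;
}

// Replacement for the loop in the question: pass $_FILES[$fieldname], not $_FILES['uploaded_image'].
$images = array(1 => '', 2 => '', 3 => '', 4 => '');
$errors = array();
$count  = 1;
foreach (array('image1', 'image2', 'image3', 'image4') as $fieldname) {
    if (!isset($_FILES[$fieldname]) || $_FILES[$fieldname]['error'] === UPLOAD_ERR_NO_FILE) {
        continue;   // an empty field is allowed, not an error
    }
    try {
        $images[$count] = processUploadedImage($_FILES[$fieldname], 'images/classified', $myusername);
        $count++;
    } catch (RuntimeException $e) {
        $errors[] = $fieldname . ': ' . $e->getMessage();
    }
}
```

The $images array produced here has the same shape the question's INSERT expects (indexes 1 to 4, empty strings for unused slots), so it can feed the database step unchanged; $errors replaces the single $error string so that a failure on image3 does not silently overwrite a message about image1.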