>>function pic_upload($userid)
>>{
>>if (is_uploaded_file($_FILES['devpicture']['tmp_name']))
>>{
>>$filename = $_FILES['devpicture']['tmp_name'];
>>$realname = $_FILES['devpicture']['name'];
>>$username = $userid.".jpg";
>>copy($_FILES['devpicture']['tmp_name'], "c:/apache/htdocs/os-seek/photos\\".$username);
>>$username;
>>}
>>else
>>{
>>echo "Possible file upload attack: filename ".$_FILES['devpicture']['name'].".<br>";
>>}
>>}
>>-------------------------------------------
>>and then the updating
>>-------------------------------------------
>>pic_upload($id);
>>$query = "UPDATE os_developers SET devpicture = '$username' WHERE devid = $id";
>>$result = mysql_query($query) or die(mysql_error());

I don't exactly know what is wrong, but I can definitely tell you that you have two gaping security holes with this code. Unless you're doing checks that you did not show (which is highly likely), $username and $id can be set to anything. I'm not exactly sure how important/unimportant some of that stuff is, but you might want to make sure you kill off MySQL comment code inside there and other possible exploits.

The other problem with your code is that you're not debugging it. Set up echo statements here and there to make sure variables are defined as you think they are. That's the biggest mistake I see myself and others make, not defining variables as I think I am.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
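
An added example, not part of the original thread and not the poster's code: one way to close the two holes the reply points at, by validating the id, building the file name from that validated value only, and binding both values in a prepared statement. It uses PDO in place of the `mysql_*` calls in the post; the `$db` handle, the function name `pic_upload_checked`, the `$photoDir` parameter and the `$_POST['id']` source are assumptions.

```php
<?php
// Added example. Assumes a connected PDO handle ($db) and a photo directory
// ($photoDir); the table and column names are the ones shown in the post.

function pic_upload_checked(PDO $db, $rawId, array $file, string $photoDir): string
{
    // Accept only a positive decimal integer, so the id cannot carry quotes,
    // SQL comment markers or path separators.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('devid must be a positive integer');
    }

    // The upload must have succeeded and must belong to this HTTP request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload received');
    }

    // Check the file content, not the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/jpeg') {
        throw new RuntimeException('only JPEG images are accepted');
    }

    // The stored name is derived from the validated integer only.
    $username = $id . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $photoDir . DIRECTORY_SEPARATOR . $username)) {
        throw new RuntimeException('could not store the upload');
    }

    // Bound parameters: the values never become part of the SQL text.
    $stmt = $db->prepare('UPDATE os_developers SET devpicture = :pic WHERE devid = :id');
    $stmt->bindValue(':pic', $username, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $username;
}

// Usage inside the form handler ($db, $_POST['id'] and the path are assumptions):
// $username = pic_upload_checked($db, $_POST['id'], $_FILES['devpicture'],
//                                'c:/apache/htdocs/os-seek/photos');
```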