Categories
HTML MVC PHP

Picture Uploads in PHP MVC Applications

Basic picture file uploads are handled on the client-side by a form and on the server-side by a script moving a cached temporary file to a permanent location while recording the appropriate path information to database. In this post, we will elaborate on each of these portions.

The HTML Form

For forms to upload files correctly, 2 requirements must be met: a named file input must be included in the form and the encoding type must be appropriately. We show below an example proper form:

  1. <form action='' method='post' enctype='multipart/form-data'>
  2.   <div class='form-group'>
  3.     <label>Picture:
  4.       <input type='file' name='newPicture' class='form-control' />
  5.     </label>
  6.   </div>
  7.   <div class='form-group'>
  8.     <label>Description:
  9.       <textarea name='description' class='form-control'></textarea>
  10.     </label>
  11.   </div>
  12.   <input type='submit' name='action' value='Add picture' class='btn btn-primary' />
  13.   <a href='/product/index' class='btn btn-secondary'>Cancel</a>
  14. </form>

First, we see on line 1 that the enctype attribute for the form is set to multipart/form-data. This encodes the submitted form data with different parts for different data, much like an email with attachments included. If the form enctype attribute to this value, the file is simply not received by the server application.

Second, we see on line 4 an input with the type attribute set to the value file. This input also has the attribute name set to newPicture so that we may refer to it by this name in the server script.

The submit URL for this form will be the same as its calling URL.

The PHP Script

Now, a server-side script must receive the form data, check the data and save the file as appropriate:

  1. public function addPicture($product_id){
  2.   if(isset($_FILES['newPicture']) 
  3.     && $_FILES['newPicture']['error'] == UPLOAD_ERR_OK){
  4.     $info = getimagesize($_FILES['newPicture']['tmp_name']);
  5.     $allowedTypes = [IMAGETYPE_JPEG=>'.jpg',
  6.                      IMAGETYPE_PNG=>'.png',
  7.                      IMAGETYPE_GIF=>'.gif'];//accept jpg, png, gif
  8.     if($info === false){ // no go
  9.       $this->view('product/addPicture', ['error'=>'Bad file format']);
  10.     }else if(!array_key_exists($info[2], $allowedTypes)){ // no go
  11.       $this->view('product/addPicture', 
  12.         ['error'=>'Not an accepted file type']);
  13.     }else{
  14.       //save the picture in the images folder
  15.       $path = getcwd().DIRECTORY_SEPARATOR.'images'.DIRECTORY_SEPARATOR;
  16.       $filename = uniqid().$allowedTypes[$info[2]];
  17.       move_uploaded_file($_FILES['newPicture']['tmp_name'], $path.$filename);
  18.  
  19.       $newPicture = $this->model('Picture');
  20.       $newPicture->product_id = $product_id;
  21.       $newPicture->filename = $filename;
  22.       $newPicture->description = $_POST['description'];
  23.       $newPicture->create();
  24.       header('location:/product/index');
  25.     }
  26.   }else{
  27.     $this->view('product/addPicture');
  28.   }
  29. }

This method is meant to accept files associated to products in a product catalog. Therefore, on line 1, we need to pass in the product_id foreign key value for the picture record to refer to the appropriate product record.

On lines 2 and 3, we verify that the picture is indeed sent (line 2) to the receiving script without any error (line 3). If not, the script branches to line 27 and presents the submission form.

On lines 4 and 8, we extract image file information (line 4) that will allow us to validate (on line 8) that the received file is indeed an image. If not, an error message is sent to the user on line 9.

At line 10, the image information (from line 4) is used again against an image type whitelist (produced on lines 5-7). If the file is not of the proper type, an error message is sent to the user, on lines 11-12.

Finally, if all checks are good, the script continues on to lines 15-24. Lines 15, 16, 17 handle saving the file to the filesystem as follows:

  1. Define the saving path in the OS, based on the current working directory. The file will be saved in the images folder under the server document root.
  2. Define the file name to a random string with the extension from the whitelist defined on lines 5-7.
  3. Move (save) the file from its temporary location to the images folder.

Lines 19-24 record the data as follows:

  1. Get an instance of the Picture class.
  2. Populate the product_id foreign key from the method parameter.
  3. Populate the filename, since other computers don’t have access to the full path structure. We will use this filename later to display these pictures.
  4. Populate the description from the form data.
  5. Invoke Picture::create() to save the Picture record to the database.
  6. Redirect the client side to the Product index.

Viewing the Pictures

In such an application, we simply call up all the pictures in a product detail user story with a controller method as follows:

  1. public function detail($product_id){
  2.   $theProduct = $this->model('Product')->find($product_id);
  3.   $thePictures = $this->model('Picture')->getForProduct($product_id);
  4.   $theProduct->pictures = $thePictures;
  5.   $this->view('product/detail', $theProduct);
  6. }

By setting the pictures to be part of the product, we are able to pass all the data as a single object to then output the picture URLs as in the following view code:

  1. <?php
  2. foreach($data->pictures as $picture){
  3.   echo "<img src='/images/$picture->filename' style='max-width:100px;' />";
  4.   echo "<a href='/product/deletePicture/$picture->picture_id' class='btn btn-danger'>Delete picture</a>";
  5. }
  6. ?>

On line 3, we output an image element that will refer to the faved file in the images folder under the Web server document root. On line 4, we also include a delete link.

Deleting the Picture

Mistakes happen and things change, so it makes sense to be able to delete pictures from our Web application. The hyperlink form the above view calls the deletePicture method from our product controller, defined as follows:

  1. public function deletePicture($picture_id){
  2.   $thePicture = $this->model('Picture')->find($picture_id);
  3.   unlink(getcwd().DIRECTORY_SEPARATOR.'images'.DIRECTORY_SEPARATOR.$thePicture->filename);
  4.   $thePicture->delete();
  5.   header('location:/product/detail/'.$thePicture->product_id);
  6. }

The process is simply to find the Picture record using its primary key value, delete the associated file with the unlink instruction, and delete the picture record before redirecting back the appropriate page (here we go back to the product details.

The Picture Model and Database

To support all these operations, we need a Picture model similar to the following:

  1.  
  2. class Picture extends Model{
  3.   var $product_id;
  4.   var $filename;
  5.   var $description;
  6.  
  7.   public function getForProduct($product_id){
  8.     $SQL = 'SELECT * FROM Picture where product_id = :product_id';
  9.     $stmt = self::$_connection->prepare($SQL);
  10.     $stmt->execute(['product_id'=>$product_id]);
  11.     $stmt->setFetchMode(PDO::FETCH_CLASS, 'Picture');
  12.     return $stmt->fetchAll();
  13.   }
  14.  
  15.   public function create(){
  16.     $SQL = 'INSERT INTO Picture(product_id,filename,description) VALUE(:product_id,:filename,:description)';
  17.     $stmt = self::$_connection->prepare($SQL);
  18.     $stmt->execute(['product_id'=>$this->product_id,'filename'=>$this->filename,'description'=>$this->description]);
  19.     return $stmt->rowCount();
  20.   }
  21.  
  22.   public function find($picture_id){
  23.     $SQL = 'SELECT * FROM Picture WHERE picture_id = :picture_id';
  24.     $stmt = self::$_connection->prepare($SQL);
  25.     $stmt->execute(['picture_id'=>$picture_id]);
  26.     $stmt->setFetchMode(PDO::FETCH_CLASS, 'Picture');
  27.     return $stmt->fetch();
  28.   }
  29.  
  30.   public function update(){
  31.     $SQL = 'UPDATE Picture SET filename = :filename,description = :description WHERE picture_id = :picture_id';
  32.     $stmt = self::$_connection->prepare($SQL);
  33.     $stmt->execute(['filename'=>$this->filename,'description'=>$this->description,'picture_id'=>$this->picture_id]);
  34.     return $stmt->rowCount();
  35.   }
  36.  
  37.   public function delete(){
  38.     $SQL = 'DELETE FROM Picture WHERE picture_id = :picture_id';
  39.     $stmt = self::$_connection->prepare($SQL);
  40.     $stmt->execute(['picture_id'=>$this->picture_id]);
  41.     return $stmt->rowCount();
  42.   }
  43. }

This model performs operations on a Picture table with the following fields:

  • picture_id: the automatically incremented integer primary key
  • product_id: the foreign key to the product table
  • filename: a string type to hold the short filename
  • description: a text type field to hold long descriptions.

Conclusion

These general guidelines are also applicable to records that are child records of a master-detail relationship. You could change the upload types by modifying the upload whitelist and replacing getimagesize with other validation mechanisms.

By Michel

My name is Michel Paquette. I currently teach my students how to create data-driven Web applications at Vanier College, in Montreal.

My GitHub page contains a few examples of Web applications. Also consult my YouTube channels: @CSTutoringDotCa and @MichelPaquette.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.