[Resolved] Upload attack error for every upload

kilbey1

Every time I try to use the upload script in the manual, it comes back an upload attack. Can anyone see errors in this? I am trying to upload an Excel file.

Submit form...

	<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>?goto=hotlistupload" method="post">
 <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
 Send this file: <input name="userfile" type="file" />
 <input type="submit" value="Send File" />
</form>

Upload code...

		$uploaddir = "C:\Temp";
		$uploadfile = $uploaddir . $_FILES['userfile']['name'];

	print "<pre>";
	if  (move_uploaded_file($_FILES['userfile']['tmp_nam
	e'], $uploadfile)) {
	   print "File is valid, and was successfully uploaded. ";
	   print "Here's some more debugging info:n";
	   print_r($_FILES);
	} else {
	   print "Possible file upload attack!  Here's some debugging info:\n";
	   print_r($_FILES);
	}
	print "</pre>";

Error returned...

Possible file upload attack!  Here's some debugging info:
Array
(
    [userfile] => Array
        (
            [name] => CURRENT HOTLIST-TO BE POSTED.xls
            [type] => application/vnd.ms-excel
            [tmp_name] => C:\WINNT\TEMP\php92.tmp
            [error] => 0
            [size] => 23552
        )

)

devinemke

i don't know if it's just the way this board mangles text but your paths are invalid. they should be:

$uploadfile = 'C:/Temp/' . $_FILES['userfile']['name'];

*note: no that's not a typo, you can use forward slashes for Windows paths

an invlaid path fed to move_uploaded_file() will return FALSE which is why you would see the error message.

kilbey1

Thanks, that was definitely part of the problem.

The other problem was that
if (move_uploaded_file($_FILES['userfile']['tmp_nam

and

e'], $uploadfile)) {

were on different lines, thereby throwing the error!