Lost with an upload script

MichaelHe

I am trying to make an upload script for the first time, and I don't get it.

I have trying copying the script from the PHP manual, but I can't get it to work.

As it lookes right now I have a script looking like this, a direct copy from the manual :

<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="test.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>



<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.\n";
} else {
   echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>

When I run the site I see a form box with a browse button. I then browse a .txt file from my harddrive, and press 'send file'

i then get the message:

Warning:  move_uploaded_file() [function.move-uploaded-file]: SAFE MODE Restriction in effect.  The script whose uid/gid is 1638/80 is not allowed to access /var owned by uid/gid 0/0 in /usr/home/web/web60269/TEST/test.php on line 28
Possible file upload attack!
Here is some more debugging info:Array
(
    [userfile] => Array
        (
            [name] => bring.txt
            [type] => text/plain
            [tmp_name] => /var/tmp/phpKhNDMU
            [error] => 0
            [size] => 965
        )

)

I can see that the [tmp_name] => /var/tmp/phpKhNDMU line changes when I try to upload again, so it seems like it's trying to upload the file with a tmp name, but when I check, there are no files uploaded.

I'm not sure where the files are stored so I have made a dir called /var/www/uploads and one just called uploads and they are all set to chmod 777.

But still nothing happens.

What am I doing wrong, and where in script is the moved file name entered ?

Please help me get startet.

Michael

Azala

I'm no Unix expert, but as far as I know /var/ is a protected directory of the Unix OS and from the warning message it seems to me it's saying that the webbrowser don't have access to store no files in that directory.

Change:

$uploaddir = '/var/www/uploads/';

to for instance

$uploaddir = $_SERVER['DOCUMENT_ROOT']."/uploads/";

and make a UPLOADS directory correctly chmodded in your public root folder.

MichaelHe

Perfect, it works.
Thank you so much.

BUT... how do I change the name ?
You see it has to be renamed to $songid which is not known yet...
In my form I write Song title and so on, and then I have an INSERT INTO statement where I put the song in the database. In the this database I have a field called SongID and this a an auto_increse field.
The uploaded file has to be renamed to ex. 48.txt if the SongID the song is given is 48.

So there are two problem. How do I get the songid right after the INSERT INTO has given the song it's ID, and how to I rename the file. ??

MichaelHe

I have just found out how to get the ID with this command $idnum = mysql_insert_id(); so now I just need to rename the file that has just been uploaded to the name $idnum .txt

Shall it be renamed after upload, or can I upload it directly with the new name ?

Azala

Easy.

After the INSERT statement do this:

$mySongID = mysql_insert_id();

Now you know what ID the song was assigned, now all that is left is to rename the uploaded file.

rename($uploadfile, $uploaddir.$mySongID.".txt");

However, please look up these functions on php.net to make sure you understand the process.

What happens if rename fails?

We know that rename returns true if it works, so we should probably do:

if (! rename($uploadfile, $uploaddir.$mySongID.".txt"))
    //Rename failed, do something, quick! :D

Azala

Sure, you can rename it before you upload:

$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {

Change:

$uploadfile = $uploaddir . $mySongID.".txt";

then call move_uploaded as one of the last things you do.

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {

it will then get the correct name and you can skip the rename function.

MichaelHe

OK.. now it all works perfect.
The file is uploaded in the correct folder, and with the right name and everything..

Thanks a lot for that. 😃

Now I only have only problem.
The importent part og my script looks like this :

<?ob_start()?>
<html>
<head>
<title>Untitled Document</title><link rel="stylesheet" href="Layout/Style.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000" leftMargin="0" topMargin="0" rightMargin="0">

<?php
include 'Layout/LayoutTop.html';
include 'Layout/Menu.html';

require("Layout/Setup.php");
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);
?>

<form enctype="multipart/form-data" method="post" action=''>
  <input type="hidden" name="MAX_FILE_SIZE" value="10000"><input name="upload" type="file">
  <input type="submit" name="Submit" value="Submit">
</form>

<?
if($_POST){
$titel = $_POST['Titel'];
$uploaddir = $_SERVER['DOCUMENT_ROOT']."/TEST/Tekster/"; 
}

$result = mysql_query("select * from Tekster WHERE Pid='$brugerid'");
$count = mysql_num_rows($result);

If {IF ($count<$antal){mysql_query ("INSERT INTO Tekster (Titel, Pid) VALUES ('$titel','$brugerid')");
$sangid = mysql_insert_id();
$uploadfile = $uploaddir . $sangid.".txt";
if (move_uploaded_file($_FILES['upload']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.\n";} else {
   echo "Possible file upload error!\n";}
   echo 'Here is some more debugging info:';
   print_r($_FILES);

header("Location: BrugerData.php?Brugernavn=$brugernavn&Adgangskode=$adgangskode");;};};}

mysql_close($conn);
</body>
</html>

Parts of the form and many $'s has been removed.
But the problem is that I have to write ob_start() in the beginning of the script ro make the header line work. But when i write ob_start() the upload doesn't , and it I don't write it the upload works, but the header doesn't..

How to I solve this problem. ?

Michael

Azala

Are you closing

ob_start();

with

ob_end_flush();

MichaelHe

Off cause. I knew I forgot something.

Now it all just works like a charm...

Thank you for the help.