[RESOLVED] File Upload question

NoBullMan

I have a question on file uploading. I hve searched the forum but have not found a solution.
I used the following test files to test the file upload. It works fine except that the file does not appear where it is supposed to. In fact, it does not appear anywhere accessible! It ends up in /tmp/some_random_name. When I check the directory /tmp no such file or folder exists!

Since this is a site hosted by an outside hosting company, I cannot modify the php.ini file, as directed in the php manual to change the temp_dir (if this is what I need to do). This is what I have and the output:

 <form action="test_upload.php" method="post" enctype="multipart/form-data">
<p>Pictures:
<input type="file" name="pictures" />
<input type="submit" value="Send" />
</p>
</form>

test_upload.php:

$uploaddir = '/home/mydomain/www/demo/images/uploads';
$uploadfile = $uploaddir . basename($_FILES['pictures']['name']);

if (move_uploaded_file($_FILES['pictures']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.\n";
}
else {
   echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($_FILES);
?>

Output:

File is valid, and was successfully uploaded.

Here is some more debugging info:
Array(
[pictures] => Array
(
[name] => bg_blue.jpg
[type] => image/jpeg
[tmp_name] => /tmp/phpc7nOLo
[error] => 0
[size] => 14772
)
)

If I replace the $_FILES['pictures']['tmp_name'] with $uploaddir in the function move_uploaded_file(), I get "Possible file upload attack!"

TIA

littlegirl

<td height="28" bgcolor="<? echo $bgcolor; ?>"> <div align="left"><font color="#003DBB" size="2" face="Arial, Helvetica, sans-serif"> 
<input name="Mbiemer<? echo $x; ?>" class="smallwhitetxt3" type="text" size=10 value="<? if (isset($_POST["Mbiemer"])) { $Mbiemer = $_POST["Mbiemer"]; } echo $Mbiemer; ?>"> 
</font> </div></td> 
<td height="28" bgcolor="<? echo $bgcolor; ?>"> <div align="left"><font color="#003DBB" size="2" face="Arial, Helvetica, sans-serif"> 
<input name="Emer<? echo $x; ?>" class="smallwhitetxt5" type="text" size=25 value="<? if (isset($_POST["Emer"])) { $Emer = $_POST["Emer"]; } echo $Emer; ?>"> 
</font> </div></td> 
<td width="41" height="28"> 
<div align="center"><font size="2" color="#FF0000" face="Geneva, Arial, Helvetica, sans-serif"><? echo "<a href=\"editopedagoge.php?ID_Pedagog=$ID_Pedagog\">X</a>" ?> 
</font></div></td> 
<td width="55" height="28" align="left"> 
<div align="center"><font size="2" color="#FF0000" face="Geneva, Arial, Helvetica, sans-serif"> <a href="javascript:removeRecord(<?=$ID_Pedagog?>)"><img src="ball143.gif" width="20" height="20" class="smallwhitetxt5"></a> 
</font></div></td> 
</tr> 
<? 

$x++; 
} 
} // mbaron while 
?> 
</table> 
<table width="443" border="0" align="center" cellpadding="0" background="jo.gif"> 
<tr> 
<td width="439" background="sfondi.gif"><div align="center"><span class="style3"><font color="#0000FF"><a href="admin.php" class="smallwhitetxt style2">Kliko k&euml;tu për t&euml; shkuar n&euml; faqen administrim </a></font></span></div></td> 
</tr> 
</table> 
<p>&nbsp;</p> 
<p>&nbsp;</p> 
<p align="center">&nbsp; </p> </p> 
</body> 
</html>

[/code]

littlegirl

[QUOTE]<?
  if (isset($_GET["ID_Pedagog"])) {
	$ID_Pedagog = $_GET["ID_Pedagog"];
	$query_fshi = "delete from pedagoget where ID_Pedagog = $ID_Pedagog";
	mysql_query($query_fshi);}
	?>
	<?
	while($row=mysql_fetch_array($resultall)){
	$ID_Pedagog=$row['ID_Pedagog'];
     $emer=$row['Emer'];
	  $Mbiemer=$row['Mbiemer'];
	   $Titulli_Akademik=$row['Titulli_Akademik'];
	   $Titulli_Shkencor=$row['Titulli_Shkencor'];
	    $ID_Departament=mysql_result($resultall,$x,"ID_Departament");


?>
<?
	    $query2="SELECT *from departamentet WHERE  ID_Departament=' $ID_Departament' order by Emer";
		$result2=mysql_query($query2);
		 while($row2=mysql_fetch_array($result2)){
	 $Emer=$row2['Emer'];
	 ?>
<?


?>
  <tr bordercolor="#990000" bgcolor="#CC99CC"> 
  <td height="28" bgcolor="<? echo $bgcolor; ?>"> <div align="left"><font color="#003DBB" size="2" face="Arial, Helvetica, sans-serif"> 
                            <input name="emer<? echo $x; ?>" class="smallwhitetxt5" type="text" size=10 value="<? if (isset($_POST["emer"])) { $emer = $_POST["emer"]; } echo $emer; ?>">
    </font> </div></td>

<td height="28" bgcolor="<? echo $bgcolor; ?>"> <div align="left"><font color="#003DBB" size="2" face="Arial, Helvetica, sans-serif"> 
                        <input name="Mbiemer<? echo $x; ?>" class="smallwhitetxt3" type="text" size=10 value="<? if (isset($_POST["Mbiemer"])) { $Mbiemer = $_POST["Mbiemer"]; } echo $Mbiemer; ?>">
</font> </div></td>
<td height="28" bgcolor="<? echo $bgcolor; ?>"> <div align="left"><font color="#003DBB" size="2" face="Arial, Helvetica, sans-serif"> 
                        <input name="Emer<? echo $x; ?>" class="smallwhitetxt5" type="text" size=25 value="<? if (isset($_POST["Emer"])) { $Emer = $_POST["Emer"]; } echo $Emer; ?>">
</font> </div></td>
<td width="41" height="28"> 
  <div align="center"><font size="2" color="#FF0000" face="Geneva, Arial, Helvetica, sans-serif"><? echo "<a href=\"editopedagoge.php?ID_Pedagog=$ID_Pedagog\">X</a>" ?> 
</font></div></td>
 <td width="55" height="28" align="left"> 
   <div align="center"><font size="2" color="#FF0000" face="Geneva, Arial, Helvetica, sans-serif"> <a href="javascript:removeRecord(<?=$ID_Pedagog?>)"><img src="ball143.gif" width="20" height="20" class="smallwhitetxt5"></a>



</font></div></td>

  </tr>
  <?

    $x++;
}
} // mbaron while 


?>
</table>
<table width="443" border="0" align="center" cellpadding="0" background="jo.gif">
  <tr>
    <td width="439" background="sfondi.gif"><div align="center"><span class="style3"><font color="#0000FF"><a href="admin.php" class="smallwhitetxt style2">Kliko k&euml;tu për t&euml; shkuar n&euml; faqen administrim </a></font></span></div></td>
  </tr>
</table>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p align="center">&nbsp; </p> </p>
</body>
</html>[/QUOTE]

[/QUOTE][/code]

NoBullMan

??????????????????????
Are you OK littlegirl?

phpstuck

First thing I notice is your form attributes... With file uploads you must specify the enctype exactly or PHP won't recognize the format.

<form enctype="multipart/form-data" action="something.php"
method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="50000">
Select a file: <input name="upfile" type="file">
<input type="submit" value="Upload">
</form>

PS: the max_file_size is a matter of conveinience and is not 100% enforced but every little bit helps.... the enctype line is the most important. PHP can handle the max file size for you though.

Then only one thing changes on the basic upload (however I would use more security in the long run) This following is fairly secure, let me know how this goes.

$uploaddir = "uploads/";
$filename = trim($_FILES['upfile']['name'];
$filename = substr($_filename, -20);
$filename = ereg_replace(" ", "", $filename);
if((ereg(".jpg", $filename)) || (ereg(".gif", $filename))) {
    $uploadfile = $uploaddir . $filename;
    if (move_uploaded_file($_FILES['upfile']['tmp_name'],
    $uploadfile)) {
        chmod($uploadfile, 0644);
         print("File upload was successful");
} else {
         print("File upload failed");
}
} else {
print("Only image files are allowed, upload failed");
}

NoBullMan

I do have the enctype in my <form ...> line.

My question is how come it does not upload the file to the folder I specify and uploads it instead to the /tmp/<random_name> folder.

You must have been looking at little girls post that has nothing to do with my question!

phpstuck

Easy pilgram... I wasn't done and I just got ahead of myself... The obvious next question... You did speak with you host and they provided you with your absolute upload directory path (which is as posted) and what did they say when you asked them about the PHP.ini settings (some hosts don't like to allow uploads due to security issues)

Just trying to help and I didn't bring my magic wand this evening :-)

NoBullMan

hehehe... my reference to "little girl's post'" was actually the couple of replies to my question posetd by "littlegirl" that has nothing to do with my question, in the very same thread.

Any way, I will check with my web hosting company to see if they have some restrictions on file upload.

I just want to make sure there is nothing wrong with the piece of code I have included, or if there are some issues, how to get around them.

Thanks.

NoBullMan

I checked the PHP settings on the web hosting, using phpinfo(), and it seems that "file_uploads" is "on", both as "Local Value" and "Master Value".