Uploading files, works 80% of the time

Sykoi

Well I have an incredibly strange bug that I have posted on several different forums but to no avail, so I thought I'd give phpbuilder a try...

Basically when you upload a file, every single time no matter what the outcome - ths script sees all the file's information, it see's the name, adds it to a database, it even sees the mime and size.
But for some odd reason, from time to time - the file isn't moved when move_uploaded_file is called. Whats even stranger about this, is the fact that if it does this for fileA one time and you try to upload it again, it'll work correctly the second time around.

Even thought I don't really want to show my code, since its a jumbled mess of me trying to figure out whats going wrong (Although I have removed most of the debug prints/print_rs), and uses numerous temporary bits of code (Which I had acquired from various sources to see if that bit of code was the problem).

(Note: This bug appears on both my local windows testing machine, as well as my Redhat/cPanel/php 5 box)

<?
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
//include('functions.inc.php');
include_once('header.php');
//ob_start(); Called in header.php
$user_id = $_SESSION['userid'];
$upload_location = $GLOBALS['upload_location'];
?>

<script language="JavaScript" type="text/javascript">
function put(filename) {
	window.opener.document.getElementById('main').innerHTML = window.opener.document.getElementById('main').innerHTML + "<br />" + filename;
}
</script>
<?
if ($_POST['upload']) {


//$uploaddir = 'uploaded/';
//$uploadfile = $uploaddir . basename($_FILES['file']['name']);

//if(isset($_POST['upload']) && $_FILES['file']['size'] > 0)
if (is_uploaded_file($_FILES['file']['tmp_name'])) {
	if (!$_SESSION['sort-id']) {
		$timestamp = time();
//Can be done with a single query, I know
			$sqls = "INSERT INTO sortbyid_ref (date) VALUES ('".$timestamp."')";
			$mysql->query($sqls,'add_ref');
			$sqls2 = "SELECT * FROM sortbyid_ref WHERE date='".$timestamp."'";
			$mysql->query($sqls2,'get_ref');
			$refidq = $mysql->fetch_row('get_ref');
			$_SESSION['sort-id'] = $refidq['id'];
			print $_SESSION['sort-id'];
		}

	$sort_id	= $_SESSION['sort-id'];
	$fileName   = mysql_real_escape_string($_FILES['file']['name']);
	//$tmpName    = mysql_real_escape_string($_FILES['file']['tmp_name']);
	$tmpName    = $_FILES['file']['tmp_name'];
	$fileSize   = mysql_real_escape_string($_FILES['file']['size']);
	$fileType   = mysql_real_escape_string($_FILES['file']['type']);
    $sort_id    = mysql_real_escape_string($sort_id);
    $user_id    = mysql_real_escape_string($user_id);

	//$fp      = fopen($tmpName, 'r');
	//$content = fread($fp, filesize($tmpName));
	//$content = addslashes($content);
	$sql = "INSERT INTO files (name, sort_id, user_id, upload_dir, data, size, mime) VALUES ('$fileName','$sort_id','$user_id','$upload_location','','$fileSize','$fileType')";
	$mysql->query($sql,'add_file');
    $error = mysql_error();
	$mysql->query("SELECT id FROM files WHERE name = '$fileName' AND size = '$fileSize'",'find_file');
	$listid = $mysql->fetch_row('find_file');
	$id = $listid[id];
	//fclose($fp);

    //Now we're going to figure out what we call the file.. and where' we upload it to.
    $new_filename = $exact_dir.$upload_location . $id . "_" . basename($fileName);
	print $new_filename."<br>".$tmpName."<br>";
    if (!move_uploaded_file($tmpName,$new_filename)) {
        echo "Failed...";
		print_r($_FILES);
        return;
    }
    $ffileName = $url_location . $id . "_" . basename($fileName);
    $putStr = "<a href=\"". $ffileName ."\">$fileName</a> <input type=\"hidden\" name=\"file\" value=\"". $id ."\" />";
	?>
	<script language="JavaScript" type="text/javascript">
		put(' <?php echo $putStr ?>');
		window.opener.document.getElementById('uploaded_files').value = '<?php print $_SESSION['sort-id']; ?>';
	</script>
	File successfully uploaded. <a href="window.php">Add another</a> | <a href="javascript: window.close()">Close</a>
	<?
	print "sort-id: ".$_SESSION['sort-id'];
} else {
   echo "Possible file upload attack!\n";
}
?>

<?
} 
else {
	?>
	<form action="" method="post" enctype="multipart/form-data">
<?php
    if(!isset($_SESSION['sort-id'])) {
        echo "<span id='window-warn'>!!WARNING!! The files being uploaded have no sortby id!</span><br />";
    }
	print "sort-id: ".$_SESSION['sort-id'];
?>
	  <span id="window-title">Select a file to upload.</span><br />
	  <label for="file">File:</label> 
	  <input type="file" name="file" id="file"  /> 
	  <input type="hidden" name="upload" id="upload" value="upload" />
      <input type="hidden" name="article-id" id="article-id" value="<?php echo $article_id; ?>" />

  <input type="submit" name="submit" value="Submit" />
</form>

<?
}
//ob_end_flush(); Taken out because its called in footer.php
include_once('footer.php');
?>

Some variables:
$upload_location = '/uploaded/';
$exact_dir = getcwd();

leatherback

Hi,

Two questions:

Where is $_SESSION['sort-id'] set? This is one of the potential blocking structures, which may change
What does the php log say? Have you tried setting your error reporting to E_ALL? You should get some errors, if the script fails

Sykoi

sort-id is unrelated, however it is set after a user uploads a file, and is unset after you submit an article... Its... Well, its just for tracking what files go where.

And even though I have had my reporting at E_ALL, I'll try again and edit this

I am officially not only an idiot, but also extremely embarrassed :quiet:
So I turned on E_ALL again, opened up the upload folder in one monitor and uploaded a bunch of files in the other... I uploaded 20 files, checked the database.... And guess what? While all the files were uploaded (Something I had never actually confirmed), the database wasn't assigning the same ID to the database as it was to the file name, so while the files were uploaded with ID_NAME, the database got a different ID.

Ugh... To think I wasted so much time trying to figure this problem out and all I had to do was actually LOOK at the upload folder, and look at the complete file name instead of anything after ##_

Anyways, thank you for your help in showing that I made a majorly stupid mistake 🙁

Nugen

just a note after looking at your code you can easily inject lethal SQL into this script. Hopefully you aren't using it for the public.

with filenames you should use a regular expression for a-z 0-9 and only allow . - and _ or any other special symbols you wish to allow. otherwise someone could make posts with fake filenames that escape mysql escaping.

I noticed your post below but will just edit this one:

Heres an example of a way to easily scrub out escaping escaped charecters.

function CleanUsertext_array($usertext){
	   $usertext = is_array($usertext) ?
               array_map('CleanUsertext_array', $usertext) :
			   str_replace("_", " ", $usertext);
               preg_replace("/[^a-zA-Z0-9 .@]/", "", $usertext);

   return $usertext;

}


$_POST=CleanUsertext_array($_POST);

//this removes any special charecters that aren't alphanumeric or {space}, period, or @ symbol from all array values, in this example the post array.

You could also just use

$cleantext=preg_replace("/[^a-zA-Z0-9 .@]/", "", $usertext);

For single variables. Cleaning before you even begin parsing the content of the information is the best bet at safe execution. Otherwise someone could use a filename like: %27%3B%20DROP%20DATABASE%20-- (most likely modified for escaping) and inject a subquery into your statements.

Keep in mind this doesn't neccesarily have to even be a real file or filename but strings posted to the script from a spoofed source.

mysql escape strings isn't for security but just storing data, its always best to limit the users ability to add anything you don't want within the database by limiting their ability to use charecters outside of the scope of the variable. In this case anything stored within the database should be cleaned or detect an injection outside of the supplied functions of PHPs base and allow this to flag an error and disallow the SQL querys execution / creation.

Sykoi

Any suggestions? I thought using mysql_real_escape_string would counter this... I can't use my normal input parser as it messes with slashes, so I'm open to any alternative.