[RESOLVED] Php uploading file but no file

tyler_hjdesign_

Hello, I've been working on this script trying to figure out why the file upload isn't posting to the database and not being able to find the file in the proper directory... It's php5 on linux and have register global on.

To be specific, I go to my page and input the information and choose a file to upload. When I hit submit, I get a upload progress bar but after it's done uploading, I can't find the file. Also the information is suppose to be posted on another page but nothing happens. I tried checking out the path and permission but I'm having trouble. What would be the best way to approach this?

<?

/-----------------------------------------------------------------------------------------------------
Purpose: The user can add new sections for the
-----------------------------------------------------------------------------------------------------/

session_start();
header("Cache-control: private"); // IE6 fix
include ($DOCUMENT_ROOT."/mySQL_config.php");
include ($DOCUMENT_ROOT."/functions.php");
include ($DOCUMENT_ROOT."/config.php");
check_admin();

$FilePath = $_SERVER['DOCUMENT_ROOT']."/employee/materials/training/files/";

//if we have a file ID then we're updating a record.
	if (isset($Submit)) {

			// if we're updating, we don't need to upload a new file.

			if(!empty($DocID)) {

				//if any of these fields are empty, then we cannot continue
				if(empty($DocName) || empty($SectionID)) {

					$msg = 'One or more fields were left blank.  Please review the information you have entered and resubmit.';

				} else {

				// update the record
				$upd_query = "UPDATE materials_training
								SET DocName = '".$DocName."',
								SectionID = '".$SectionID."'
								WHERE DocID = ".$DocID;

				$result = mysql_query($upd_query) or die("The database was not successfully updated.  <br><br> Query: ".$upd_query);

				}

			} else {

				//if any of these fields are empty, then we cannot continue
				if(empty($DocName) || empty($SectionID) || empty($UserFile)) {

					$msg = 'One or more fields were left blank.  Please review the information you have entered and resubmit.';

				} else {

					// move our uploaded file

					$SearchChar = array(" ", "'", "@", "#", "$", "&", "*");
					$filename = str_replace($SearchChar,"_",$HTTP_POST_FILES['UserFile']['name']);	

					if (move_uploaded_file($_FILES['UserFile']['tmp_name'], $FilePath.$filename)) {

						// insert record into DB
						$query = "INSERT INTO materials_training (DocName, SectionID, Filename) VALUES ('".$DocName."', '".$SectionID."', '".$filename."')";
						$result = mysql_query($query); 

						$msg = "Your file has been uploaded successfully.";

					} else {

						$msg = "There was a problem uploadinig your file.";

					}
				}	
			}
	}

	if (!empty($DocID)) {

		$query = "SELECT * FROM materials_training WHERE DocID = ".$DocID;
		$result = mysql_query($query);
		$result_ar = mysql_fetch_assoc($result);

	}
// header("Location: index.php?curSection=7&curPage=5");

?>

<HTML>
<HEAD>
<? include($DOCUMENT_ROOT."/meta.php"); ?>
<link href="/quantum.css" rel="stylesheet" type="text/css">
</HEAD>
<BODY background="http://www.quantumhp.com/images/pattern_leaves_tan.gif" LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0>
<table width="95%" height="100%" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" class="page_border">
<tr>
<td height="91" align="right" bgcolor="#64211f"><img src="/images/splash_logo.gif" width="734" height="91"></td>
</tr>
<tr>
<td class="top_menu_shell" height="26" align="left" valign="middle" nowrap bgcolor="#000000"><? include($_SERVER['DOCUMENT_ROOT'].'/top_menu.php'); ?></td>
</tr>
<tr>
<td height="88" bgcolor="#000000" class="photo_border"><img src="/images/sample-photo02.gif" alt="" width="740" height="88"></td>
</tr>
<tr>
<td valign="top">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="231" valign="top" background="/images/pattern_leaves_brown.gif"><? include("include_Menu.php"); ?></td>
<td valign="top"><br>
<table width="95%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td height="26" class="title-bold">ADD <span class="title-italic">document</span> </td>
</tr>
<tr>
<td align="center" class="content-body">
<br><blockquote><p align="left" class="error"><? echo $Msg; unset($Msg);?></p></blockquote><br>
<form action="<? echo $PHP_SELF."?curPage=4&curSection=7&DocID=".$DocID; ?>" method="post" enctype="multipart/form-data" name="form1">
<table border="0" align="center" cellpadding="5" cellspacing="0">
<tr>
<td align="right" width="138" class="form-fieldLabels">Document Name: </td>
<td><input type="hidden" name="MAX_FILE_SIZE" value="40000000" /><input name="DocName" type="text" id="keyword_input" value="<? echo $result_ar['DocName']; ?>" size="35" maxlength="120"></td>
</tr>
<tr>
<td align="right" class="form-fieldLabels">Section: </td>
<td><select name="SectionID" id="SectionID">
<?
//Query database for a list of all sections
$opt_query = "SELECT * FROM materials_training_sections WHERE SectionID > 0 ORDER BY SectionName";
$opt_result = mysql_query($opt_query);
while ( $opt_result_ar=mysql_fetch_assoc($opt_result) ) {
								if ($opt_result_ar['SectionID'] == $result_ar['SectionID']) {

								print '<option selected value='.$opt_result_ar['SectionID'].'>'.$opt_result_ar['SectionName'].'</option>';

								} else {

								print '<option value='.$opt_result_ar['SectionID'].'>'.$opt_result_ar['SectionName'].'</option>';

								}
							}
						?>
                    </select></td>
			      </tr>
				  <? if(empty($DocID)) { ?>
				  <tr>
				    <td align="right" class="form-fieldLabels">File: * </td>

				    <td><input name="UserFile" type="file" id="UserFile"></td>
			      </tr>
				  <? } ?>
				  <tr>
				    <td>&nbsp;</td>
				    <td align="right">&nbsp;</td>
			      </tr>
				  <tr>
					<td>&nbsp;</td>
					<td align="right"><input type="submit" name="Submit" value="Submit"></td>
				  </tr>
				</table>
				<p align="center" class="form-fieldLabels">* - Required Fields</p>
			  </form>
			  <script type="text/javascript">
				document.form1.SectionName.focus();
			  </script>
			</td>
          </tr>
        </table>
        <br>
	  </td>
    </tr>
  </table>
</td>
</tr>
<tr>
<td height="35" valign="middle" align="center" bgcolor="#64211f"><? include($DOCUMENT_ROOT."/footer.php");?></td>

</tr>
</table>
</BODY>
</HTML>

<? mysql_close($connection); ?>

bradgrafelman

tyler@hjdesign.;10991387 wrote:
It's php5 on linux and have register global on.

First thing I would suggest, then, is that you first work on getting register_globals disabled.

Next, you'd want to update your code so that it doesn't rely on this highly deprecated possible security exploit.... oops, I mean "feature" (which isn't even going to be available in future releases of PHP).

Finally, note that when dealing with file uploads you should first be checking to see if the 'error' index indicates that the file upload was successful. If not, either output or log the error code so that it's easier to debug what went wrong. For more info, see [man]features.file-upload.errors[/man].

tyler_hjdesign_

Thank you for the quick reply. Unfortunately register global off isn't a option as of right now. I do know of the security risk and the future depletion of it but right now, it just isnt going to happen. (Not my decision, I've tried)

Anyway I clicked on the link. Do I just post the scripts into the top of my current script?

bradgrafelman

tyler@hjdesign.;10991391 wrote:
Unfortunately register global off isn't a option as of right now.

At the very least, you should write code as if it was disabled. At least then it will be more readable.

For example, say you're reading my code and I've got a variable $VarName. Can you tell me if that variable's contents came from: earlier in the script (e.g. local/global variable), the query string (GET), form data (POST), a cookie, a session, or an environmental variable? Now try answering the same question for $POST['VarName'] or $SESSION['VarName'].

Along the same lines, note that the $HTTP_* variables (such as $HTTP_POST_FILES) have been deprecated for some time as well (but let me guess, that just means your sysadmin wants them enabled even more so?).

tyler@hjdesign.;10991391 wrote:
Anyway I clicked on the link. Do I just post the scripts into the top of my current script?

Er... what scripts? I linked you to a manual page that explained how error handling works when dealing with file uploads, not a PHP script repository.

tyler_hjdesign_

I myself didn't write this script. This all was developed back in 2006 and it just so happens that they moved server and it stopped working. So I've been asked to look into it. I just so happen to know php to a certain extent.

That link you sent me, I'm feeling a little overwhelmed with all that information. Especially those comments below stating which script to use and things.

I just need to know which part of my script isnt working and why.

tyler_hjdesign_

Anyone?

tyler_hjdesign_

Here's what I'm getting: How and where do I need to define the variable?

Notice: Undefined variable: Msg in /home/quantumhpadmin/public_html/system/materials/training/materials_add.php on line 122

Notice: Undefined variable: result_ar in /home/quantumhpadmin/public_html/system/materials/training/materials_add.php on line 127

tyler_hjdesign_

I fixed it. Just in case anyone has problems with this, I added this script on top of the codes. It had to do with $HTTP_POST_FILES not being supported by php5. This is a temporary fix somewhat. The real fix is to rewrite it to support the new php standards.

if( !isset( $HTTP_SERVER_VARS ) )
{
$HTTP_SERVER_VARS = $SERVER;
}
if( !isset( $HTTP_GET_VARS ) )
{
$HTTP_GET_VARS = $GET;
}
if( !isset( $HTTP_POST_VARS ) )
{
$HTTP_POST_VARS = $POST;
}
if( !isset( $HTTP_POST_FILES ) )
{
$HTTP_POST_FILES = $FILES;
}