Page 1 of 1

FILE UPLOAD PROBLEM - HELP NEEDED

Posted: Sat Sep 13, 2003 8:01 am
by tuberider
Hi,
i'm having a problem with file uploads using the following code:

Code: Select all

print_r($HTTP_POST_FILES);

if (is_uploaded_file($image)) {
echo "<BR>UPLOAD OK";
$dest = "/usr/local/www/htdocs/ohat/ohat_home/images/contents/" .$image_name
. "/";

if (move_uploaded_file ($image , $dest) )
echo "<BR>MOVE OK!";
else
echo "<BR>MOVE ERROR!";
}
else
echo "UPLOAD ERROR!";
[mod_edit: added

Code: Select all

tags][/size]

this is the result:

Array ( [image] => Array ( [name] => surf.jpg [type] => image/pjpeg [tmp_name] => /tmp/phpNGtNbn [error] => 0 [size] => 17106 ) ) 

UPLOAD OK

Warning: move_uploaded_file(/usr/local/www/htdocs/ohat/ohat_home/images/contents/surf.jpg/) [function.move-uploaded-file]: failed to create stream: Permission denied in /usr/local/www/htdocs/ohat/ohat_home/admin/modules/content.php on line 409

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpNGtNbn' to '/usr/local/www/htdocs/ohat/ohat_home/images/contents/surf.jpg/' in /usr/local/www/htdocs/ohat/ohat_home/admin/modules/content.php on line 409

MOVE ERROR

can u tell me why that permission denied error happens?

i'd be very thankfull with ur help.

Best Regards,

Rui

Posted: Sat Sep 13, 2003 8:55 am
by JAM

Code: Select all

// shouldnt...
$dest = "/usr/local/www/htdocs/ohat/ohat_home/images/contents/" .$image_name . "/"; 
// be...
$dest = "/usr/local/www/htdocs/ohat/ohat_home/images/contents/" .$image_name ;
Looks like you are trying to move the tmp as a directory...

Re: FILE UPLOAD PROBLEM - HELP NEEDED

Posted: Sat Sep 13, 2003 1:14 pm
by m3rajk
tuberider wrote:Hi,
i'm having a problem with file uploads using the following code:

Code: Select all

print_r($HTTP_POST_FILES);

if (is_uploaded_file($image)) {
echo "<BR>UPLOAD OK";
$dest = "/usr/local/www/htdocs/ohat/ohat_home/images/contents/" .$image_name
. "/";

if (move_uploaded_file ($image , $dest) )
echo "<BR>MOVE OK!";
else
echo "<BR>MOVE ERROR!";
}
else
echo "UPLOAD ERROR!";
this is the result:
Array ( [image] => Array ( [name] => surf.jpg [type] => image/pjpeg [tmp_name] => /tmp/phpNGtNbn [error] => 0 [size] => 17106 ) )

UPLOAD OK

Warning: move_uploaded_file(/usr/local/www/htdocs/ohat/ohat_home/images/contents/surf.jpg/) [function.move-uploaded-file]: failed to create stream: Permission denied in /usr/local/www/htdocs/ohat/ohat_home/admin/modules/content.php on line 409

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpNGtNbn' to '/usr/local/www/htdocs/ohat/ohat_home/images/contents/surf.jpg/' in /usr/local/www/htdocs/ohat/ohat_home/admin/modules/content.php on line 409

MOVE ERROR
can u tell me why that permission denied error happens?

i'd be very thankfull with ur help.

Best Regards,

Rui
now to see if that does what i think and makes this much more readable.. then i'll try to help

Posted: Sat Sep 13, 2003 1:20 pm
by m3rajk
how are you getting $image?

are you getting it from $HTTP_POST_FILES['tmp_name']?

i'm not sure, but you might be having an issue elsewhere. can you give us aview of what comese before this? (use the php tags)

Posted: Sat Sep 13, 2003 1:55 pm
by tuberider
First of all let me thank all your help.

Before this piece of code:

Code: Select all

print_r($HTTP_POST_FILES);
$image = $HTTP_POST_FILES["image"]["tmp_name"];
echo "<BR>IMG = $image   <BR> NAME = $image_name";

if (is_uploaded_file($image)) {
echo "<BR>UPLOAD OK";
$dest = $_SERVER["DOCUMENT_ROOT"] ;
echo "<BR>source = $image <BR>dest = $dest";
        if (file_exists($image) ) {
                echo "<BR>FILE EXISTS!";
                if (move_uploaded_file ($image ,$dest ) )
                        echo "<BR>MOVE OK!";
                else
                        echo "<BR>MOVE ERROR!";

        }
        else echo "<BR>FILE NOT FOUND!";
}
else
echo "UPLOAD ERROR!";
[mod_edit: added

Code: Select all

tags][/size]


i've got a form with multipart/form-data enctype and $image goes from :
<input type=\"file\" name=\"image\">.

when i run that piece of code i get this output:

Array ( [image] => Array ( [name] => surf.jpg [type] => image/pjpeg [tmp_name] => /tmp/php5Dr6C6 [error] => 0 [size] => 17106 ) ) 
IMG = /tmp/php5Dr6C6 
NAME = surf.jpg
UPLOAD OK
source = /tmp/php5Dr6C6 
dest = /usr/local/www/htdocs/ohat/ohat_home
FILE EXISTS!
Warning: move_uploaded_file(/usr/local/www/htdocs/ohat/ohat_home/surf.jpg) [function.move-uploaded-file]: failed to create stream: Permission denied in /usr/local/www/htdocs/ohat/ohat_home/admin/modules/content.php on line 411

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php5Dr6C6' to '/usr/local/www/htdocs/ohat/ohat_home/surf.jpg' in /usr/local/www/htdocs/ohat/ohat_home/admin/modules/content.php on line 411

MOVE ERROR!

PS:couldn't it be a question of file/dir permissions? if so, how can i view/change them?
the server is running linux with apache...

once more thank you 4 all ur help...i really need it 

Best Regards,

Rui

Posted: Sat Sep 13, 2003 5:32 pm
by m3rajk
there's a number of things. let me say once again:PLEASE USE THE PHP TAGS ON PHP CODEit makes your post MUCH easier to read. i almost skipped over it because you didn't. i'm sure others DID skip over it, and they may be better at trouble shooting than me.


ok. i don't see you ever setting $image. if nothing is set then it'll cause an issue when you try to move something and there's no file.

so. before anyone gives you help, we need to know the following so we can give you answers that are reelvant to your php set up.
  1. what version of php are you using (4.0.6? 4.1.0? 4.2.2? some other version?)
  2. do you know if register_globals is still at the default setting? (if not we shall assume it is) if you know it isn't, what is the setting? (on or off)
  3. are you using this as a cgi module or stand alone? (quirks are sometimes different: ie when connecting to my sql one has to use mysql_pconnect, the other mysql_connect)

Posted: Sat Sep 13, 2003 9:30 pm
by evilmonkey
Is your server on apache and Linux? If so, go into your FTP and chmod (set permission of your directory) to 777. I think it's more complicated on windows.

m3rajk, calm down. :lol:

Posted: Sun Sep 14, 2003 8:00 am
by tuberider
i'm really sorry for the php tags...i'm new at this forum and i read your post so quickly that i didn't pay much attention to your last sentence (use the php tags)...

answering your questions:

1- i'm using Apache/1.3.27 (Unix) PHP/4.3.1
2- register globals = On
3-i'm using this as stand alone

thanks again 4 all ur help.

Best Regars,

Rui

Posted: Sun Sep 14, 2003 8:13 am
by volka
it's certainly a problem with the file permissions. If you're unfamiliar with them take a look at e.g. http://www.ctssn.com/linux/lesson6.html or http://www.onlamp.com/pub/a/bsd/2000/09 ... asics.html or http://www.google.de/search?&q=unix%20f ... ermissions
Now the server's running with the permissions of a certain account and so is your script. You have to make sure it has write permissions for the destination directory.
Setting the permissions to 777 as evilmonkey suggested means "everyone can do anything with this file/directory/...". I'm not sure that's what you want.
It will work but it's like letting your flat's door open so everyone from the same house can walk in.

Do you have full access to the server (are you the owner/admin)?

Posted: Sun Sep 14, 2003 10:21 am
by tuberider
Volka, thank you very much for your tips and urls.

well, i have full acess to the server and i'm testing this application (i didn't developed it) to be presented next week to the organization.

Talking in a general way, this is a project for an humanitary foundation were users (among all other things) should be able to post articles and suggest new projects (they fill up the forms in wich they can also submit pictures too -that's my big deal!)

so, that /tmp dir must have write permissions for all users that use the website to send their pics along with text...
do you have any suggestion to do it in a secure way? or saving the pic as LOB on mysql database would be better?

Best Regards,

Rui

Posted: Sun Sep 14, 2003 10:38 am
by Cruzado_Mainfrm
what if someone uploads a php file there and breaks into your site? be careful with what files can be uploaded :), you don't want anyone uploading malicious code, it doesn't matter if u say that the content header is a jpg file, it can be read as php.

when you give ppl u don't know access to file writing you don't know what harm they can do, try unsetting variables that may be passed into the document(only if u have register_globals on, that by security means should be disabled).

Posted: Sun Sep 14, 2003 10:52 am
by tuberider
following Volka's tip, i used ls -la and i noticed the following:

the EVERYONE ELSE group is like r-- for every file and like r-x for every directory listed in my website dir.

Posted: Sun Sep 14, 2003 10:59 am
by tuberider
finally! i did it guys!
i did this:
chmod 777 tmp
chmod 777 images

and move_uploaded_file ($source,$dest) worked fine!
now i have that security issues...

thank you very much!

Best Regards,

Rui

Posted: Sun Sep 14, 2003 11:42 am
by m3rajk
evilmonkey wrote:Is your server on apache and Linux? If so, go into your FTP and chmod (set permission of your directory) to 777. I think it's more complicated on windows.

m3rajk, calm down. :lol:
did you see it before the mod edits? there was nothing seperating anything so i first had to figure out where things started and stopped. and i still don't see anything more than in the original post, so it still looks like somethings may not be set. in the post there's links to the code, and a nicely sized button reading "php"

maybe i'm just really weird here, but the fact it has a code (granted it looke like it's bbased on the lotus notes system i used in vhs the first year that was around and maybe having had that makes me realize there can be code that's allowed for users) i decided to LOOK at the code options on my first post. i guess i just expect others to do the same.
tuberider wrote:i'm really sorry for the php tags...i'm new at this forum and i read your post so quickly that i didn't pay much attention to your last sentence (use the php tags)...

answering your questions:

1- i'm using Apache/1.3.27 (Unix) PHP/4.3.1
2- register globals = On
3-i'm using this as stand alone

thanks again 4 all ur help.

Best Regars,

Rui
ok. turn off register globals. it's a security issue. chances are any hosting company you go to will not turn them on and will tell you to change your code.
next thing to do is to realize you're about .. i believe it was 4.0.6 that was the first to switch from $HTTP_GET_VARS to $_GET and 4.1.0 that was the register globals switch, but i may have the reversed. in any case 4.3.1 is above both, so code needs to reflect that.

wherever you have $HTTP_WHATEVER_VARS you need to change to $_WHATEVER

ok. i read it all now. you need to be aware that the http is deprecated. bad habit to use it still.

and the issue with register globals. you should fix the code so that it assumes registerglobals is off and that the deprecated vars aren't supported

Posted: Mon Sep 15, 2003 9:18 am
by tuberider
m3rajk,

thank you very much 4 ur help & tips.

Best Regards,

Rui