here is my code. The code work ok if i reference the XML file directly without uploading it e.g. using $xmlSource= "test.xml;
Code: Select all
<HTML>
<HEAD>
<TITLE>File Upload</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE" TEXT="BLACK">
<P><FONT FACE="Arial, Helvetica, sans-serif"><FONT SIZE="+1">File
Upload</FONT><BR><BR>
<FORM METHOD="POST" ENCTYPE="multipart/form-data" ACTION="scriptbelow.php">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="20000">
File 1: <INPUT TYPE="FILE" NAME="userfile" SIZE="60"><BR><BR>
<INPUT TYPE="SUBMIT" VALUE="Upload">
</FORM>
</FONT></P>
</BODY>
</HTML>Code: Select all
<?php
if ($HTTP_POST_FILES['userfile']['name']=="none")
{
echo "Problem: no file uploaded";
exit;
}
if ($HTTP_POST_FILES['userfile']['size']==0)
{
echo "Problem: uploaded file is zero length";
exit;
}
if ($HTTP_POST_FILES['userfile']['type'] != "text/xml")
{
echo "Problem: file is not an xml file";
exit;
}
if (!is_uploaded_file($HTTP_POST_FILES['userfile']))
{
echo "Problem: possible file upload attack";
exit;
}
//i use WINDOWS
$upfile = "\\uploads".$userfile_name;
if ( !copy($userfile, $upfile))
{
echo "Problem: Could not move file into directory";
exit;
}
$xmlSource= $upfile;
//here i declare the normal xml processing function like character data,
//startElement and endElement. then i have another function with //parses the uploaded file
function parseFile(){
global $xmlSource,$items;
//Creating the xml parser
$xml_parser=xml_parser_create();
//Registering the handlers
xml_set_element_handler($xml_parser,"startElement","endElement");
xml_set_character_data_handler($xml_parser,"characterData");
//Disables case-folding. Needed for this example
xml_parser_set_option($xml_parser,XML_OPTION_CASE_FOLDING,false);
//Open the xml file and feed it to the parser in blocks of 4KB
if(!($fp=fopen($xmlSource,"r"))){
die("Cannot open $xmlSource ");
}
while(($data=fread($fp,4096))){
if(!xml_parse($xml_parser,$data,feof($fp))){
die(sprintf("XML error at line %d column %d ",
xml_get_current_line_number($xml_parser),
xml_get_current_column_number($xml_parser)));
}
}
//free the parser and returns the array
xml_parser_free($xml_parser);
return $items;
}//end parseFile()
?>if a comment out the if statement causing that error, I get another errorProblem: Could not move file into directory
and so on.Problem: possible file upload attack
Please help review my code. Any ideas are well come.