Image uploads

josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Image uploads

Post by josh »

I am trying to write an upload script to upload GIFs and JPGs... before I limit it to certain file types and file sizes I need to get the basic upload function working. This code I am running just says:


Possible file upload attack!
Here is some more debugging info:

Array
(
[userfile] => Array
(
[name] => img.jpg
[type] =>
[tmp_name] =>
[error] => 2
[size] => 0
)

)

when I try to run it....
Here is my code:

Code:

<?php
if ($stage==NULL) {
?>
<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="content/imageup.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <input type="hidden" name="stage" value="1">
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
<?php
} else {
    // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
    // of $_FILES.

    $uploaddir = '../uploads/img';
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

    echo '<pre>' . $uploadfile . '<BR>';
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n";
    } else {
        echo "Possible file upload attack!\n";
    }

    echo 'Here is some more debugging info:';
    print_r($_FILES);

    print "</pre>";
}
?>
I am new to file uploads, not new to PHP...
The folder it is writing to is chmod(777), so it should have no problem moving the file there, yet I still get the error message.

Any help greatly appreciated
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Eh, I figured it out... here's my script if anyone wants it, or if anyone wants to point out my huge security issues so I can fix them

:lol:

Code:

<?php

if ($user!=NULL) {
    // Show the form on first load; handle the upload once stage=1 is posted
    if ($stage==NULL) {
?>
<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="content/imageup.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <input type="hidden" name="stage" value="1">
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
<?php
    } else {
        // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
        // of $_FILES.

        $uploaddir = '/home/jetlinka/public_html/main/uploads/img/';
        $filename = basename($_FILES['userfile']['name']);
        // Replace the client-supplied name with a random numeric base name
        $rand = rand(10000000000000, 99999999999999999);
        $uploadfile = $uploaddir . $rand;
        $filename = $rand;
        // Append random digits until no .jpg with that name exists
        if (file_exists("$uploadfile.jpg")) {
            while (file_exists("$uploadfile.jpg")) {
                $rand = rand(0,9);
                $uploadfile .= $rand;
                $filename .= $rand;
            }
        }

        // Accepted JPEG MIME types, as reported by the browser in $_FILES[...]['type']
        $Array_Type_Image = array("image/jpeg", "image/pjpeg");

        if (in_array($_FILES["userfile"]["type"], $Array_Type_Image)) {
            // Reject files of 50000 bytes or more
            if ($_FILES["userfile"]["size"] < 50000) {
                $uploadfile .= ".jpg";
                if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
                    //$filename = basename($_FILES['userfile']['tmp_name']);
                    echo "<img src='http://jetlinkairways.com/main/uploads/img/$filename.jpg'>";
                    echo "<BR>'http://jetlinkairways.com/main/uploads/img/$filename.jpg'<BR>";
                } else {
                    echo "Possible file upload attack!\n";
                }
            } else {
                echo "File too large";
                //print_r ($_FILES["file_name"]);
            }
        } else {
            echo "Not a valid .jpg file";
        }
    }
} else {
    include('signupreq.php');
}


?>
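
Added example, not part of josh's posts or of the original thread: a server-side check covering two things visible above. The `[error] => 2` in the first post's debug output is PHP's `UPLOAD_ERR_FORM_SIZE`, and the `type` value tested in the second script is whatever the browser sends. The function names, the destination directory argument and PHP 7 or later with the fileinfo extension are assumptions.

```php
<?php
// Added example (not the thread author's code): validate one uploaded JPEG.
// Assumed: field name 'userfile' as in the thread; helper names and $destDir
// are illustrative; requires PHP 7+ with the fileinfo extension.

function upload_error_text(int $code): string
{
    // Error 2 in the first post's print_r() output is UPLOAD_ERR_FORM_SIZE.
    $map = [
        UPLOAD_ERR_INI_SIZE   => 'larger than upload_max_filesize in php.ini',
        UPLOAD_ERR_FORM_SIZE  => 'larger than MAX_FILE_SIZE in the form',
        UPLOAD_ERR_PARTIAL    => 'only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file was sent',
        UPLOAD_ERR_NO_TMP_DIR => 'no temporary directory',
        UPLOAD_ERR_CANT_WRITE => 'could not write to disk',
        UPLOAD_ERR_EXTENSION  => 'stopped by a PHP extension',
    ];
    return $map[$code] ?? 'unknown upload error';
}

function store_jpeg_upload(array $file, string $destDir, int $maxBytes = 50000): string
{
    // 1. Check PHP's own status first; tmp_name is empty when it is non-zero.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException(upload_error_text($file['error']));
    }
    // 2. Enforce the size limit on the server; MAX_FILE_SIZE is only a form hint.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('file too large or not an upload');
    }
    // 3. Identify the type from the file's bytes, not the browser-supplied 'type'.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/jpeg' || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid JPEG');
    }
    // 4. Server-chosen random name, fixed extension; the client name is never used.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store the file');
    }
    return $name;
}

// Usage: $name = store_jpeg_upload($_FILES['userfile'], '/path/to/uploads/img');
```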