I wonder if anybody can see what is going wrong with my script. If I use this for uploading to my server it works perfectly:
Code: Select all
<?php
//vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
// You may change maxsize, and allowable upload file types.
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
//Maximum file size. You may increase or decrease.
$MAX_SIZE = 10000000;
//Allowable file Mime Types. Add more mime types if you want
//$FILE_MIMES = array('image/jpeg','image/jpg','image/gif','image/png','application/msword','application/zip','application/sit','application/rar','application/txt','application/rtf',);
//Allowable file ext. names. you may add more extension names.
$FILE_EXTS = array('.doc');
//,'.txt','.zip','.sit','.jpg','.jpeg','.png','.gif','.rtf','.rar'
//Allow file delete? no, if only allow upload only
$DELETABLE = true;
//vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
// Do not touch the below if you are not confident.
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/************************************************************
* Setup variables
************************************************************/
$site_name = $_SERVER['HTTP_HOST'];
$url_dir = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_this = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$upload_dir = "files/";
$upload_url = $url_dir."/files/";
$message ="";
/************************************************************
* Create Upload Directory
************************************************************/
if (!is_dir("files")) {
if (!mkdir($upload_dir))
die ("upload_files directory doesn't exist and creation failed");
if (!chmod($upload_dir,0755))
die ("change permission to 755 failed.");
}
/************************************************************
* Process User's Request
************************************************************/
if ($_REQUEST[del] && $DELETABLE) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."DELETE - $_SERVER[REMOTE_ADDR]"."$_REQUEST[del]\n");
fclose($resource);
$signals = $_FILES['userfile']['name'];
if (strpos($_REQUEST[del],"/.")>0); //possible hacking
else if (strpos($_REQUEST[del],"files/") === false); //possible hacking
else if (substr($_REQUEST[del],0,6)=="files/") {
unlink($_REQUEST[del]);
print "<script>window.location.href='$url_this?message=File deletion successful.'</script>";
}
}
else if ($_FILES['userfile']) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."UPLOAD - $_SERVER[REMOTE_ADDR]"
.$_FILES['userfile']['name']." "
.$_FILES['userfile']['type']."\n");
fclose($resource);
$file_type = $_FILES['userfile']['type'];
$file_name = $_FILES['userfile']['name'];
$file_ext = strtolower(substr($file_name,strrpos($file_name,".")));
//File Size Check
if ( $_FILES['userfile']['size'] > $MAX_SIZE)
$message = "The file size is over 2MB.";
//File Type/Extension Check
else if (!in_array($file_type, $FILE_MIMES)
&& !in_array($file_ext, $FILE_EXTS) )
$message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
else
$message = do_upload($upload_dir, $upload_url);
print "<script>window.location.href='$url_this?message=$message'</script>";
}
else if (!$_FILES['userfile']);
else
$message = "Invalid File Specified.";
/************************************************************
* List Files
************************************************************/
$handle=opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
if(!is_dir($file) && !is_link($file)) {
$filelist .= "<a href='$upload_dir$file'>".$file."</a>";
if ($DELETABLE)
$filelist .= " - <a href='?del=$upload_dir$file' title='delete'> Delete this file?</a>";
$filelist .= "<sub><small><small><font color=black> ".date("d-m H:i", filemtime($upload_dir.$file))
."</font></small></small></sub>";
$filelist .="<br>";
}
}
// Delete on this page returns a url parm of files/signal.doc
// substr() will extract from the position (counting from 0)
// WHERE wordName= %s is replaced with $filename after it has been striped of files/
$relURL = $_GET['del'];
$filename = substr($relURL, 6);
if ((isset($_GET['del'])) && ($_GET['del'] != "")) {
$deleteSQL = sprintf("DELETE FROM word WHERE wordName='$filename'",
GetSQLValueString($_GET['del'], "text"));
mysql_select_db($database_johnston, $johnston);
$Result1 = mysql_query($deleteSQL, $johnston) or die(mysql_error());
}
function do_upload($upload_dir, $upload_url) {
$temp_name = $_FILES['userfile']['tmp_name'];
$file_name = $_FILES['userfile']['name'];
$file_name = str_replace("\\","",$file_name);
$file_name = str_replace("'","",$file_name);
$file_path = $upload_dir.$file_name;
//File Name Check
if ( $file_name =="") {
$message = "Invalid File Name Specified";
return $message;
}
$result = move_uploaded_file($temp_name, $file_path);
if (!chmod($file_path,0755))
$message = "change permission to 755 failed.";
else
$message = ($result)?"$file_name uploaded successfully." :
"Somthing is wrong with uploading a file.";
return $message;
}
?>Warning: fopen(log.txt): failed to open stream: Permission denied in /home/johnston/domains/fergusjohnston.com/public_html/admin_word_update2.php on line 136
Warning: fwrite(): supplied argument is not a valid stream resource in /home/johnston/domains/fergusjohnston.com/public_html/admin_word_update2.php on line 139
Warning: fclose(): supplied argument is not a valid stream resource in /home/johnston/domains/fergusjohnston.com/public_html/admin_word_update2.php on line 140
Warning: in_array(): Wrong datatype for second argument in /home/johnston/domains/fergusjohnston.com/public_html/admin_word_update2.php on line 150
Code: Select all
//vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
// You may change maxsize, and allowable upload file types.
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
//Maximum file size. You may increase or decrease.
$MAX_SIZE = 10000000;
//Allowable file Mime Types. Add more mime types if you want
//$FILE_MIMES = array('image/jpeg','image/jpg','image/gif','image/png','application/msword','application/zip','application/sit','application/rar','application/txt','application/rtf',);
//Allowable file ext. names. you may add more extension names.
$FILE_EXTS = array('.doc');
//,'.txt','.zip','.sit','.jpg','.jpeg','.png','.gif','.rtf','.rar'
//Allow file delete? no, if only allow upload only
$DELETABLE = true;
//vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
// Do not touch the below if you are not confident.
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/************************************************************
* Setup variables
************************************************************/
$site_name = $_SERVER['HTTP_HOST'];
$url_dir = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_this = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$upload_dir = "files/";
$upload_url = $url_dir."/files/";
$message ="";
/************************************************************
* Create Upload Directory
************************************************************/
if (!is_dir("files")) {
if (!mkdir($upload_dir))
die ("upload_files directory doesn't exist and creation failed");
if (!chmod($upload_dir,0755))
die ("change permission to 755 failed.");
}
/************************************************************
* Process User's Request
************************************************************/
if ($_REQUEST[del] && $DELETABLE) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."DELETE - $_SERVER[REMOTE_ADDR]"."$_REQUEST[del]\n");
fclose($resource);
if (strpos($_REQUEST[del],"/.")>0); //possible hacking
else if (strpos($_REQUEST[del],"files/") === false); //possible hacking
else if (substr($_REQUEST[del],0,6)=="files/") {
unlink($_REQUEST[del]);
print "<script>window.location.href='$url_this?message=File deletion successful.'</script>";
}
}
else if ($_FILES['userfile']) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."UPLOAD - $_SERVER[REMOTE_ADDR]"
.$_FILES['userfile']['name']." "
.$_FILES['userfile']['type']."\n");
fclose($resource);
$file_type = $_FILES['userfile']['type'];
$file_name = $_FILES['userfile']['name'];
$file_ext = strtolower(substr($file_name,strrpos($file_name,".")));
//File Size Check
if ( $_FILES['userfile']['size'] > $MAX_SIZE)
$message = "The file size is over 2MB.";
//File Type/Extension Check
else if (!in_array($file_type, $FILE_MIMES)
&& !in_array($file_ext, $FILE_EXTS) )
$message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
else
$message = do_upload($upload_dir, $upload_url);
print "<script>window.location.href='$url_this?message=$message'</script>";
}
else if (!$_FILES['userfile']);
else
$message = "Invalid File Specified.";
/************************************************************
* List Files
************************************************************/
$handle=opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
if(!is_dir($file) && !is_link($file)) {
$filelist .= "<a href='$upload_dir$file'>".$file."</a>";
if ($DELETABLE)
$filelist .= " - <a href='?del=$upload_dir$file' title='delete'> Delete this file?</a>";
$filelist .= "<sub><small><small><font color=black> ".date("d-m H:i", filemtime($upload_dir.$file))
."</font></small></small></sub>";
$filelist .="<br>";
}
}
// Delete on this page returns a url parm of files/signal.doc for example
// substr() will extract from the position (counting from 0) and strip files from files/signal.doc
// WHERE wordName= %s is replaced with $filename after it has been striped of files/
$relURL = $_GET['del'];
$filename = substr($relURL, 6);
if ((isset($_GET['del'])) && ($_GET['del'] != "")) {
$deleteSQL = sprintf("DELETE FROM word WHERE wordName='$filename'",
GetSQLValueString($_GET['del'], "text"));
mysql_select_db($database_johnston, $johnston);
$Result1 = mysql_query($deleteSQL, $johnston) or die(mysql_error());
}
function do_upload($upload_dir, $upload_url) {
// If the upload form field is filled out but the wordDetails is empty,
// then stop a null value from the blank field being passed to the database otherwise proceed
if (isset($_POST['wordDetails']) && !empty($_POST['wordDetails'])) {
$temp_name = $_FILES['userfile']['tmp_name'];
$file_name = $_FILES['userfile']['name'];
$file_name = str_replace("\\","",$file_name);
$file_name = str_replace("'","",$file_name);
$file_path = $upload_dir.$file_name;
//$wordDetails here added by Brian
$wordDetails= $_POST['wordDetails'];
//proceed with insert into db once all tests are passed.
$insertSQL = sprintf("INSERT INTO word (wordName, wordDetails) VALUES (%s, %s)",
GetSQLValueString($_FILES['userfile']['name'], "text"),
GetSQLValueString($_POST['wordDetails'], "text"));
mysql_select_db($database_johnston, $johnston);
$Result1 = mysql_query($insertSQL, $johnston) or die(mysql_error());
}
//If wordDetails empty check
if ( $wordDetails =="") {
$message = "Programme Note title missing";
return $message;
}
//File Name Check
if ( $file_name =="") {
$message = "Invalid File Name Specified";
return $message;
}
$result = move_uploaded_file($temp_name, $file_path);
if (!chmod($file_path,0755))
$message = "change permission to 755 failed.";
else
$message = ($result)?"$file_name uploaded successfully." :
"Something is wrong with uploading a file.";
return $message;
}
?>If anybody has the patience to read through and see what’s going wrong I’d be most grateful. Most of this code I have tried to adapt myself and I’m not afraid to admit that I’m drowning here in stuff that’s beyond my full understanding.
Sincere thanks for any advice
Brian
This is my Form just in case it’s relevant.
Code: Select all
<form name="e;upload"e; id="e;upload"e; ENCTYPE="e;multipart/form-data"e; method="e;post"e;action="e;<?php echo $editFormAction; ?>"e;>
<p><strong>Your Uploaded Files so far are: </strong></p>
<?=$filelist?>
<p>&nbsp;</p>
<table align="e;center"e;>
<tr valign="e;baseline"e;>
<td nowrap align="e;right"e;>Upload Word file: </td>
<td><input type="e;file"e; id="e;userfile"e; name="e;userfile"e; ></td>
</tr>
<tr valign="e;baseline"e;>
<td nowrap align="e;right"e;>Programme Note title:
</td>
<td><input type="e;text"e; name="e;wordDetails"e; id ="e;wordDetails"e; value="e;"e; size="e;32"e; ></td>
</tr>
<tr valign="e;baseline"e;>
<td nowrap align="e;right"e;>&nbsp;</td>
<td><input type="e;submit"e; name="e;upload"e; value="e;Insert record"e;></td>
</tr>
</table>
<input type="e;hidden"e; name="e;upload"e; value="e;form1"e;>
</form>