Upload file, need help.

Posted: Mon Nov 21, 2005 2:57 am
by vigour
I need help with this code. I'm trying to upload a file but I always get the error message: Possible file upload attack!

I don't understand why.

Can someone please help me?

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Untitled Document</title>
</head>
<body>

<form action="test_upload.php" method="post" enctype="multipart/form-data"> 
<p>Pictures: 
<input type="file" name="pictures" /> 
<input type="submit" value="Send" /> 
</p> 
</form>  

</body>
</html>




Code:

<?php
// Target directory and file name exactly as posted (note the leading slash).
$uploaddir = '/pictures/upload/';
$uploadfile = $uploaddir . basename($_FILES['pictures']['name']);

if (move_uploaded_file($_FILES['pictures']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}
//echo basename($_FILES['pictures']['name']);
echo '<br>';
echo $uploadfile;
?>

Posted: Mon Nov 21, 2005 3:24 am
by JayBird
You probably need the full path for the upload_dir

Code:

$uploaddir = $_SERVER['DOCUMENT_ROOT']."/pictures/upload/";

Posted: Mon Nov 21, 2005 3:36 am
by vigour
Pimptastic wrote:You probably need the full path for the upload_dir

Code:

$uploaddir = $_SERVER['DOCUMENT_ROOT']."/pictures/upload/";

Sorry, that did not help, same error message.

Posted: Mon Nov 21, 2005 4:02 am
by JayBird
in your else statement put this and post what it returns

Code:

echo "<pre>";
print_r($_FILES);
echo "</pre>";

Posted: Mon Nov 21, 2005 4:09 am
by vigour
Pimptastic wrote:in your else statement put this and post what it returns

Code:

echo "<pre>";
print_r($_FILES);
echo "</pre>";

This is what it returned:

Array
(
[pictures] => Array
(
[name] => 0003s.gif
[type] => image/gif
[tmp_name] => /var/tmp/phpEl44mP
[error] => 0
[size] => 2093
)

)

If I'm not totally wrong the error code 0 means no error, but if that's the case I don't understand why there is no picture in my folder after the upload.

Posted: Mon Nov 21, 2005 4:15 am
by JayBird
vigour wrote:If I'm not totally wrong the error code 0 means no error, but if that's the case I don't understand why there is no picture in my folder after the upload.
Yes, the file was uploaded correctly, but the part it fails on is moving the uploaded file to the place you want to store it.

I'm pretty sure it is a file path error... are you using the full server path for $uploaddir?

Posted: Mon Nov 21, 2005 8:35 am
by trukfixer
If you are going to use a relative path like this:

Code:

$uploaddir = '/pictures/upload/';

make sure you either use no leading slash, or use a dot slash thus:

Code:

$uploaddir = './pictures/upload/'; //relative path from "./" (this directory)  

//OR


$uploaddir = 'pictures/upload/';//no leading slash - relative path

Posted: Mon Nov 21, 2005 8:41 am
by Jenk
You also want to consider using the function realpath()

:)

Posted: Mon Nov 21, 2005 11:42 am
by Grim...
Make sure the folder you are trying to move the file to has a CHMod of 0775 (or 0777).
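
Added example, not posted by anyone in the thread: an upload handler that checks each step the replies above point at (error code, absolute path via realpath(), directory permissions) and reports which one failed instead of printing "Possible file upload attack!" for every failure. The function name store_upload() and the location of pictures/upload/ next to the script are assumptions.

```php
<?php
// Added example (not code from the thread). Assumes the upload directory is
// pictures/upload/ next to this script and the form field is named "pictures".

/**
 * Move one entry of $_FILES into $dir and return [bool $ok, string $message],
 * naming the step that failed instead of a generic "upload attack" message.
 */
function store_upload(array $file, string $dir): array
{
    // 1. Did PHP itself accept the upload? UPLOAD_ERR_OK is 0.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'PHP rejected the upload, error code ' . ($file['error'] ?? 'missing')];
    }
    // 2. Is tmp_name really a file created by this request's HTTP POST?
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'tmp_name is not an uploaded file'];
    }
    // 3. Resolve the target to an absolute filesystem path. realpath() returns
    //    false when the directory does not exist, which is what happens to
    //    '/pictures/upload/' if it was meant relative to the web root.
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return [false, "target directory does not exist: $dir"];
    }
    // 4. The web server user must be able to write there.
    if (!is_writable($real)) {
        return [false, "target directory is not writable by PHP: $real"];
    }
    // 5. basename() drops any directory part sent by the client.
    $target = $real . DIRECTORY_SEPARATOR . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, "move_uploaded_file() failed for $target"];
    }
    return [true, $target];
}

if (isset($_FILES['pictures'])) {
    [$ok, $message] = store_upload($_FILES['pictures'], __DIR__ . '/pictures/upload');
    // Escape before echoing: the file name is client-controlled.
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```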