Uploading file failed, db entry created anyway

Post by Bill H »

I have two problems with the following code, one minor, the other major.

Code:

if (isset($_POST['AddFile']))           // the file/name upload has been attempted by client
{
     ob_start();
     if (is_uploaded_file($_FILES['Ifile']['tmp_name']))
     {
          $Dest = "incl/" . $_FILES['Ifile']['name'];                                // where to put it
          if (move_uploaded_file($_FILES['Ifile']['tmp_name'], $Dest) != FALSE)      // success
          {
               include "db_connect.php";                    // connects and links to correct db

               $F = $_FILES['Ifile']['name'];               // don't need path in db name
               $N = $_POST['Client'];
               $Query = "INSERT INTO Clients (id,Name,File) VALUES (0,'$N','$F')";
               mysql_query($Query,$Link);

               unset($_SESSION['Add']);           // kicks system out of add mode
          }
          else $msg = "writing " . $_FILES['Ifile']['name'];               // could not move uploaded file
     }
     else $msg = "uploading " . $_FILES['Ifile']['name'];                  // file did not upload

     $Inform = "Client not created: " . $msg . " failed.";
     ob_end_flush();
}

The major one first. If the viewer types in a filename of a file that does not exist the code above creates the database entry and unsets the $_SESSION var as if a file had been uploaded successfully. wtf?

And the minor one. The max file size defined in php.ini is 2Mb as is max upload etc. But if the user selects a file that is larger than that, the system waits a bit over sixty seconds before informing that the upload failed, despite the inclusion of the following in the form.

Code:

<input type="hidden" name="MAX_FILE_SIZE" value="2000000">

Shouldn't that trip the oversize file error faster than that?

Post by Buddha443556 »

Did you remember:

Code:

<FORM .... enctype="multipart/form-data">

Post by Bill H »

Yep, sure did. Everything works the way it should, except when a nonexistent filename is typed into the file input.

Post by feyd »

Check the error element of the $_FILES entry.

Post by Bill H »

[error] is zero, and (aha) [size] is also zero. I'm going to put a trap in there to make sure the size is bigger than some arbitrary value and see if that works. I'll let you know.

But still... Why, if there is no file, would both functions return TRUE?

Post by feyd »

Your first if essentially checks that the array ($_FILES['Ifile'] is an array) has elements in it.

The second if should fail, I believe, if no file is present... at least that would make sense.


As for the "max size" setting you're passing in via the field: php has to wait for the upload to complete, too large or not, because it's part of the submission transmission. There's no real way around that.

Post by Bill H »

From the PHP manual for is_uploaded_file():

"Returns TRUE if the file named by filename was uploaded via HTTP POST."

...which doesn't really contradict what you said, but the manual could have worded it a little more clearly perhaps?

For move_uploaded_file():

"This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by destination.

If filename is not a valid upload file, then no action will occur, and move_uploaded_file() will return FALSE.

If filename is a valid upload file, but cannot be moved for some reason, no action will occur, and move_uploaded_file() will return FALSE. Additionally, a warning will be issued."

First, this implies that is_uploaded_file() isn't really needed.

If, however, is_uploaded_file() returns true for an array with error and size both equalling zero, then you might expect the first part of this function to do likewise. As for "if it cannot be moved", well, for a nonexistent file, what constitutes "not being able to be moved"?

The entire process, both functions, seems a bit vague.

Meanwhile, checking for a size < 1 solves my problem, so the question has become academic. Thanks for leading me to look at the rest of the array.
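The checks the thread arrives at (the error element first, then size), gathered into one handler that also keeps the client-supplied file name and client name out of the destination path and the SQL text. This is an added example, not code from any poster: the function names, the extension allow-list and the PDO connection are assumptions, while the table and column names are taken from the original post.

```php
<?php
// Added example, not code from the thread. validate_upload(), store_client(),
// the extension allow-list and the PDO handle are assumptions.

/** Returns null when the upload is usable, otherwise the reason it is not. */
function validate_upload(array $f, array $allowedExt): ?string
{
    // Oversize and missing uploads are reported through the error element.
    $reasons = [
        UPLOAD_ERR_INI_SIZE  => 'file exceeds upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE => 'file exceeds MAX_FILE_SIZE',
        UPLOAD_ERR_PARTIAL   => 'file was only partially uploaded',
        UPLOAD_ERR_NO_FILE   => 'no file was sent',
    ];
    $code = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if (!is_int($code)) {
        return 'malformed upload field';      // e.g. an array-style input name
    }
    if ($code !== UPLOAD_ERR_OK) {
        return $reasons[$code] ?? "upload error $code";
    }
    // The case from the thread: error is 0 but size is 0.
    if (($f['size'] ?? 0) < 1) {
        return 'file is empty';
    }
    $ext = strtolower(pathinfo($f['name'] ?? '', PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? null : 'file type not allowed';
}

/** Moves the file, then inserts the row; returns null on success. */
function store_client(PDO $db, array $f, string $client, string $dir): ?string
{
    $reason = validate_upload($f, ['txt', 'pdf']);   // constructed allow-list
    if ($reason !== null) {
        return $reason;
    }
    // basename() drops any directory part of the client-supplied name.
    $name = basename($f['name']);
    // move_uploaded_file() returns false for anything that is not a PHP upload.
    if (!move_uploaded_file($f['tmp_name'], $dir . '/' . $name)) {
        return 'could not move uploaded file';
    }
    // Bound parameters keep $client and $name out of the SQL text.
    $stmt = $db->prepare('INSERT INTO Clients (id,Name,File) VALUES (0,?,?)');
    $stmt->execute([$client, $name]);
    return null;
}
```

A caller would leave add mode (unset($_SESSION['Add'])) only when store_client() returns null, and show the returned reason otherwise.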