Uploading file failed, db entry created anyway

Posted: Wed Jan 11, 2006 9:16 am
by Bill H
I have two problems with the following code, one minor, the other major.

Code:

if (isset($_POST['AddFile']))           // the file/name upload has been attempted by client
{
     ob_start();
     if (is_uploaded_file($_FILES['Ifile']['tmp_name']))
     {
          $Dest = "incl/" . $_FILES['Ifile']['name'];                                // where to put it
          if (move_uploaded_file($_FILES['Ifile']['tmp_name'], $Dest) != FALSE)      // success
          {
               include "db_connect.php";                    // connects and links to correct db

               $F = $_FILES['Ifile']['name'];               // don't need path in db name
               $N = $_POST['Client'];
               $Query = "INSERT INTO Clients (id,Name,File) VALUES (0,'$N','$F')";
               mysql_query($Query,$Link);

               unset($_SESSION['Add']);           // kicks system out of add mode
          }
          else $msg = "writing " . $_FILES['Ifile']['name'];               // could not move uploaded file
     }
     else $msg = "uploading " . $_FILES['Ifile']['name'];                  // file did not upload

     $Inform = "Client not created: " . $msg . " failed.";
     ob_end_flush();
}
The major one first. If the viewer types in a filename of a file that does not exist, the code above creates the database entry and unsets the $_SESSION var as if a file had been uploaded successfully. wtf?

And the minor one. The max file size defined in php.ini is 2Mb as is max upload etc. But if the user selects a file that is larger than that, the system waits a bit over sixty seconds before informing that the upload failed, despite the inclusion of the following in the form.

Code:

<input type="hidden" name="MAX_FILE_SIZE" value="2000000">
Shouldn't that trip the oversize file error faster than that?

Posted: Wed Jan 11, 2006 10:02 am
by Buddha443556
Did you remember:

Code:

<FORM .... enctype="multipart/form-data">

Posted: Wed Jan 11, 2006 10:21 am
by Bill H
Yep, sure did. Everything works the way it should, except when a nonexistent filename is typed into the file input.

Posted: Wed Jan 11, 2006 11:05 am
by feyd
Check the error element of the $_FILES entry.

Posted: Wed Jan 11, 2006 12:23 pm
by Bill H
[error] is zero, and (aha) [size] is also zero. I'm going to put a trap in there to make sure the size is bigger than some arbitrary value and see if that works. I'll let you know.

But still... Why, if there is no file, would both functions return TRUE?

Posted: Wed Jan 11, 2006 2:15 pm
by feyd
Your first if essentially checks that the array ($_FILES['Ifile'] is an array) has elements in it.

The second if should fail, I believe, if no file is present... at least that would make sense.

As for the "max size" setting you're passing in via the field: PHP has to wait for the upload to complete, too large or not, because it's part of the submission transmission. There's no real way around that.

Posted: Wed Jan 11, 2006 3:48 pm
by Bill H
From the PHP manual for is_uploaded_file():
"Returns TRUE if the file named by filename was uploaded via HTTP POST."
...which doesn't really contradict what you said, but the manual could have worded it a little more clearly, perhaps?
For move_uploaded_file():
"This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by destination.

"If filename is not a valid upload file, then no action will occur, and move_uploaded_file() will return FALSE.

"If filename is a valid upload file, but cannot be moved for some reason, no action will occur, and move_uploaded_file() will return FALSE. Additionally, a warning will be issued."
First, this implies that is_uploaded_file() isn't really needed.

If, however, is_uploaded_file() returns true for an array with error and size both equalling zero, then you might expect the first part of this function to do likewise. As for "if it cannot be moved," well, for a nonexistent file, what constitutes "not being able to be moved"?

The entire process, both functions, seems a bit vague.

Meanwhile, checking for a size < 1 solves my problem, so the question has become academic. Thanks for leading me to look at the rest of the array.
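
Added example, not part of the original thread: one way to gate the database insert on the checks the thread arrives at (the error element first, then size < 1), written for current PHP with PDO bound parameters in place of mysql_query(). The function names, the $db handle, the file name allowlist and an auto-assigned id column are assumptions.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Reduce the client-supplied name to one safe path component ('' if unusable).
function safe_name(string $raw): string
{
    $name = basename(str_replace('\\', '/', $raw));
    return preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name) ? $name : '';
}

// Return null if the $_FILES entry is a usable upload, else the reason it is not.
function upload_problem(array $f, int $maxBytes = 2000000): ?string
{
    $err = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err === UPLOAD_ERR_INI_SIZE || $err === UPLOAD_ERR_FORM_SIZE) return 'file too large';
    if ($err === UPLOAD_ERR_NO_FILE) return 'no file sent';
    if ($err !== UPLOAD_ERR_OK) return "upload error code $err";
    // The case from the thread: error is 0, yet no bytes arrived.
    if (($f['size'] ?? 0) < 1) return 'file is empty';
    if ($f['size'] > $maxBytes) return 'file too large';
    if (safe_name($f['name'] ?? '') === '') return 'file name not acceptable';
    return null;
}

// Store the file, then create the row; returns null on success or the reason.
function add_client(PDO $db, string $client, array $f, string $dir = 'incl/'): ?string
{
    if (($why = upload_problem($f)) !== null) return $why;
    $name = safe_name($f['name']);
    // move_uploaded_file() refuses anything that is not a PHP upload.
    if (!move_uploaded_file($f['tmp_name'], $dir . $name)) return 'could not store file';
    // Bound parameters keep both client-supplied strings out of the SQL text.
    // Assumes Clients.id is auto-assigned, so it is omitted here.
    $db->prepare('INSERT INTO Clients (Name, File) VALUES (?, ?)')->execute([$client, $name]);
    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed $_FILES entries; the second one is the case reported above.
    $samples = [
        ['name' => 'acme.inc', 'error' => 0, 'size' => 512],
        ['name' => 'nosuchfile.inc', 'error' => 0, 'size' => 0],
        ['name' => '../db_connect.php', 'error' => 0, 'size' => 90],
        ['name' => 'big.inc', 'error' => UPLOAD_ERR_FORM_SIZE, 'size' => 0],
    ];
    foreach ($samples as $s) {
        echo $s['name'], ': ', upload_problem($s) ?? 'ok as ' . safe_name($s['name']), "\n";
    }
}
```

Run from the command line, the loop reports the zero-byte entry as "file is empty" and shows the third name reduced to its last path component before it would be joined to incl/.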