Updated config file, didn't solve. Checked all URLs, nope!

Posted: Wed Mar 22, 2006 8:51 pm
by xterra
I'm doing a simple image upload and basically, as I'm sure all of you are aware, no matter what tutorial I find on the internet, the code is basically the same (for just simple image uploads).

But what I am finding is that it keeps returning "Possible image upload attack!".

I have changed the config file to the following:

"config.inc.php"


$cfg['UploadDir'] = 'http://www.mydomain.com/images/';


In my upload.php file:

Code:

<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = 'http://www.mydomain.com/images/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.\n";
} else {
   echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>

Notice the two upload directories are the same. It keeps saying possible image upload attack. The file size is only a few kilobytes, so it must have something to do with the directory which I am trying to upload to.

Can anyone offer any advice? As far as I know there are no restrictions that would disable image uploads on my server. I mean I changed it in my config file.

Regards,
Rob.


Posted: Wed Mar 22, 2006 8:56 pm
by Benjamin

Code:

$uploaddir = 'http://www.mydomain.com/images/';

Needs to be something like...

Code:

$uploaddir = '/home/username/www/html/website.com/images/';

Posted: Wed Mar 22, 2006 9:00 pm
by xterra
Ok so I'll try

Code:

$uploaddir = '/home/username/www/html/domain.com/images/';

Posted: Wed Mar 22, 2006 9:03 pm
by Benjamin
No, you will need to change the path to the path where your web site images folder is on the actual server. If it's a Unix server it will be something like the format above, otherwise it could be something like "C:/folder/folder/websites/mywebsite.com/images/"

Posted: Wed Mar 22, 2006 9:07 pm
by xterra
Thanks for responding.

Sorry I am a noob.

It is a Unix server. The directory looks like this, when I get to it through FileZilla, all my html files are under a folder called htdocs.

When I click the htdocs, all my files that I made are in there. Then, inside that htdocs, I have a folder called images. But, inside htdocs, but not images, there is phpMyAdmin.

So it looks like this:

htdocs

-----Welcome.html
-----submit.php
-----Images Folder
-----phpMyAdmin
-----------Config File


So the image directory is located:

myDomain.com/images/


And the PHP files are located:

myDomain.com/Submit.php


So then would it be:

$uploaddir = '/home/xterra/www/html/myDomain.com/images/';

Posted: Wed Mar 22, 2006 9:11 pm
by feyd
It might be best to base the path off $_SERVER['DOCUMENT_ROOT'].

Posted: Wed Mar 22, 2006 9:39 pm
by xterra
That's a good idea.

I tried that, and just for testing purposes I outputted what it would be when I made the string (+images directory) and it looks good:

Code:

$location=$_SERVER['DOCUMENT_ROOT'];
$imageName='images/';
$result="$location$imageName";



Makes:
/home/myUsername/htdocs/images/


Looks good. But I just put that PHP code in the config file so that would be the directory file, AND the upload file. But still doesn't work. Could this be something regarding permissions?

Posted: Wed Mar 22, 2006 9:43 pm
by xterra
Some more info:

Possible file upload attack!
Here is some more debugging info:Array
(
[userfile] => Array
(
[name] => t.bmp
[type] => image/bmp
[tmp_name] => /tmp/phpiy2BGp
[error] => 0
[size] => 11094
)

)

Posted: Wed Mar 22, 2006 9:51 pm
by Benjamin
Yes, your images directory needs to have write permissions. Also (for security) you will need to add code to chmod the upload file to read-only and ensure that it actually is an image.
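
Added example (not code posted by anyone in this thread): an upload handler that reports each failure cause separately instead of labelling every false return from move_uploaded_file() as an attack, and that applies the image check and read-only chmod mentioned above. The function name store_uploaded_image() is hypothetical, the accepted image types are an assumption, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. The field name 'userfile' and the
// images/ folder come from the thread; store_uploaded_image() is hypothetical.

function store_uploaded_image(array $file, string $uploadDir): string
{
    // 1. PHP reports transport problems (size limits, partial upload) here.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'n/a'));
    }
    // 2. The destination must be a local directory the web server user can
    //    write to. A URL such as http://.../images/ fails this check.
    if (!is_dir($uploadDir) || !is_writable($uploadDir)) {
        throw new RuntimeException("Upload directory is not a writable local path: $uploadDir");
    }
    // 3. Confirm tmp_name really is this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    // 4. Ignore the client-supplied [type]; inspect the file contents instead.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_BMP]; // assumed allow-list
    if ($info === false || !in_array($info[2], $allowed, true)) {
        throw new RuntimeException('File is not an accepted image type');
    }
    // 5. Pick the stored name server-side so the client cannot choose the
    //    extension (for example .php) or overwrite an existing file.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move_uploaded_file() failed');
    }
    // 6. Read-only, never executable.
    chmod($target, 0444);
    return $name;
}

if (isset($_FILES['userfile'])) {
    try {
        $dir = rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/images';
        echo 'Stored as ', htmlspecialchars(store_uploaded_image($_FILES['userfile'], $dir));
    } catch (RuntimeException $e) {
        echo 'Upload rejected: ', htmlspecialchars($e->getMessage());
    }
}
```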

Posted: Wed Mar 22, 2006 10:00 pm
by xterra
THANKS!!! IT WORKED!!!!!!!