Posted: Wed May 03, 2006 4:46 am
by corillo181
Just in case you see the problem while I keep testing.. I'll check in a few if I still can't read the file with this code

Code:

<?php
$uploadDir = 'xml/';

if(isset($_POST['upload']))
{
    $fileName = $_FILES['userfile']['name'];
    $tmpName = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $filePath = $uploadDir . $fileName;

    $result = move_uploaded_file($tmpName, $filePath);
    if (!$result) {
        echo "Error uploading file";
        exit;
    }

    include 'config/db.php';

    if(!get_magic_quotes_gpc())
    {
        $fileName = addslashes($fileName);
        $filePath = addslashes($filePath);
    }

    $query = "INSERT INTO images (name, size, type, path ) ".
             "VALUES ('$fileName', '$fileSize', '$fileType', '$filePath')";

    mysql_query($query) or die(mysql_error());
}
?>

Posted: Wed May 03, 2006 4:51 am
by corillo181
Yeah, is that script alright.. it returns the pictures as 403-forbidden

Posted: Wed May 03, 2006 5:21 am
by Maugrim_The_Reaper
What are the file permissions for the pictures? Should be world readable.

Instead of addslashes() for SQL queries for mysql - use mysql_real_escape_string() or its equivalent if using mysqli (MySQL4.1+).

Posted: Wed May 03, 2006 5:29 am
by corillo181
I changed addslashes to mysql_real_escape_string and it still doesn't work.. it still gives the forbidden..

Posted: Wed May 03, 2006 6:09 am
by Maugrim_The_Reaper
Here's a good read for general awareness of securing file uploads...
http://shiflett.org/articles/security-corner-oct2004

Posted: Wed May 03, 2006 6:15 am
by Maugrim_The_Reaper
mysql escape functions won't alter that - it simply adds more security than using addslashes alone which is limited and ignores character encoding.

Check file permissions - are they at least 644? I.e. rw-r--r-- so that all users can at least read them and therefore access them online? If one of the settings is missing the read flag (r) it may be a problem, e.g. rw-r----- (no read permission for world)

Posted: Wed May 03, 2006 1:56 pm
by corillo181
How would I check that? Yahoo is my server provider.. so I can't see which settings they have set up..

Posted: Wed May 03, 2006 6:18 pm
by corillo181
:| I changed the file permission to 777 with the FTP client and still when I upload something with that script it says it is FORBIDDEN...

Anyone know what's wrong with the uploading script..

Posted: Thu May 04, 2006 12:47 am
by corillo181
Well, I found out the problem: it had to be copy instead of move..

But now can someone tell me how I work a file check into this, because I tried a few ways and it's still not working..

Code:

<?php
$uploaddir = 'xml/';
if(isset($_POST['ulfile']))
{
    if($_SERVER['ulfile']['type'] == "image/gif"){
        $filename = $_FILES['ulfile']['name'];
        $tmpname = $_FILES['ulfile']['tmp_name'];
        $filesize = $_FILES['ulfile']['size'];
        $filetype = $_FILES['ulfile']['type'];
        $filepath = $uploaddir . $filename;
        $result=copy($tmpname, $filepath);
    }
    if(!$result){
        echo"error uploading file";
        exit;
    }
}
?>
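
A file check of the kind asked about in the last post, as an added example that is not code from the thread or from any poster. It keeps the 'ulfile' field and 'xml/' directory from the posts; the function name checkGifUpload(), the 2 MiB limit and the use of PHP 7+ (for random_bytes()) are assumptions.

```php
<?php
// Added example, not code from the thread. 'ulfile' and 'xml/' come from the
// posts; MAX_BYTES and checkGifUpload() are assumed names and values.
const UPLOAD_DIR = 'xml/';
const MAX_BYTES  = 2097152; // 2 MiB, assumed limit

// Validate one $_FILES entry and return a server-chosen destination path.
// Throws RuntimeException when the upload must be rejected.
function checkGifUpload(array $file): string
{
    // PHP sets 'error' itself; anything but UPLOAD_ERR_OK means no usable file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file sent');
    }
    // Measure the temp file on disk rather than trusting the reported size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or too large');
    }
    // $file['type'] is whatever the browser sent, so it proves nothing.
    // Inspect the file contents instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        throw new RuntimeException('not a GIF image');
    }
    // Never build the path from the client-supplied name (path tricks, .php names).
    return UPLOAD_DIR . bin2hex(random_bytes(16)) . '.gif';
}

if (isset($_FILES['ulfile'])) {   // file fields arrive in $_FILES, not $_POST
    try {
        $dest = checkGifUpload($_FILES['ulfile']);
        // move_uploaded_file() only accepts a temp file PHP created for this request.
        if (!move_uploaded_file($_FILES['ulfile']['tmp_name'], $dest)) {
            throw new RuntimeException('could not store file');
        }
        chmod($dest, 0644); // rw-r--r--, the mode suggested earlier in the thread
        echo 'Stored as ' . htmlspecialchars(basename($dest));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Error uploading file: ' . htmlspecialchars($e->getMessage());
    }
}
```

getimagesize() only reads the image header, so the upload directory should still be configured so the server never executes files in it as scripts.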