Upload file problem

Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am


Post by Noobie »

Hi

I'm wondering if someone could help me with a document upload problem?

I had a script working fine except that it didn't do exactly what I wanted it to - so I tweaked it. In fact I tweaked it so much that it no longer works! :cry:

Anyway - here it is:

The script takes the information sent by a form and enters the text fields info into a db along with the document name then it moves the document itself to the uploads folder.

Code:

include("/home/whatever/public_html/includes/dbsetup.php");   
   
// Making variables
$nl_id = $_POST['nl_id'];
$nl_title = $_POST['nl_title'];
$nl_date = $_POST['nl_date'];
$nl_name = $_FILES['nl_name'];
$uploaddir = '/uploads/';


   $result=MYSQL_QUERY("INSERT INTO newsletter (nl_id,nl_title,nl_date,nl_name)".
      "VALUES ('NULL', '$nl_title', '$nl_date', '$nl_name' )");

   // save the info to the database
   $results = mysql_query( $query );

if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $nl_name)) {
    echo "<h2>Sucessful Upload</h2><p>File is valid, and was successfully uploaded.</p>";
    } else {
       echo "<p>Problem Uploading</p>";
    }

I'm getting the following error:

move_uploaded_file(Array) [function.move-uploaded-file]: failed to open stream: Permission denied in... etc etc

Any help gratefully accepted!
thiscatis
Forum Contributor
Posts: 434
Joined: Thu Jul 20, 2006 11:00 am

Post by thiscatis »

Hmm, are you sure the permission settings for the uploads folder are set to writable?
You can change this using CHMOD
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

That's what I thought - but no, it's set to 777.
mentor
Forum Contributor
Posts: 100
Joined: Sun Mar 11, 2007 11:10 am
Location: Pakistan

Post by mentor »

What does this mean?
$nl_name = $_FILES['nl_name'];
mentor
Forum Contributor
Posts: 100
Joined: Sun Mar 11, 2007 11:10 am
Location: Pakistan

Post by mentor »

You did not mention the correct destination to move uploaded file.

Code:

if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $nl_name))
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Yeah the original script appended the upload directory onto the file name but I had to change that as the only way it worked was for the upload directory path to be /home/username/html/uploads which was no good if appended to the file name but if I tried just having /uploads/ as the specified directory then it didn't work.

(bearing in mind that I'm not very good at PHP) I tried to do this:

Code:

if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $uploaddir))

But no joy either.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

/uploads would be the directory "uploads" in the root. I doubt the directory is there. Note how "/home/username/html/uploads" is a full system path.

$nl_name is being set to the array associated with the information for your uploaded file. You need to use the basename() of the 'name' element from that array.
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Maybe I'm approaching this in the wrong way.

The original version of this script that works is:

Code:

$uploaddir = '/home/username/public_html/uploads/';
$uploadfile = $uploaddir . basename($_FILES['nl_name']['name']);

include("/home/username/public_html/includes/dbsetup.php");   
   
// Making variables
    $nl_id = $_POST['nl_id'];
    $nl_title = $_POST['nl_title'];
    $nl_date = $_POST['nl_date'];


    $result=MYSQL_QUERY("INSERT INTO newsletter (nl_id,nl_title,nl_date,uploadfile)".
    "VALUES ('NULL', '$nl_title', '$nl_date', '$uploadfile' )");


// save the info to the database
    $results = mysql_query( $query );



if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $uploadfile)) {
         echo "<h2>Sucessful Upload</h2><p>File is valid, and was successfully uploaded.</p>";
	  } else {
           echo "<p>Problem Uploading</p>";
        }

The problem is that it inserts the full path (i.e. /home/username/public_html/uploads/filename.doc) into the DB and that's no use to me as I need a more useable path for the file.

So what do I need to change to get it to upload the file but without appending the full path (pref just the filename)?

Thanks for your patience.
mentor
Forum Contributor
Posts: 100
Joined: Sun Mar 11, 2007 11:10 am
Location: Pakistan

Post by mentor »

You can use a relative path like

Code:

$uploaddir = 'uploads/';
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Code:

basename($_FILES['nl_name']['name'])
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Thanks for all your help, in the end I did this:

Code:

$uploaddir = '/home/username/public_html/uploads/';
$uploadfile = $uploaddir . basename($_FILES['nl_name']['name']);
$uploadfilename = basename($_FILES['nl_name']['name']);

include("/home/username/public_html/includes/dbsetup.php");   
   
// Making variables
$nl_id = $_POST['nl_id'];
$nl_title = $_POST['nl_title'];
$nl_date = $_POST['nl_date'];
$nl_name = $_FILES['nl_name'];


   $result=MYSQL_QUERY("INSERT INTO newsletter (nl_id,nl_title,nl_date,uploadfilename)".
      "VALUES ('NULL', '$nl_title', '$nl_date', '$uploadfilename' )");


   // save the info to the database
   $results = mysql_query( $query );


if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $uploadfile)) {
   echo "<h2>Sucessful Upload</h2><p>File is valid, and was successfully uploaded.</p>";
   } else {
   echo "<p>Problem Uploading</p>";
   }

And it works fine - unless someone can see anything that might come back to bite me?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Noobie wrote: And it works fine - unless someone can see anything that might come back to bite me?

Apart from the arbitrary file upload and the SQL injection, there's nothing to worry about, your server is pwned anyways :twisted:
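
The two issues named in the last post (arbitrary file upload and SQL injection), addressed in a reworked handler. This is an added example, not code from the thread: it swaps mysql_* for PDO prepared statements, and the function name store_newsletter, the $pdo connection, the type allowlist, the size limit and an auto-increment nl_id are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed: PDO in place of mysql_*,
// an auto-increment nl_id, and the allowlist and size limit below.
const UPLOAD_DIR = '/home/username/public_html/uploads/'; // path used in the thread
const MAX_BYTES  = 5 * 1024 * 1024;                       // assumed limit
const ALLOWED    = [                                      // extension => MIME type from finfo
    'pdf' => 'application/pdf',
    'doc' => 'application/msword', // confirm what finfo reports on your server
];

function store_newsletter(PDO $pdo, array $file, string $title, string $date): string
{
    // Reject failed uploads and array-shaped (multi-file) input.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Allow only known document types: the extension must be on the list and
    // the content sniffed by finfo must match it. The client-sent 'type' is ignored.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ((ALLOWED[$ext] ?? null) !== $mime) {
        throw new RuntimeException('File type not allowed');
    }

    // Server-generated name: nothing from the client ends up in the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $stored)) {
        throw new RuntimeException('Could not store file');
    }

    // Placeholders keep the form values out of the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO newsletter (nl_title, nl_date, uploadfilename) VALUES (?, ?, ?)'
    );
    $stmt->execute([$title, $date, $stored]);
    return $stored;
}

// In the form handler ($pdo is assumed to be created in dbsetup.php):
// $name = store_newsletter($pdo, $_FILES['nl_name'], $_POST['nl_title'], $_POST['nl_date']);
```

Configuring the web server so that nothing under the uploads directory is executed as PHP is a further layer on top of this.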