Upload file problem

Posted: Mon Mar 19, 2007 7:10 am
by Noobie
Hi

I'm wondering if someone could help me with a document upload problem?

I had a script working fine except that it didn't do exactly what I wanted it to - so I tweaked it. In fact I tweaked it so much that it no longer works! :cry:

Anyway - here it is:

The script takes the information sent by a form and enters the text fields info into a db along with the document name then it moves the document itself to the uploads folder.

Code:

include("/home/whatever/public_html/includes/dbsetup.php");   
   
// Making variables
$nl_id = $_POST['nl_id'];
$nl_title = $_POST['nl_title'];
$nl_date = $_POST['nl_date'];
$nl_name = $_FILES['nl_name'];
$uploaddir = '/uploads/';


   // Build the INSERT statement once; it is executed below
   $query = "INSERT INTO newsletter (nl_id,nl_title,nl_date,nl_name) ".
      "VALUES ('NULL', '$nl_title', '$nl_date', '$nl_name' )";

   // save the info to the database
   $results = mysql_query( $query );

if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $nl_name)) {
    echo "<h2>Successful Upload</h2><p>File is valid, and was successfully uploaded.</p>";
    } else {
       echo "<p>Problem Uploading</p>";
    }

I'm getting the following error:

move_uploaded_file(Array) [function.move-uploaded-file]: failed to open stream: Permission denied in... etc etc

Any help gratefully accepted!

Posted: Mon Mar 19, 2007 8:06 am
by thiscatis
Hmm, are you sure the permission settings for the uploads folder are set to writable?
You can change this using CHMOD

Posted: Mon Mar 19, 2007 8:08 am
by Noobie
That's what I thought - but no, it's set to 777.

Posted: Mon Mar 19, 2007 8:09 am
by mentor
What does this mean?

$nl_name = $_FILES['nl_name'];

Posted: Mon Mar 19, 2007 8:13 am
by mentor
You did not mention the correct destination to move the uploaded file to.

Code:

if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $nl_name))

Posted: Mon Mar 19, 2007 8:21 am
by Noobie
Yeah the original script appended the upload directory onto the file name but I had to change that as the only way it worked was for the upload directory path to be /home/username/html/uploads which was no good if appended to the file name but if I tried just having /uploads/ as the specified directory then it didn't work.

(bearing in mind that I'm not very good at PHP) I tried to do this:

Code:

if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $uploaddir))

But no joy either.

Posted: Mon Mar 19, 2007 10:04 am
by feyd
/uploads would be the directory "uploads" in the root. I doubt the directory is there. Note how "/home/username/html/uploads" is a full system path.

$nl_name is being set to the array associated with the information for your uploaded file. You need to use the basename() of the 'name' element from that array.

Posted: Mon Mar 19, 2007 10:50 am
by Noobie
Maybe I'm approaching this in the wrong way.

The original version of this script that works is:

Code:

$uploaddir = '/home/username/public_html/uploads/';
$uploadfile = $uploaddir . basename($_FILES['nl_name']['name']);

include("/home/username/public_html/includes/dbsetup.php");   
   
// Making variables
    $nl_id = $_POST['nl_id'];
    $nl_title = $_POST['nl_title'];
    $nl_date = $_POST['nl_date'];


// Build the INSERT statement once; it is executed below
    $query = "INSERT INTO newsletter (nl_id,nl_title,nl_date,uploadfile) ".
    "VALUES ('NULL', '$nl_title', '$nl_date', '$uploadfile' )";

// save the info to the database
    $results = mysql_query( $query );

// move the uploaded document from PHP's temp location into the uploads folder
if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $uploadfile)) {
    echo "<h2>Successful Upload</h2><p>File is valid, and was successfully uploaded.</p>";
    } else {
    echo "<p>Problem Uploading</p>";
    }

The problem is that it inserts the full path (i.e. /home/username/public_html/uploads/filename.doc) into the DB and that's no use to me as I need a more useable path for the file.

So what do I need to change to get it to upload the file but without appending the full path (pref just the filename)?

Thanks for your patience.

Posted: Mon Mar 19, 2007 10:58 am
by mentor
You can use a relative path like

Code:

$uploaddir = 'uploads/';

Posted: Mon Mar 19, 2007 11:00 am
by feyd

Code:

basename($_FILES['nl_name']['name'])

Posted: Mon Mar 19, 2007 11:05 am
by Noobie
Thanks for all your help, in the end I did this:

Code:

$uploaddir = '/home/username/public_html/uploads/';
$uploadfile = $uploaddir . basename($_FILES['nl_name']['name']);
$uploadfilename = basename($_FILES['nl_name']['name']);

include("/home/username/public_html/includes/dbsetup.php");   
   
// Making variables
$nl_id = $_POST['nl_id'];
$nl_title = $_POST['nl_title'];
$nl_date = $_POST['nl_date'];
$nl_name = $_FILES['nl_name'];


   // Build the INSERT statement once; only the bare file name is stored
   $query = "INSERT INTO newsletter (nl_id,nl_title,nl_date,uploadfilename) ".
      "VALUES ('NULL', '$nl_title', '$nl_date', '$uploadfilename' )";

   // save the info to the database
   $results = mysql_query( $query );

// move the uploaded document to its full path in the uploads folder
if (move_uploaded_file($_FILES['nl_name']['tmp_name'], $uploadfile)) {
   echo "<h2>Successful Upload</h2><p>File is valid, and was successfully uploaded.</p>";
   } else {
   echo "<p>Problem Uploading</p>";
   }

And it works fine - unless someone can see anything that might come back to bite me?

Posted: Mon Mar 19, 2007 1:37 pm
by Mordred
Noobie wrote: And it works fine - unless someone can see anything that might come back to bite me?
Apart from the arbitrary file upload and the SQL injection, there's nothing to worry about, your server is pwned anyways :twisted:
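
The two problems named in the last post, handled in one function, as an added example that is not code from the thread: the upload is checked against an allow-list and stored under a server-generated name, and the INSERT uses bound parameters. Assumptions: the function name store_newsletter(), a PDO connection in place of the mysql_* calls, an auto-increment nl_id, and a constructed allow-list of document types.

```php
<?php
// Added example, not code from the thread. store_newsletter(), the $allowed
// policy and the PDO handle (replacing mysql_*) are assumptions.
declare(strict_types=1);

function store_newsletter(PDO $db, array $file, string $title, string $date, string $dir): string
{
    // Constructed allow-list: extension => MIME types finfo may report for it
    // (the strings vary with the libmagic version; adjust to your server).
    $allowed = [
        'pdf' => ['application/pdf'],
        'doc' => ['application/msword', 'application/vnd.ms-office'],
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }

    // The client-supplied name is used only to read the extension ...
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // ... and the content is inspected server-side instead of trusting $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }

    // Server-generated name: no user-controlled path parts, no .php extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not move upload');
    }

    // Bound parameters keep the form values out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO newsletter (nl_title, nl_date, uploadfilename) VALUES (?, ?, ?)'
    );
    $stmt->execute([$title, $date, $stored]);

    return $stored;
}

// Call from the form handler, with $db an assumed PDO connection:
// $name = store_newsletter($db, $_FILES['nl_name'], $_POST['nl_title'],
//                          $_POST['nl_date'], '/home/username/public_html/uploads');
```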