Page 1 of 1
multiple file upload
Posted: Sat Jul 14, 2007 5:45 pm
by nayeemmz
Hi,
I am facing a weird problem.
I am uploading multiple files using a form.
Right now I am trying to upload the following 4
files:
file 1, size = 2686 bytes
file 2, size = 746 bytes
file 3, size = 3516 bytes
file 4, size = 3277 bytes
If I try to upload them in that order the size of file 4 is shown to be 0 bytes on the file server
If I swap file 3 and 4 then I have the same problem of file size being 0 on the file server.
However, if I upload in the order file 1, file 3, file 4, file 2 then everything works fine and all the files show the right size.
As long as I don't upload files 3 and 4 last, the file ize of the last uploaded file is shown to be correct otherwise 0.
Any help would be appreciated.
Thanks
-Nayeem
Posted: Sat Jul 14, 2007 6:05 pm
by feyd
Code please.
Posted: Sat Jul 14, 2007 6:09 pm
by nayeemmz
Here is the code:
Code: Select all
<form enctype="multipart/form-data" action="uploadfilesonly.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="2097152"></input>
<table>
<?
$uploadNeed = $_POST['uploadNeed'];
for($x=0;$x<$uploadNeed;$x++){
?>
<tr><td>
<? if($x>0) {?>
file <?echo $x;?>: <input name="uploadFile<? echo $x;?>" type="file" id="uploadFile<? echo $x;?>" size=100></td></tr> <? } // Save the driver class file name.
else {
?> Dr file:<input name="uploadFile<? echo $x;?>" type="file" id="uploadFile<? echo $x;?>" size=100></td></tr> <? } } ?> <tr><td align=right>
<p><input name="uploadNeed" type="hidden" value="<? echo $uploadNeed;?>">
<input type="submit" name="Submit" value="Submit"> </td></tr> </table>
</p> </form>
Posted: Sat Jul 14, 2007 6:50 pm
by feyd
Upload handling code, please.
Posted: Sun Jul 15, 2007 1:42 am
by nayeemmz
Here is the upload handling code:
Code: Select all
for($x=0; $x<$uploadNeed;$x++)
{
$file_name = $_FILES['uploadFile'.$x]['name'];
// strip file_name of slashes
$file_name = stripslashes($file_name);
$file_name = str_replace("'","",$file_name);
if(!ssh2_scp_send ($ss_connect,$_FILES['uploadFile'.$x]['tmp_name'],'/tmp/'.$file_name,0644))
{
echo "Problem: Could not move $file_name into directory";
exit;
}
echo "$file_name uploaded successfully<br><br>";
}
Posted: Sun Jul 15, 2007 6:44 am
by feyd
What have you added/tried to aid in debugging?
Posted: Sun Jul 15, 2007 3:23 pm
by nayeemmz
Here are some of the tests that I run. I am just including the if statements:
Code: Select all
1. if($file_name =="")
2. if($_FILES['uploadFile'.$x]['size']==0)
3. if($_FILES['uploadFile'.$x]['type'] != "application/octet-stream")
4. if(!is_uploaded_file($_FILES['uploadFile'.$x]['tmp_name']))
I also check that the user is logged in.
Thanks
-Nayeem
Posted: Sun Jul 15, 2007 4:00 pm
by feyd
What is the purpose of the 'type' check? Why is there no 'error' check?
basename() is important to use on the 'name' field as some browsers supply full paths (and your script will accept full paths, thereby allowing someone to overwrite just about any file they wish)
Posted: Sun Jul 15, 2007 6:52 pm
by nayeemmz
Hi,
The type check is there because I want to upload only a particular type of files.
I understand about the basename() part but I don't think I understand how basename() could possibly solve the problem that I am having, though.
Thanks
-Nayeem
Posted: Sun Jul 15, 2007 6:55 pm
by feyd
nayeemmz wrote:The type check is there because I want to upload only a particular type of files.
'type' is supplied by the submitting agent and isn't verified by PHP. It's a bad idea to rely on it. Checking the file's content itself is, unfortunately, the only way to verify the file is acceptable.
mime_content_type() and/or
getimagesize() may be of interest.
nayeemmz wrote:I understand about the basename() part but I don't think I understand how basename() could possibly solve the problem that I am having, though.
It wasn't intended to fix your issue, only help close a gaping security hole in your script.
Posted: Sun Jul 15, 2007 7:02 pm
by nayeemmz
Okay.
Thanks for pointing out about the basename() and the file type check.