Help needed in uploading file on server on a button click

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

shaam
Forum Newbie
Posts: 20
Joined: Tue Jun 23, 2009 6:36 am

Help needed in uploading file on server on a button click

Post by shaam »

Hi everyone,
I want to upload a file to the server through a button click on a web page. It's working on my localhost, but when I try to upload the file on the server I get the following error:

Warning: move_uploaded_file(Document/CV/0[1].578125001245226128_Services2.gif) [function.move-uploaded-file]: failed to open stream: Permission denied in /home/content/o/p/t/opt4me/html/uploadCV.php on line 21

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpEaJk81' to 'Document/CV/0[1].578125001245226128_Services2.gif' in /home/content/o/p/t/opt4me/html/uploadCV.php on line 21

My code is:

Code:

<?php
    include ('dbconnect.php');
    $filename = $_FILES['userfile']['name'];

    if ($filename == '') {
        header('location: index.php');
    } else {
        $uploaddir = 'Document/CV/';
        //chmod('777',$uploaddir);
        // Both names are taken directly from the client-supplied upload name.
        $filename     = $_FILES['userfile']['name'];
        $fullfilename = $_FILES['userfile']['name'];
        $uploadfile   = $uploaddir . $fullfilename;

        // Line 21 of uploadCV.php: the call that produces the warnings above.
        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
            $query2 = "insert into table1(CV_name,CV_fulname,date) values ('$filename','$fullfilename',curdate())";
            mysql_query($query2);
            $insertId2 = mysql_insert_id();
            if ($insertId2) {
                header('location:regester_user.php?cvid=' . $insertId2);
                exit;
            } else {
                header('location: index.php');
            }
        }
        //end code of Upload File.
    }
?>
Last edited by Benjamin on Wed Jun 24, 2009 1:03 pm, edited 1 time in total.
Reason: Added [code=php] tags.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Help needed in uploading file on server on a button click

Post by goldensparrow »

Maybe you have not set the permission of your upload folder (Document/CV/) yet.
Please check the folder permission on your server.

These are the steps for setting the folder permission:
1. Right-click your folder and go to properties.
2. Change the numeric value to 777.

Or use the function:

Code:

chmod("[path file]", 0777);
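Before changing any mode bits it helps to know who owns the directory and which user PHP actually runs as; the two usually differ on shared hosting, and that mismatch is what "Permission denied" from move_uploaded_file() normally means. The script below is an added example, not code from this thread: it reports the directory's existence, mode, owner and the PHP process user, then prints the narrowest permission change that would make it writable. Only the directory name comes from the thread; the helper names and the report format are assumptions.

```php
<?php
// Added example, not code from the thread. Reports why the PHP process cannot
// write to the upload directory, so the permission can be fixed narrowly
// instead of with a blanket 0777 (which lets every local user write there).
// Only 'Document/CV/' comes from the thread; helper names are assumptions.

function describeUploadDir(string $dir): array
{
    $info = [
        'path'         => $dir,
        'exists'       => is_dir($dir),
        'writable'     => false,
        'mode'         => null,
        'owner'        => null,
        'process_user' => null,
    ];

    if ($info['exists']) {
        $info['writable'] = is_writable($dir);
        // fileperms() also carries the file-type bits; keep the rwx part only.
        $info['mode'] = sprintf('%04o', fileperms($dir) & 0777);
        $uid = fileowner($dir);
        $info['owner'] = (string) $uid;
        if (function_exists('posix_getpwuid')) {
            $pw = posix_getpwuid($uid);
            if ($pw) {
                $info['owner'] = $pw['name'];
            }
        }
    }

    // The effective uid is what the kernel checks against the directory mode.
    if (function_exists('posix_geteuid')) {
        $euid = posix_geteuid();
        $pw = posix_getpwuid($euid);
        $info['process_user'] = $pw ? $pw['name'] : (string) $euid;
    }

    return $info;
}

// Turn the report into the smallest change that makes the directory writable.
function suggestFix(array $info): string
{
    if (!$info['exists']) {
        return "Create {$info['path']} (mkdir) owned by {$info['process_user']}.";
    }
    if ($info['writable']) {
        return "{$info['path']} is writable; look elsewhere (open_basedir, SELinux, disk quota).";
    }
    if ($info['owner'] === $info['process_user']) {
        return "chmod 0755 {$info['path']}: the owner is the PHP user, so owner-write is enough.";
    }
    return "chown {$info['process_user']} {$info['path']} (or chgrp it to that user's group and chmod 0775); "
         . "0777 would also work but lets every local user write here.";
}

$info = describeUploadDir('Document/CV/');
foreach ($info as $key => $value) {
    printf("%-13s %s\n", $key . ':', var_export($value, true));
}
echo suggestFix($info), "\n";
```

Run it once from the same web server that executes uploadCV.php (not from a shell as your own user), otherwise the process_user line will not reflect the account that actually fails.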
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Help needed in uploading file on server on a button click

Post by kaisellgren »

If it is not a permission issue, it might be the filename "0[1].578125001245226128_Services2.gif", because as far as I can tell, no filenames should ever contain [ ] characters.

Your code is also vulnerable to attacks - you are allowing the user to decide where to write data. To make matters worse, it is also vulnerable to SQLi and header injections.
shaam
Forum Newbie
Posts: 20
Joined: Tue Jun 23, 2009 6:36 am

Re: Help needed in uploading file on server on a button click

Post by shaam »

Thanks kaisellgren for your reply.
It's not the file name issue; I tried it with a different file name but got the same error:

Warning: move_uploaded_file(Document/CV/Winter.jpg) [function.move-uploaded-file]: failed to open stream: Permission denied in /home/content/o/p/t/opt4me/html/uploadCV.php on line 21

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpMSXxcV' to 'Document/CV/Winter.jpg' in /home/content/o/p/t/opt4me/html/uploadCV.php on line 21

Also, can you tell me how I can make it secure from SQLi or header injection? I'm new to this field, that's why I don't know how to make it secure.

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Help needed in uploading file on server on a button click

Post by kaisellgren »

I think /Document/CV/ is not writable.

For SQLi, take a look at http://fi.php.net/manual/en/function.my ... string.php it explains pretty much.

As for the header injection, the $insertId2 you pass into the header is not filtered. A simple fix would be to cast it to an integer:

Code:

header('location:regester_user.php?cvid='. (int) $insertId2);
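Putting kaisellgren's three points together (the client chooses the write path, the INSERT interpolates the filename, and the redirect passes an unfiltered value), here is a hardened rewrite of the handler from the first post. This is an added example, not shaam's code or anything from this thread. It assumes a PDO connection instead of the mysql_* functions the thread uses (prepared statements replace mysql_real_escape_string() as the injection defence), the same table and column names, and that CVs are accepted only as PDF; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the thread's code: a hardened uploadCV.php.
// Assumptions: PDO instead of mysql_*, table1(CV_name, CV_fulname, date) as in
// the post, PDF-only uploads, placeholder DSN/credentials.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepared statements
]);

$uploaddir = __DIR__ . '/Document/CV/';   // fixed, absolute; never built from input
$allowed   = ['application/pdf' => 'pdf']; // detected MIME type => extension we assign

function redirectHome(): void
{
    header('Location: index.php');
    exit;   // always stop after a redirect; the rest of the script must not run
}

$file = $_FILES['userfile'] ?? null;

// 1. Accept only a successful upload that PHP itself placed in the temp dir.
if ($file === null
    || $file['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($file['tmp_name'])) {
    redirectHome();
}

// 2. Decide the type from the file content, not from the client-supplied name.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!isset($allowed[$mime])) {
    redirectHome();
}

// 3. The server chooses the stored name. The client name is kept only for
//    display, with any directory components stripped.
$storedName  = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
$displayName = basename($file['name']);

if (!move_uploaded_file($file['tmp_name'], $uploaddir . $storedName)) {
    redirectHome();
}
chmod($uploaddir . $storedName, 0640);   // not executable, not world-readable

// 4. Bound parameters: the values never become part of the SQL text.
$stmt = $pdo->prepare(
    'INSERT INTO table1 (CV_name, CV_fulname, date) VALUES (?, ?, CURDATE())'
);
$stmt->execute([$storedName, $displayName]);
$insertId = (int) $pdo->lastInsertId();

if ($insertId <= 0) {
    redirectHome();
}

// 5. Only an integer can reach the Location header (the cast from the reply above).
header('Location: regester_user.php?cvid=' . $insertId);
exit;
```

The stored name is random and server-generated, so the "[ ]" problem and path traversal through the filename disappear together; the original client name is still recorded in CV_fulname for display. Keeping the upload directory outside the document root, or at least with script execution disabled, is the usual companion to the 0640 mode.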
shaam
Forum Newbie
Posts: 20
Joined: Tue Jun 23, 2009 6:36 am

Re: Help needed in uploading file on server on a button click

Post by shaam »

Thank you very much Kai,
I have added the method (mysql_real_escape_string(), mentioned in the article you sent earlier) to my login pages to prevent SQL injection; hopefully it will protect my site from SQL injection.

Thanks
shaam
Forum Newbie
Posts: 20
Joined: Tue Jun 23, 2009 6:36 am

Re: Help needed in uploading file on server on a button click

Post by shaam »

But I think if we used stored procedures then there would be no issue of SQL injection?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Help needed in uploading file on server on a button click

Post by kaisellgren »

shaam wrote: But I think if we used stored procedures then there would be no issue of SQL injection?
Stored procedures do not make your code SQLi safe:

Code:

CREATE PROCEDURE `getEmail`(fullName VARCHAR(50))
BEGIN
    SELECT `email` FROM `emails` WHERE `fullName` = fullName;
END

Code:

CALL getEmail('$userSuppliedData'); // SQLi
I'm not sure if the syntax is correct; I haven't used SPs for a while.
Last edited by Benjamin on Wed Jun 24, 2009 1:04 pm, edited 1 time in total.
Reason: Changed code type from text to sql.
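The point in kaisellgren's reply is that the procedure is only as safe as the statement that calls it. The script below is an added example, not code from this thread: it creates the procedure from the post and then calls it from PHP in the two ways that matter, string interpolation (the injectable form shown above) and a bound parameter. It assumes a PDO connection with placeholder credentials and an `emails` table with `fullName` and `email` columns, as in the post. The parameter is renamed to `p_fullName`, because MySQL resolves a routine parameter that shares a column's name as the parameter, so `WHERE fullName = fullName` would compare the parameter with itself.

```php
<?php
// Added example, not kaisellgren's code. Shows that a stored procedure called
// with an interpolated string is still injectable, while the same procedure
// called with a bound parameter is not. Assumes PDO, placeholder credentials,
// and the `emails` table from the post.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// The procedure itself is fine: p_fullName is a typed parameter compared as a
// value, so nothing inside it is ever parsed as SQL. No DELIMITER is needed
// when the body is sent through PDO as one statement.
$createProcedure = <<<'SQL'
CREATE PROCEDURE getEmail(IN p_fullName VARCHAR(50))
BEGIN
    SELECT `email` FROM `emails` WHERE `fullName` = p_fullName;
END
SQL;

$pdo->exec('DROP PROCEDURE IF EXISTS getEmail');
$pdo->exec($createProcedure);

// Unsafe call: the user's value is spliced into the SQL text before the server
// parses it, exactly like CALL getEmail('$userSuppliedData') in the post.
function getEmailUnsafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->query("CALL getEmail('$name')");
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $stmt->closeCursor();   // CALL returns an extra status result set
    return $rows;
}

// Safe call: the SQL text is fixed at prepare time and the value is sent
// separately as a parameter, so it can only ever be the search string.
function getEmailSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('CALL getEmail(?)');
    $stmt->execute([$name]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $stmt->closeCursor();
    return $rows;
}

// A name containing a quote is an ordinary value for the safe version and a
// syntax error (or worse) for the unsafe one.
$name = "O'Brien";
print_r(getEmailSafe($pdo, $name));
try {
    print_r(getEmailUnsafe($pdo, $name));
} catch (PDOException $e) {
    echo "Unsafe call failed on a legitimate name: ", $e->getMessage(), "\n";
}
```

One caveat that the bound call does not cover: a procedure whose body builds its own query text with CONCAT() and PREPARE/EXECUTE reintroduces the same problem inside the database, whatever the caller does. The rule is the same in both places: values travel as parameters, never as pieces of SQL text.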