File Upload



rafiki
07-27-2007, 03:26 AM
error =

Warning: move_uploaded_file(/uploads/zzzzzzzzMORPH.png): failed to open stream: No such file or directory in /home/www/rafiki.freehostia.com/upload/upload.php on line 14



Warning: move_uploaded_file(): Unable to move '/tmp/phpQPbG4Q' to '/uploads/zzzzzzzzMORPH.png' in /home/www/rafiki.freehostia.com/upload/upload.php on line 14

Possible file upload attack!
Here is some more debugging info:Array
(
[mp4] => Array
(
[name] =>
[type] =>
[tmp_name] =>
[error] => 4
[size] => 0
)

[swf] => Array
(
[name] => zzzzzzzzMORPH.png
[type] => image/png
[tmp_name] => /tmp/phpQPbG4Q
[error] => 0
[size] => 6391
)
php code =

<form action="upload.php" method="POST" enctype="multipart/form-data" class="upload_form">
<input type="file" accept="MP4" name="mp4" id="mp4" />MP4<br />
<input type="file" name="swf" id="swf" />SWF <br />
<input type="hidden" value="MAX_FILE_SIZE" id="max" />
<input type="submit" value="Upload!" id="Up_button" />
</form>
<?php
if (isset($_FILES['mp4']['name'])||isset($_FILES['swf']['name'])){
$uploaddir = '/uploads/';
$uploadfile = $uploaddir . basename($_FILES['swf']['name']);
$uploadfile2 = $uploaddir . basename($_FILES['mp4']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['swf']['tmp_name'], $uploadfile)||move_uploaded_file($_FILES['mp4']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
}
?>
Any help appreciated.
FYI:
I have not set it to accept any file types, and left all file sizes etc. to default.

_Aerospace_Eng_
07-27-2007, 03:34 AM
First be sure that the uploads folder has the correct write permissions. I believe 777 or 666 should work.

Second, it also looks like you are trying to move to a folder called uploads; however, from the error you don't seem to have a folder called uploads. Are you sure it's not upload that you want instead of uploads?

rafiki
07-27-2007, 03:42 AM
Tried both CHMODs,
didn't work :(
Current Path: www/rafiki.freehostia.com/upload/uploads/
with upload.php in
Current Path: www/rafiki.freehostia.com/upload/

_Aerospace_Eng_
07-27-2007, 03:45 AM
The thing with this is I'm pretty sure it's going back to the root directory past the public_html folder.

move_uploaded_file(/uploads/zzzzzzzzMORPH.png)
Change this

$uploaddir = '/uploads/';
to this

$uploaddir = $_SERVER['DOCUMENT_ROOT'].'/uploads/';

rafiki
07-27-2007, 03:54 AM
I changed to


$uploaddir = $_SERVER['DOCUMENT_ROOT'].'/uploads/';

and it went into upload/ not upload/uploads/ so I changed that to


$uploaddir = $_SERVER['DOCUMENT_ROOT'].'/upload/uploads/';

and that didn't work either, same result as

$uploaddir = $_SERVER['DOCUMENT_ROOT'].'/uploads/';


Here's a picture I tried uploading to the /uploads folder:
http://rafiki.freehostia.com/upload/Me%20n%20baby.jpg
As you can see it's in the /upload folder.
You need to copy the link into your browser's address bar for some strange reason :S

_Aerospace_Eng_
07-27-2007, 05:15 AM
Hmm, I wonder if it's the web host. Seeing as how the tmp folder is outside the root you may not have access to it on Freehostia. You might have to use ini_set() to set up your own tmp folder on the root of the site.

rafiki
07-27-2007, 01:08 PM
OK, I made the dir
/www/rafiki.freehostia.com/upload/temp/
so use ini_set() to set the temp dir for uploads like so?
ini_set('upload_tmp_dir','$_SERVER['DOCUMENT_ROOT']/upload/temp/');

Using that ini_set() line above it still doesn't move the file into /uploads/

_Aerospace_Eng_
07-27-2007, 01:12 PM
No, you need to concatenate the $_SERVER variable to the rest of the path.

rafiki
07-27-2007, 01:13 PM
No, you need to concatenate the $_SERVER variable to the rest of the path.

While testing I got the unexpected $ error and concatenated the $_SERVER var; I edited my post above.

_Aerospace_Eng_
07-27-2007, 01:16 PM
Sighs, you didn't concatenate anything.

ini_set('upload_tmp_dir',$_SERVER['DOCUMENT_ROOT'].'/upload/temp/');

rafiki
07-27-2007, 01:18 PM
I did in my PHP file, should have added that :( Sorry, and thanks for the fast replies.
Current full file code ==


<form action="upload.php" method="POST" enctype="multipart/form-data" class="upload_form">
<input type="file" accept="MP4" name="mp4" id="mp4" />MP4<br />
<input type="file" name="swf" id="swf" />SWF <br />
<input type="hidden" value="MAX_FILE_SIZE" id="max" />
<input type="submit" value="Upload!" id="Up_button" />
</form>
<?php
ini_set('upload_tmp_dir',$_SERVER['DOCUMENT_ROOT'].'/upload/temp/');
if (isset($_FILES['mp4']['name'])||isset($_FILES['swf']['name'])){
$_SERVER['DOCUMENT_ROOT'].'/upload/uploads/';
$uploadfile = $uploaddir . basename($_FILES['swf']['name']);
$uploadfile2 = $uploaddir . basename($_FILES['mp4']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['swf']['tmp_name'], $uploadfile)||move_uploaded_file($_FILES['mp4']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
}
?>

_Aerospace_Eng_
07-27-2007, 01:38 PM
You have no $uploaddir variable. After adding that you shouldn't need ini_set. I just tried your script corrected on my freehostia account and it worked fine.

rafiki
07-27-2007, 01:40 PM
Thanks Aero, I'll try it now, but I guess if yours works mine should too.
Leave rep if it lets me.

_Aerospace_Eng_
07-27-2007, 01:43 PM
I would actually use this for upload.php

<?php
if(isset($_POST['submit']) && $_POST['submit'] == 'Upload!')
{
    if (isset($_FILES['mp4']['name']) || isset($_FILES['swf']['name']))
    {
        $uploaddir = $_SERVER['DOCUMENT_ROOT'].'/upload/uploads/';
        $uploadfile = $uploaddir . basename($_FILES['swf']['name']);
        $uploadfile2 = $uploaddir . basename($_FILES['mp4']['name']);

        echo '<pre>';
        echo (move_uploaded_file($_FILES['swf']['tmp_name'], $uploadfile) || move_uploaded_file($_FILES['mp4']['tmp_name'], $uploadfile2)) ? 'File is valid, and was successfully uploaded.<br>' : 'Possible file upload attack<br>';
        echo 'Here is some more debugging info:';
        print_r($_FILES);

        print "</pre>";
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Untitled Document</title>
</head>
<body>
<form action="/upload/upload.php" method="POST" enctype="multipart/form-data" class="upload_form">
<input type="file" accept="MP4" name="mp4" id="mp4" />
MP4<br />
<input type="file" name="swf" id="swf" />
SWF <br />
<input type="submit" value="Upload!" name="submit" id="submit" />
</form>
</body>
</html>

rafiki
07-27-2007, 01:56 PM
Does it make much if any difference, apart from validating the HTML?
Edit: also the acceptance isn't working in FF; tried no other browser. Or is it the wrong parameter?

_Aerospace_Eng_
07-27-2007, 02:00 PM
You can't tell Firefox where to start. You really shouldn't be able to tell IE where to start either. As to what I posted, yeah, it makes a difference: it makes sure that the file upload only runs if submitted through a form, rather than running each time you run upload.php, so it saves server resources. It's more efficient as well. Notice I don't use an if else statement to tell whether or not the upload is valid.

rafiki
07-27-2007, 02:11 PM
So how do other sites allow only JPG or whatnot files to be chosen whilst looking for a file to upload?
And I see what you mean about the efficiency and server resources.

_Aerospace_Eng_
07-27-2007, 02:24 PM
So how do other sites allow only JPG or whatnot files to be chosen whilst looking for a file to upload?
And I see what you mean about the efficiency and server resources.
What sites have you seen this on?

rafiki
07-27-2007, 02:28 PM
OK, maybe it used to; doesn't seem like I can find one atm :)
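
Added example (not part of the original thread and not either poster's code): a server-side handler for the same two form fields, covering both the upload.php script discussed above and the question about restricting file types. It checks each file's error code, decides the type from the file's content rather than from the form's accept attribute, and stores the file under a server-generated name. The allowlist, size limit and store_upload() helper are assumptions; the field names and the uploads directory beside upload.php follow the thread.

```php
<?php
// Added example, not from the thread. ALLOWED, MAX_BYTES and store_upload()
// are assumptions; the 'mp4'/'swf' fields and uploads/ directory follow the thread.
const ALLOWED = [                    // extension => MIME types finfo may report (assumed list)
    'mp4' => ['video/mp4'],
    'swf' => ['application/x-shockwave-flash', 'application/vnd.adobe.flash.movie'],
];
const MAX_BYTES = 20 * 1024 * 1024;  // assumed limit; php.ini upload_max_filesize also applies

function store_upload(array $file, string $ext, string $destDir): string
{
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        return 'no file selected';   // the "[error] => 4" entry in the debug dump
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload error code ' . $file['error'];
    }
    if ($file['size'] > MAX_BYTES) {
        return 'file too large';
    }
    // Detect the type from the bytes: $file['type'] and $file['name'] are client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return "rejected: content is $mime, not $ext";
    }
    // Server-chosen name and extension: the client's file name never reaches the filesystem.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() only moves files that arrived through this request's upload.
    return move_uploaded_file($file['tmp_name'], $target)
        ? 'stored as ' . basename($target)
        : 'could not write to ' . $destDir;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Absolute path built from this script's location, so the target is never
    // resolved against the filesystem root as '/uploads/' was.
    $dir = __DIR__ . '/uploads';
    foreach (array_keys(ALLOWED) as $field) {   // each field handled on its own, no || short-circuit
        if (isset($_FILES[$field])) {
            $msg = store_upload($_FILES[$field], $field, $dir);
            echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    }
}
```

With this handler the PNG submitted in the swf field earlier in the thread would be rejected by the content check, whatever the browser's file dialog allowed.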


