File Upload Script



HDRebel88
08-14-2012, 11:58 PM
This is my first attempt at a file upload script... As of right now all I'm getting is "The file you attempted to upload is not allowed.". I've been trying to upload a .png and .doc file, and as you can see both of those are in the array.

When I echo $ext I get nothing returned.


<?php
// Configuration - Your Options
$allowed_filetypes = array('.pdf', '.doc', '.docx', '.xlsx', '.xls', '.jpg', '.gif', '.bmp', '.png'); // These will be the types of file that will pass the validation.
$max_filesize = 5242880; // Maximum filesize in BYTES (currently 5MB).
$upload_path = '/documents/invest/files/'; // The place the files will be uploaded to (currently a 'files' directory).

$filename = $_FILES['file_to_upload']['name']; // Get the name of the file (including file extension).
$ext = strrchr($filename, '.'); // Get everything from the LAST . (dot) onward, dot included.

echo $ext;
// Check if the filetype is allowed, if not DIE and inform the user.
if (!in_array($ext, $allowed_filetypes)) {
    die('The file you attempted to upload is not allowed.');
}

// Now check the filesize, if it is too large then DIE and inform the user.
if (filesize($_FILES['file_to_upload']['tmp_name']) > $max_filesize) {
    die('The file you attempted to upload is too large.');
}

// Check if we can upload to the specified path, if not DIE and inform the user.
if (!is_writable($upload_path)) {
    die('You cannot upload to the specified directory, please CHMOD it to 777.');
}
// Upload the file to your specified path.
if (move_uploaded_file($_FILES['file_to_upload']['tmp_name'], $upload_path . $filename)) {
    echo 'Your file upload was successful, view the file <a href="' . $upload_path . $filename . '" title="Your File">here</a>'; // It worked.
} else {
    echo 'There was an error during the file upload. Please try again.'; // It failed :(.
}
?>


Here's the HTML form:



<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
    <title>Area 51 Entertainment - Upload Test</title>
    <script type="text/javascript">
        function resetField(name, value) {
            document.forms['upload_form'].elements[name].focus();
            document.forms['upload_form'].elements[name].value = value;
        }
    </script>
    <noscript>
        <style type="text/css">
            .hide { display: none; }
        </style>
    </noscript>
</head>
<body>
    <form action="/upload_process.php" enctype="multi-part/form-data" name="upload_form" method="post">
        <p class="investor_username">
            <label for="file_to_upload">Select a file to Upload</label>: <input id="file_to_upload" name="file_to_upload" multiple="multiple" type="file" />
        </p>
        <p>
            <input name="submit" type="submit" value="Upload" />
            <input class="hide" id="reset" name="reset" onclick="resetField('file_to_upload','');" type="button" value="Reset" />
        </p>
    </form>
</body>
</html>

LearningCoder
08-15-2012, 12:13 AM
What you could do is use the pathinfo function:


$file_info = pathinfo($_FILES['fileupload']['name']);


This returns an associative array of information about the file. Then you can access the extension by storing it in a variable as thus:


$ext = $file_info['extension'];


My guess though is that your $ext variable is holding everything AFTER the fullstop, whereas your array contains extension strings holding the fullstop and the extension. So your query will not match up and return false. You could just delete all the dots from the array elements but I believe using my method is more secure as someone could upload a file such as corruptfile.php.jpg, and with that, they can execute malicious code. I was advised to use pathinfo() by someone on this forum in a previous thread of mine.

(Hope someone can elaborate better).

Hope this helps you out.

Kind regards,

LC.
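
Added example (not code from any poster in this thread): strrchr() and pathinfo() both return only the final extension, so a name like corruptfile.php.jpg passes either check. The function below instead rejects multi-dot names, confirms the content type with finfo, and stores the file under a server-generated name. The names ALLOWED and safe_stored_name(), and the four-type allowlist, are assumptions; rejecting every multi-dot name is a deliberately strict policy choice.

```php
<?php
// Added example. ALLOWED and safe_stored_name() are hypothetical names.
// Extension (lower case, no dot) => MIME types finfo should report for it.
const ALLOWED = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'pdf' => ['application/pdf'],
];

// Returns a server-generated file name, or null when the upload is rejected.
// $clientName is untrusted ($_FILES[...]['name']); $tmpPath is the temp file.
function safe_stored_name(string $clientName, string $tmpPath): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null; // no extension, dotfile, or more than one extension
    }
    $ext = $parts[1];
    if (!isset(ALLOWED[$ext])) {
        return null; // extension is not on the allowlist
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return null; // content does not match the claimed type
    }
    return bin2hex(random_bytes(16)) . '.' . $ext; // client name is never reused
}

// Constructed sample files so the example runs offline from the CLI.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
    . pack('NNC5', 1, 1, 8, 2, 0, 0, 0));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'hi'; ?>");

// strrchr() and pathinfo() both key off the last dot only, so neither one
// notices the inner ".php" in a name like corruptfile.php.jpg.
var_dump(strrchr('corruptfile.php.jpg', '.'));
var_dump(pathinfo('corruptfile.php.jpg', PATHINFO_EXTENSION));

var_dump(safe_stored_name('photo.png', $png));              // real PNG header
var_dump(safe_stored_name('corruptfile.php.jpg', $script)); // double extension
var_dump(safe_stored_name('shell.png', $script));           // PHP text named .png
unlink($png);
unlink($script);
```

In the upload handler, call it with $_FILES['file_to_upload']['name'] and ['tmp_name'] after checking that ['error'] is UPLOAD_ERR_OK, then pass the returned name to move_uploaded_file(). A valid image can still carry embedded PHP, so keep the upload directory outside the document root or with script execution disabled.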

Fou-Lu
08-15-2012, 12:16 AM
This enctype is incorrect: enctype="multi-part/form-data", it should be enctype="multipart/form-data".
Make sure you enable your error reporting while authoring:


ini_set('display_errors', 1);
error_reporting(E_ALL);

as it should inform you that there is no offset $_FILES['file_to_upload'].


BTW, this above is what I had in mind too. Originally I had put to replace echo $ext; with var_dump($ext);, but then I noticed that hyphen in the enctype that didn't belong.

HDRebel88
08-15-2012, 12:21 AM
> What you could do is use the pathinfo function:
>
> $file_info = pathinfo($_FILES['fileupload']['name']);
>
> This returns an associative array of information about the file. Then you can access the extension by storing it in a variable as thus:
>
> $ext = $file_info['extension'];
>
> My guess though is that your $ext variable is holding everything AFTER the fullstop, whereas your array contains extension strings holding the fullstop and the extension. So your query will not match up and return false. You could just delete all the dots from the array elements but I believe using my method is more secure as someone could upload a file such as corruptfile.php.jpg, and with that, they can execute malicious code. I was advised to use pathinfo() by someone on this forum in a previous thread of mine.
>
> (Hope someone can elaborate better).
>
> Hope this helps you out.
>
> Kind regards,
>
> LC.

No luck:



<?php
// Configuration - Your Options
$allowed_filetypes = array('.pdf', '.doc', '.docx', '.xlsx', '.xls', '.jpg', '.gif', '.bmp', '.png'); // These will be the types of file that will pass the validation.
$max_filesize = 5242880; // Maximum filesize in BYTES (currently 5MB).
$upload_path = '/documents/invest/files/'; // The place the files will be uploaded to (currently a 'files' directory).

$file_info = pathinfo($_FILES['file_to_upload']['name']);
// pathinfo() returns the extension without the dot; add it back so it matches $allowed_filetypes.
$ext = isset($file_info['extension']) ? '.' . $file_info['extension'] : '';

echo $ext;
// Check if the filetype is allowed, if not DIE and inform the user.
if (!in_array($ext, $allowed_filetypes)) {
    die('The file you attempted to upload is not allowed.');
}

// Now check the filesize, if it is too large then DIE and inform the user.
if (filesize($_FILES['file_to_upload']['tmp_name']) > $max_filesize) {
    die('The file you attempted to upload is too large.');
}

// Check if we can upload to the specified path, if not DIE and inform the user.
if (!is_writable($upload_path)) {
    die('You cannot upload to the specified directory, please CHMOD it to 777.');
}
// Upload the file to your specified path.
// $file_info is an array, so use its 'basename' element as the file name.
if (move_uploaded_file($_FILES['file_to_upload']['tmp_name'], $upload_path . $file_info['basename'])) {
    echo 'Your file upload was successful, view the file <a href="' . $upload_path . $file_info['basename'] . '" title="Your File">here</a>'; // It worked.
} else {
    echo 'There was an error during the file upload. Please try again.'; // It failed :(.
}
?>


Same result.

HDRebel88
08-15-2012, 12:24 AM
> This enctype is incorrect: enctype="multi-part/form-data", it should be enctype="multipart/form-data".
> Make sure you enable your error reporting while authoring:
>
> ini_set('display_errors', 1);
> error_reporting(E_ALL);
>
> as it should inform you that there is no offset $_FILES['file_to_upload'].
>
> BTW, this above is what I had in mind too. Originally I had put to replace echo $ext; with var_dump($ext);, but then I noticed that hyphen in the enctype that didn't belong.


This was the issue; now I'm getting the CHMOD 777 flag, which is an easy fix.

LearningCoder
08-15-2012, 12:27 AM
> No luck:
> Same result.

Change the name of your file field in your HTML form to file_to_upload or vice versa. Should work...

Fou-Lu
08-15-2012, 12:27 AM
Yeppers, just chmod it or force PHP to create it instead.

HDRebel88
08-15-2012, 12:38 AM
Changed the permission settings, but still getting the CHMOD 777. The directory is password protected, is that the issue? I really need it to be only accessible with a password.


Or maybe the path info needs to be the absolute path?

The script is running in a directory that's 3 steps up from where I want the files stored.

EDIT: It wanted the absolute path:



$path=dirname(__FILE__);
$upload_path = $path.'/documents/invest/files/';

Fou-Lu
08-15-2012, 01:11 AM
Nope, that will have no effect. Passworded directories are done so at the level of .htaccess, which will have no bearing on accessing directly as a filesystem.

This filepath is no good: /documents/invest/files/. This is an absolute filepath, but it's 100% guaranteed that documents does not exist off of root /. What that likely should be is the root path of your http documents home.
I myself would attach to it by translating the path off of a relative one to this script file. $_SERVER['DOCUMENT_ROOT'] may exist, and can be used to hinge off of /documents, but $_SERVER['DOCUMENT_ROOT'] will only ever exist in an http environment (and also not theoretically guaranteed to exist; I've never seen it not populated by the host machine at least in apache).

So the problem is definitely the path.
This is closer to what I would do:


$path=dirname(__FILE__);
$upload_path = $path.'/documents/invest/files/';

But that means that in a subdirectory under this script is /documents, but this doesn't really jive with what I believe your intended path is in the first block of code.
So where is this script relative to the one under documents/invest/files?

HDRebel88
08-15-2012, 02:23 AM
> Nope, that will have no effect. Passworded directories are done so at the level of .htaccess, which will have no bearing on accessing directly as a filesystem.
>
> This filepath is no good: /documents/invest/files/. This is an absolute filepath, but it's 100% guaranteed that documents does not exist off of root /. What that likely should be is the root path of your http documents home.
> I myself would attach to it by translating the path off of a relative one to this script file. $_SERVER['DOCUMENT_ROOT'] may exist, and can be used to hinge off of /documents, but $_SERVER['DOCUMENT_ROOT'] will only ever exist in an http environment (and also not theoretically guaranteed to exist; I've never seen it not populated by the host machine at least in apache).
>
> So the problem is definitely the path.
> This is closer to what I would do:
>
> $path=dirname(__FILE__);
> $upload_path = $path.'/documents/invest/files/';
>
> But that means that in a subdirectory under this script is /documents, but this doesn't really jive with what I believe your intended path is in the first block of code.
> So where is this script relative to the one under documents/invest/files?


Right now the path to the script is: root/area51entertainment/upload.php

upload_process.php is at: root/area51entertainment/upload_process.php

Eventually the upload script will be integrated with index.php at the path of: root/area51entertainment/index.php

The path to the files folder is: root/area51entertainment/documents/invest/files

/area51entertainment is a sub-folder off my main site


I'm on 1AND1 so I don't know the actual folder structure above the root of my primary domain name.

Fou-Lu
08-15-2012, 04:05 PM
That's fine, but using the code you have to resolve relative should work (or you can simply combine them into $upload_path = __DIR__ . '/documents/invest/files';).

You may want to verify the existence of that directory first:


printf('Check to see if the path %s is valid', realpath($upload_path));
if (file_exists($upload_path) && is_dir($upload_path))
{
    printf('%s is a valid directory with permissions: %o', $upload_path, fileperms($upload_path));
}

What's that give you?


