  1. #1
    Regular Coder

    File Upload Script

    This is my first attempt at a file upload script... As of right now all I'm getting is "The file you attempted to upload is not allowed.". I've been trying to upload a .png and .doc file, and as you can see both of those are in the array.

    When I echo $ext I get nothing returned.
    PHP Code:
    <?php
    // Configuration - Your Options
    $allowed_filetypes = array('.pdf', '.doc', '.docx', '.xlsx', '.xls', '.jpg', '.gif', '.bmp', '.png'); // These will be the types of file that will pass the validation.
    $max_filesize = 5242880; // Maximum filesize in BYTES (currently 5MB).
    $upload_path = '/documents/invest/files/'; // The place the files will be uploaded to (currently a 'files' directory).

    $filename = $_FILES['file_to_upload']['name']; // Get the name of the file (including file extension).
    $ext = strrchr($filename, '.'); // Get everything from the LAST . (dot) onward.

    echo $ext;
    // Check if the filetype is allowed, if not DIE and inform the user.
    if (!in_array($ext, $allowed_filetypes)) {
        die('The file you attempted to upload is not allowed.');
    }

    // Now check the filesize, if it is too large then DIE and inform the user.
    if (filesize($_FILES['file_to_upload']['tmp_name']) > $max_filesize) {
        die('The file you attempted to upload is too large.');
    }

    // Check if we can upload to the specified path, if not DIE and inform the user.
    if (!is_writable($upload_path)) {
        die('You cannot upload to the specified directory, please CHMOD it to 777.');
    }

    // Upload the file to your specified path.
    if (move_uploaded_file($_FILES['file_to_upload']['tmp_name'], $upload_path . $filename)) {
        echo 'Your file upload was successful, view the file <a href="' . $upload_path . $filename . '" title="Your File">here</a>'; // It worked.
    } else {
        echo 'There was an error during the file upload.  Please try again.'; // It failed :(.
    }
    ?>
    Here's the HTML form:

    PHP Code:
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
    <head>
    <title>Area 51 Entertainment Upload Test</title>
    <script type="text/javascript">
    function resetField(name, value) {
        document.forms['upload_form'].elements[name].focus();
        document.forms['upload_form'].elements[name].value = value;
    }
    </script>
    <noscript>
    <style type="text/css">
    .hide{ display: none; }
    </style>
    </noscript>
    </head>
    <body>
    <form action="/upload_process.php" enctype="multi-part/form-data" name="upload_form" method="post">
    <p class="investor_username">
    <label for="file_to_upload">Select a file to Upload</label>: <input id="file_to_upload" name="file_to_upload" multiple="multiple" type="file" />
    </p>
    <p>
    <input name="submit" type="submit" value="Upload" />
    <input class="hide" id="reset" name="reset" onclick="resetField('file_to_upload','');" type="button" value="Reset" />
    </p>
    </form>
    </body>
    </html>

  • #2
    Regular Coder LearningCoder's Avatar
    What you could do is use the pathinfo function:
    PHP Code:
    $file_info = pathinfo($_FILES['fileupload']['name']);
    This returns an associative array of information about the file. Then you can access the extension by storing it in a variable as thus:
    PHP Code:
    $ext = $file_info['extension'];
    My guess though is that your $ext variable is holding everything AFTER the full stop, whereas your array contains extension strings holding the full stop and the extension. So your query will not match up and return false. You could just delete all the dots from the array elements but I believe using my method is more secure as someone could upload a file such as: corruptfile.php.jpg, and when that, they can execute malicious code. I was advised to use pathinfo() from someone on this forum in a previous thread of mine.

    (Hope someone can elaborate better).

    Hope this helps you out.

    Kind regards,

    LC.
    Last edited by LearningCoder; 08-14-2012 at 11:18 PM. Reason: changed wording
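
The extension check discussed in this post, as an added example that is not part of the original thread: it validates one $_FILES entry against an allowlist keyed without the dot (matching what pathinfo() returns), confirms the content type from the file's bytes, and stores the file under a server-generated name so a name like corruptfile.php.jpg never reaches the disk as typed. The function name safe_upload_name, the ALLOWED map (narrowed to four of the thread's types) and the use of PHP 7+ are assumptions.

```php
<?php
// Added example, not code from the thread. Names and the allowlist are illustrative.
const ALLOWED = [            // extension (no dot) => MIME type expected from the bytes
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];
const MAX_BYTES = 5242880;   // 5 MB, the limit used in the thread

function safe_upload_name(array $file): string
{
    // A missing key or any error code other than UPLOAD_ERR_OK means no usable file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent.');
    }
    // tmp_name must be a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // basename() drops any client-supplied directory part. pathinfo() returns
    // only the text after the LAST dot, without the dot itself.
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed.');
    }
    // Trust the bytes, not the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension.');
    }
    // Server-generated name: "corruptfile.php.jpg" is stored as "<random>.jpg",
    // so no client-chosen ".php" segment ends up in the stored filename.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage inside the upload handler ($upload_path as defined in the thread):
// $stored = safe_upload_name($_FILES['file_to_upload']);
// move_uploaded_file($_FILES['file_to_upload']['tmp_name'], $upload_path . $stored);
```

Because the stored name is generated on the server, the original filename is also never echoed back into the page's HTML.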

  • #3
    God Emperor Fou-Lu's Avatar
    This enctype is incorrect: enctype="multi-part/form-data", it should be enctype="multipart/form-data".
    Make sure you enable your error reporting while authoring:
    PHP Code:
    ini_set('display_errors', 1);
    error_reporting(E_ALL); 
    as it should inform you that there is no offset $_FILES['file_to_upload'].

    Edit:
    BTW, this above is what I had in mind too. Originally I had put to replace echo $ext; with var_dump($ext);, but then I noticed that hyphen in the enctype that didn't belong.

  • Users who have thanked Fou-Lu for this post:

    HDRebel88 (08-14-2012)

  • #4
    Regular Coder
    Quote Originally Posted by LearningCoder View Post
    What you could do is use the pathinfo function:
    PHP Code:
    $file_info = pathinfo($_FILES['fileupload']['name']);
    This returns an associative array of information about the file. Then you can access the extension by storing it in a variable as thus:
    PHP Code:
    $ext = $file_info['extension'];
    My guess though is that your $ext variable is holding everything AFTER the full stop, whereas your array contains extension strings holding the full stop and the extension. So your query will not match up and return false. You could just delete all the dots from the array elements but I believe using my method is more secure as someone could upload a file such as: corruptfile.php.jpg, and when that, they can execute malicious code. I was advised to use pathinfo() from someone on this forum in a previous thread of mine.

    (Hope someone can elaborate better).

    Hope this helps you out.

    Kind regards,

    LC.
    No luck:

    PHP Code:
    <?php
    // Configuration - Your Options
    $allowed_filetypes = array('.pdf', '.doc', '.docx', '.xlsx', '.xls', '.jpg', '.gif', '.bmp', '.png'); // These will be the types of file that will pass the validation.
    $max_filesize = 5242880; // Maximum filesize in BYTES (currently 5MB).
    $upload_path = '/documents/invest/files/'; // The place the files will be uploaded to (currently a 'files' directory).

    $file_info = pathinfo($_FILES['file_to_upload']['name']);
    $ext = '.' . $file_info['extension']; // pathinfo() returns the extension without the dot; the allowed list includes it.

    echo $ext;
    // Check if the filetype is allowed, if not DIE and inform the user.
    if (!in_array($ext, $allowed_filetypes)) {
        die('The file you attempted to upload is not allowed.');
    }

    // Now check the filesize, if it is too large then DIE and inform the user.
    if (filesize($_FILES['file_to_upload']['tmp_name']) > $max_filesize) {
        die('The file you attempted to upload is too large.');
    }

    // Check if we can upload to the specified path, if not DIE and inform the user.
    if (!is_writable($upload_path)) {
        die('You cannot upload to the specified directory, please CHMOD it to 777.');
    }

    // Upload the file to your specified path.
    // $file_info is an array, so the file name is taken from its 'basename' entry.
    if (move_uploaded_file($_FILES['file_to_upload']['tmp_name'], $upload_path . $file_info['basename'])) {
        echo 'Your file upload was successful, view the file <a href="' . $upload_path . $file_info['basename'] . '" title="Your File">here</a>'; // It worked.
    } else {
        echo 'There was an error during the file upload.  Please try again.'; // It failed :(.
    }
    ?>
    Same result.

  • #5
    Regular Coder
    Quote Originally Posted by Fou-Lu View Post
    This enctype is incorrect: enctype="multi-part/form-data", it should be enctype="multipart/form-data".
    Make sure you enable your error reporting while authoring:
    PHP Code:
    ini_set('display_errors', 1);
    error_reporting(E_ALL); 
    as it should inform you that there is no offset $_FILES['file_to_upload'].

    Edit:
    BTW, this above is what I had in mind too. Originally I had put to replace echo $ext; with var_dump($ext);, but then I noticed that hyphen in the enctype that didn't belong.
    This was the issue; now I'm getting the CHMOD 777 flag, which is an easy fix.
    Last edited by HDRebel88; 08-14-2012 at 11:37 PM.

  • #6
    Regular Coder LearningCoder's Avatar
    Quote Originally Posted by HDRebel88 View Post
    No luck:
    Same result.
    Change the name of your file field in your HTML form to file_to_upload or vice versa. Should work...
    Last edited by LearningCoder; 08-14-2012 at 11:28 PM. Reason: Took big block of code out of quote

  • #7
    God Emperor Fou-Lu's Avatar
    Yeppers, just chmod it or force PHP to create it instead.

  • #8
    Regular Coder
    Changed the permission settings, but still getting the CHMOD 777. The directory is password protected, is that the issue? I really need it to be only accessible with a password.


    Or maybe the path info needs to be the absolute path?

    The script is running in a directory that's 3 steps up from where I want the files stored.

    EDIT: It wanted the absolute path:

    PHP Code:
    $path = dirname(__FILE__);
    $upload_path = $path . '/documents/invest/files/';
    Last edited by HDRebel88; 08-14-2012 at 11:45 PM.

  • #9
    God Emperor Fou-Lu's Avatar
    Nope, that will have no effect. Passworded directories are done so at the level of .htaccess, which will have no bearing on accessing directly as a filesystem.

    This filepath is no good: /documents/invest/files/. This is an absolute filepath, but it's 100% guaranteed that documents does not exist off of root /. What that likely should be is the root path of your http documents home.
    I myself would attach to it by translating the path off of a relative one to this script file. $_SERVER['DOCUMENT_ROOT'] may exist, and can be used to hinge off of /documents, but $_SERVER['DOCUMENT_ROOT'] will only ever exist in an http environment (and also not theoretically guaranteed to exist; I've never seen it not populated by the host machine at least in apache).

    So the problem is definitely the path.
    This is closer to what I would do:
    PHP Code:
    $path = dirname(__FILE__);
    $upload_path = $path . '/documents/invest/files/';
    But that means that in a subdirectory under this script is /documents, but this doesn't really jive with what I believe your intended path is in the first block of code.
    So where is this script relative to the one under documents/invest/files?

  • #10
    Regular Coder
    Quote Originally Posted by Fou-Lu View Post
    Nope, that will have no effect. Passworded directories are done so at the level of .htaccess, which will have no bearing on accessing directly as a filesystem.

    This filepath is no good: /documents/invest/files/. This is an absolute filepath, but it's 100% guaranteed that documents does not exist off of root /. What that likely should be is the root path of your http documents home.
    I myself would attach to it by translating the path off of a relative one to this script file. $_SERVER['DOCUMENT_ROOT'] may exist, and can be used to hinge off of /documents, but $_SERVER['DOCUMENT_ROOT'] will only ever exist in an http environment (and also not theoretically guaranteed to exist; I've never seen it not populated by the host machine at least in apache).

    So the problem is definitely the path.
    This is closer to what I would do:
    PHP Code:
    $path = dirname(__FILE__);
    $upload_path = $path . '/documents/invest/files/';
    But that means that in a subdirectory under this script is /documents, but this doesn't really jive with what I believe your intended path is in the first block of code.
    So where is this script relative to the one under documents/invest/files?

    Right now the path to the script is: root/area51entertainment/upload.php

    upload_process.php is at: root/area51entertainment/upload_process.php

    Eventually the upload script will be integrated with index.php at the path of: root/area51entertainment/index.php

    The path to the files folder is: root/area51entertainment/documents/invest/files

    /area51entertainment is a sub-folder off my main site


    I'm on 1AND1 so I don't know the actual folder structure above the root of my primary domain name.

  • #11
    God Emperor Fou-Lu's Avatar
    That's fine, but using the code you have to resolve relative should work (or you can simply combine them into $upload_path = __DIR__ . '/documents/invest/files';).

    You may want to verify the existence of that directory first:
    PHP Code:
    printf('Check to see if the path %s is valid', realpath($upload_path));
    if (file_exists($upload_path) && is_dir($upload_path))
    {
        printf('%s is a valid directory with permissions: %o', $upload_path, fileperms($upload_path));
    }

    What's that give you?

