View Full Version : Wondering if I am using a dodgy snippit?

09-19-2011, 04:16 PM
I found code snippet off the net:

I have stripped everything I didn't need and tried to tailor it to my needs:

$uploaddir = "/var/www/https/test.com/products/'".$_POST['fordir']."/'".$_POST['category']."/'".$_POST['id']."'";
$uploadfile = $uploaddir . basename($_FILES['front']['name']);

I have only been using PHP for a month now, but it seems this code is very very wrong.
To me, all it's doing is declaring foo equals bar!
Where's the actual function in it?

09-19-2011, 05:04 PM
It's not 'wrong', but it sure is insecure.
What function are you talking about? This just creates two strings for a path to upload to. It doesn't do anything beyond that.

09-19-2011, 05:08 PM
A function to actually upload the file.
Maybe I'm not sure what I want as I've never done this before. Basically, I want to create an upload form.

This is what I have so far:

HTML (index.html):

<FORM action="confirmation.html" enctype="multipart/form-data" method="post">
Product ID: <INPUT name="id" type="text">
For dir: <SELECT name="fordir"><OPTION>men</OPTION><OPTION>women</OPTION></SELECT>
Category dir: <SELECT name="category"><OPTION>belts</OPTION><OPTION>cufflinks</OPTION></SELECT>
Image: <INPUT name="front" type="file">
<INPUT type="submit" value="Submit">
</FORM>

PHP (confirmation.html):

$uploaddir = "/var/www/https/test.com/products/'".$_POST['fordir']."/'".$_POST['category']."/'".$_POST['id']."'";
$uploadfile = $uploaddir . basename($_FILES['front']['name']);

09-19-2011, 05:33 PM
Yes, but it doesn't actually do anything. There is no copy, rename or move_uploaded_file (which is the best one to use). But you can't use this anyway, there isn't enough verification taking place that stops me from moving around those directories. Heaven forbid if you have a / file permission of 777 O.o
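
A minimal handler for the form above that also does the checks this reply asks for, as an added example (it is not the thread's code or anything from the PHP manual). It assumes the form posts to this script, the products path from the thread, and the exact value lists the two <SELECT> elements in index.html offer:

```php
<?php
// Added example handler for the index.html form above (assumed to post here).
declare(strict_types=1);

const BASE_DIR         = '/var/www/https/test.com/products'; // path from the thread
const ALLOWED_FORDIR   = ['men', 'women'];                  // values of <SELECT name="fordir">
const ALLOWED_CATEGORY = ['belts', 'cufflinks'];            // values of <SELECT name="category">
const ALLOWED_EXT      = ['jpg', 'jpeg', 'png', 'gif'];     // assumed image types
const ALLOWED_MIME     = ['image/jpeg', 'image/png', 'image/gif'];

function fail(string $msg): void { http_response_code(400); exit($msg); }

// 1. Only accept the exact values the <select> elements offer. Anything else,
//    such as "../", is rejected instead of being pasted into a filesystem path.
$fordir   = $_POST['fordir']   ?? '';
$category = $_POST['category'] ?? '';
$id       = $_POST['id']       ?? '';
if (!in_array($fordir, ALLOWED_FORDIR, true))      fail('bad fordir');
if (!in_array($category, ALLOWED_CATEGORY, true))  fail('bad category');
if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $id)) fail('bad product id');

// 2. Make sure the upload itself succeeded before touching the temp file.
$up = $_FILES['front'] ?? null;
if ($up === null || $up['error'] !== UPLOAD_ERR_OK) fail('upload failed');
if (!is_uploaded_file($up['tmp_name']))             fail('not an uploaded file');

// 3. Never trust the client-supplied filename; check the extension and the
//    real content type, then pick our own name for the stored file.
$ext = strtolower(pathinfo($up['name'], PATHINFO_EXTENSION));
if (!in_array($ext, ALLOWED_EXT, true)) fail('bad extension');
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($up['tmp_name']);
if (!in_array($mime, ALLOWED_MIME, true)) fail('not an image');

// 4. Build the target directory from validated parts only, create it with
//    restrictive permissions, and move the file with move_uploaded_file().
$dir = BASE_DIR . '/' . $fordir . '/' . $category . '/' . $id;
if (!is_dir($dir) && !mkdir($dir, 0750, true)) fail('cannot create directory');
$dest = $dir . '/front.' . $ext;
if (!move_uploaded_file($up['tmp_name'], $dest)) fail('move failed');

echo 'Uploaded to ' . htmlspecialchars($dest, ENT_QUOTES, 'UTF-8');
```

The web server user needs write access to BASE_DIR for mkdir() and move_uploaded_file() to succeed; nothing here requires 777 on /.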

09-19-2011, 05:45 PM
I couldn't care less for security right now. I just want things to work.
This script won't be public anyway. It's an administrator script that only I will have access to via HTTPS .htaccess.

Design page 1 > security page 1 > design page 2 breaks my work flow. I design my entire site, then implement security after.

I've learnt basic PHP/MySQL over the past month specifically for this site. I've heard of SQL injections and form input stripping and all that, but haven't looked into them yet - but I have a fair idea I know what their concepts are. I will study related security when the time comes.

Work flow is the most important thing to me. There are so many psychological reasons for me to choose this philosophy, but I won't reason them because it will spark forum preachers that will trash my thread. I just want to understand how upload works and how it's implemented at the most basic level.
I've checked out every result on the 1st and 2nd page on Google for "basic PHP upload", but all I found were snippets that are pathetically documented. People bloody comment EVERYTHING! It's so fricken annoying, and people implement sh][t in their "basic scripts" that is not essential for the function to work. It's so frustrating.

I am not a forum lecher either. I ALWAYS check out official documentation first, but I found PHP's official documentation to suck hard on this account:
Fkn hell, whoever wrote that has spent his whole life on SourceForge and doesn't know how to speak like a normal person. The basic explanation of the upload function is broken down into syntaxes without any example of how they're used.. but then he goes on and writes up a beautiful example on an advanced use of the function in example #3 with the same style I did with my code in post #4. WTF is with this documentation explanation inconsistency?!!!!... so, as usual, I have to jump on a forum and ask someone because computer scientists lack the communication skills and discipline to write a simple ****in manual for their languages.

09-19-2011, 07:50 PM
That was quite uncalled for.
I don't see anything wrong with the POST method uploads page. I think everything in there is well documented and explains quite well what everything is. It's not up to a language developer to tell you how to use it, it's only up to them to tell us what it is, what its signatures are, and what each offset represents in the case of an object or array. It's up to the developer to actually make use of it.
This page will not contain information about signatures for methods like move_uploaded_file. There are API pages for that.

All in all, I still don't have a clue what your question is.

09-20-2011, 02:14 AM
In the post you linked to, it had everything you needed for a simple unsecure file upload, but because you didn't understand the PHP manual you took out the most important parts, one of which was already told to you, e.g. move_uploaded_file.