File upload from a form / upload_tmp_dir query

Hi Everyone

This is my first day with PHP and, not surprisingly, I've run into a problem :-)

I want to allow file uploads to the server without exposing the
non-technical end-users to FTP settings, file naming protocols, etc. I've
found the following from http://www.zend.com/manual/features.file-upload.php ...

HTML FILE (uploadtest.htm l)

<form enctype="multip art/form-data" action="uploadt est.asp" method="POST">
Send this file: <input name="userfile" type="file">
<input type="submit" value="Send File">
</form>

PHP FILE (uploadtest.php )

<?php
// In PHP earlier then 4.1.0, $HTTP_POST_FILE S should be used instead of
// $_FILES. In PHP earlier then 4.0.3, use copy() and is_uploaded_fil e()
// instead of move_uploaded_f ile

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir. $_FILES['userfile']['name'];

print "<pre>";
if (move_uploaded_ file($_FILES['userfile']['tmp_name'], $uploadfile)) {
print "File is valid, and was successfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES );
} else {
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES );
}
print "</pre>";
?>

END OF CODE

I select a file to upload and the delay in submitting the form suggests that the file has been sent. But I always get the "possible file upload attack" result. The file info shows the correct filename and type but the filesize is always '0' and the 'tmp_name' is always 'none'.

Assuming this was the problem I did some digging using phpinfo(). The
version is 4.1.2 so I seem to be using the right commands as per the
instructions with the code. But the 'upload_tmp_dir ' variable is NOT SET
which I think might be the problem.

So, with apologies for taking so long to get here, I have two queries...

1) Is there anything wrong with the code I'm using?
2) Where do uploaded files go if 'upload_tmp_dir ' is not set and how can I
bypass this without access to the server (shared hosting)?

Any help would be appreciated.

Many thanks

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.u k.

Sorry the form action should be uploadtest.php not uploadtest.asp (still
getting the bad M$ habits out of my head!!).

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.u k.
"Tim218" <se***********@ for.email.addre ss.invalid> wrote in message
news:bj******** **@hercules.bti nternet.com...

Hi Everyone

This is my first day with PHP and, not surprisingly, I've run into a

problem

:-)

I want to allow file uploads to the server without exposing the
non-technical end-users to FTP settings, file naming protocols, etc. I've found the following from

http://www.zend.com/manual/features.file-upload.php

...

HTML FILE (uploadtest.htm l)

<form enctype="multip art/form-data" action="uploadt est.asp" method="POST"> Send this file: <input name="userfile" type="file">
<input type="submit" value="Send File">
</form>

PHP FILE (uploadtest.php )

<?php
// In PHP earlier then 4.1.0, $HTTP_POST_FILE S should be used instead of
// $_FILES. In PHP earlier then 4.0.3, use copy() and is_uploaded_fil e() // instead of move_uploaded_f ile

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir. $_FILES['userfile']['name'];

print "<pre>";
if (move_uploaded_ file($_FILES['userfile']['tmp_name'], $uploadfile)) {
print "File is valid, and was successfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES );
} else {
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES );
}
print "</pre>";
?>

END OF CODE

I select a file to upload and the delay in submitting the form suggests

that

the file has been sent. But I always get the "possible file upload

attack"

result. The file info shows the correct filename and type but the

filesize

is always '0' and the 'tmp_name' is always 'none'.

Assuming this was the problem I did some digging using phpinfo(). The
version is 4.1.2 so I seem to be using the right commands as per the
instructions with the code. But the 'upload_tmp_dir ' variable is NOT SET which I think might be the problem.

So, with apologies for taking so long to get here, I have two queries...

1) Is there anything wrong with the code I'm using?
2) Where do uploaded files go if 'upload_tmp_dir ' is not set and how can I bypass this without access to the server (shared hosting)?

Any help would be appreciated.

Many thanks

Tim.

--
My real e-mail address is tim218 before the at followed by

supermail.org.u k.

Hi Everyone
Hi Tim,
I've now solved the problem.
Would you be so kind as to let us in on the details of your solution?
Many thanks

Also sprach Tim218:

Hi Everyone

Hi Tim,

I've now solved the problem.

Would you be so kind as to let us in on the details of your solution?

Many thanks

You're welcome. :-)