By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
437,751 Members | 1,216 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 437,751 IT Pros & Developers. It's quick & easy.

File upload from a form / upload_tmp_dir query

P: n/a
Hi Everyone

This is my first day with PHP and, not surprisingly, I've run into a problem
:-)

I want to allow file uploads to the server without exposing the
non-technical end-users to FTP settings, file naming protocols, etc. I've
found the following from http://www.zend.com/manual/features.file-upload.php
....

HTML FILE (uploadtest.html)

<form enctype="multipart/form-data" action="uploadtest.asp" method="POST">
Send this file: <input name="userfile" type="file">
<input type="submit" value="Send File">
</form>

PHP FILE (uploadtest.php)

<?php
// In PHP earlier then 4.1.0, $HTTP_POST_FILES should be used instead of
// $_FILES. In PHP earlier then 4.0.3, use copy() and is_uploaded_file()
// instead of move_uploaded_file

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir. $_FILES['userfile']['name'];

print "<pre>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
print "File is valid, and was successfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES);
} else {
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES);
}
print "</pre>";
?>

END OF CODE

I select a file to upload and the delay in submitting the form suggests that
the file has been sent. But I always get the "possible file upload attack"
result. The file info shows the correct filename and type but the filesize
is always '0' and the 'tmp_name' is always 'none'.

Assuming this was the problem I did some digging using phpinfo(). The
version is 4.1.2 so I seem to be using the right commands as per the
instructions with the code. But the 'upload_tmp_dir' variable is NOT SET
which I think might be the problem.

So, with apologies for taking so long to get here, I have two queries...

1) Is there anything wrong with the code I'm using?
2) Where do uploaded files go if 'upload_tmp_dir' is not set and how can I
bypass this without access to the server (shared hosting)?

Any help would be appreciated.

Many thanks

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.uk.
Jul 16 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Sorry the form action should be uploadtest.php not uploadtest.asp (still
getting the bad M$ habits out of my head!!).

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.uk.

"Tim218" <se***********@for.email.address.invalid> wrote in message
news:bj**********@hercules.btinternet.com...
Hi Everyone

This is my first day with PHP and, not surprisingly, I've run into a problem :-)

I want to allow file uploads to the server without exposing the
non-technical end-users to FTP settings, file naming protocols, etc. I've
found the following from http://www.zend.com/manual/features.file-upload.php ...

HTML FILE (uploadtest.html)

<form enctype="multipart/form-data" action="uploadtest.asp" method="POST">
Send this file: <input name="userfile" type="file">
<input type="submit" value="Send File">
</form>

PHP FILE (uploadtest.php)

<?php
// In PHP earlier then 4.1.0, $HTTP_POST_FILES should be used instead of
// $_FILES. In PHP earlier then 4.0.3, use copy() and is_uploaded_file()
// instead of move_uploaded_file

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir. $_FILES['userfile']['name'];

print "<pre>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
print "File is valid, and was successfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES);
} else {
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES);
}
print "</pre>";
?>

END OF CODE

I select a file to upload and the delay in submitting the form suggests that the file has been sent. But I always get the "possible file upload attack" result. The file info shows the correct filename and type but the filesize is always '0' and the 'tmp_name' is always 'none'.

Assuming this was the problem I did some digging using phpinfo(). The
version is 4.1.2 so I seem to be using the right commands as per the
instructions with the code. But the 'upload_tmp_dir' variable is NOT SET
which I think might be the problem.

So, with apologies for taking so long to get here, I have two queries...

1) Is there anything wrong with the code I'm using?
2) Where do uploaded files go if 'upload_tmp_dir' is not set and how can I
bypass this without access to the server (shared hosting)?

Any help would be appreciated.

Many thanks

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.uk.

Jul 16 '05 #2

P: n/a
Hi Everyone

I've now solved the problem.

Many thanks

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.uk.

"Tim218" <se***********@for.email.address.invalid> wrote in message
news:bj**********@hercules.btinternet.com...
Sorry the form action should be uploadtest.php not uploadtest.asp (still
getting the bad M$ habits out of my head!!).

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.uk.
"Tim218" <se***********@for.email.address.invalid> wrote in message
news:bj**********@hercules.btinternet.com...
Hi Everyone

This is my first day with PHP and, not surprisingly, I've run into a

problem
:-)

I want to allow file uploads to the server without exposing the
non-technical end-users to FTP settings, file naming protocols, etc. I've found the following from

http://www.zend.com/manual/features.file-upload.php
...

HTML FILE (uploadtest.html)

<form enctype="multipart/form-data" action="uploadtest.asp" method="POST"> Send this file: <input name="userfile" type="file">
<input type="submit" value="Send File">
</form>

PHP FILE (uploadtest.php)

<?php
// In PHP earlier then 4.1.0, $HTTP_POST_FILES should be used instead of
// $_FILES. In PHP earlier then 4.0.3, use copy() and is_uploaded_file() // instead of move_uploaded_file

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir. $_FILES['userfile']['name'];

print "<pre>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
print "File is valid, and was successfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES);
} else {
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES);
}
print "</pre>";
?>

END OF CODE

I select a file to upload and the delay in submitting the form suggests

that
the file has been sent. But I always get the "possible file upload

attack"
result. The file info shows the correct filename and type but the

filesize
is always '0' and the 'tmp_name' is always 'none'.

Assuming this was the problem I did some digging using phpinfo(). The
version is 4.1.2 so I seem to be using the right commands as per the
instructions with the code. But the 'upload_tmp_dir' variable is NOT SET which I think might be the problem.

So, with apologies for taking so long to get here, I have two queries...

1) Is there anything wrong with the code I'm using?
2) Where do uploaded files go if 'upload_tmp_dir' is not set and how can I bypass this without access to the server (shared hosting)?

Any help would be appreciated.

Many thanks

Tim.

--
My real e-mail address is tim218 before the at followed by

supermail.org.uk.


Jul 16 '05 #3

P: n/a
Also sprach Tim218:
Hi Everyone
Hi Tim,
I've now solved the problem.
Would you be so kind as to let us in on the details of your solution?
Many thanks


You're welcome. :-)

Jul 16 '05 #4

P: n/a
Hi

I'm afraid I couldn't resolve the PHP problem which I think was caused by
the temporary directory setting on the server not being set (I don't have
admin control over the server).

On this occasion I went back to an ASP solution which had been my original
plan. The phpinfo() function proved useful as it let me know the server was
running Chili!ASP and once I knew this I was able to find details of its
built-in file upload function.

But my brief introduction to PHP has convinced me that it is the way forward
and that my first major ASP project should be my last. So hopefully I will
see you all in here again soon.

Best wishes

Tim.

--
My real e-mail address is tim218 before the at followed by supermail.org.uk.

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:bj*************@news.t-online.com...
Also sprach Tim218:
Hi Everyone


Hi Tim,
I've now solved the problem.


Would you be so kind as to let us in on the details of your solution?
Many thanks


You're welcome. :-)


Jul 16 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.