File Upload Problem 1

[InsaneProgrammer]

I'm new to PHP and have inherited a site that has a page for file uploading. The site doesn't work. Before jumping in and trying to fix it I thought I'd look at some examples and try to create a simple page first. My example consists of 2 pages (upload.php, upload.html). The code for both is below. After I choose the text file I want to upload I get a message saying that the file could not be moved.

--upload.php--
<html>
<head>
  <title>Uploading...</title>
</head>
<body>
<h1>Uploading file...</h1>
<?php

  // $userfile is where file went on webserver
  $userfile = $HTTP_POST_FILES['userfile']['tmp_name'];

  // $userfile_name is original file name
  $userfile_name = $HTTP_POST_FILES['userfile']['name'];

  // $userfile_size is size in bytes
  $userfile_size = $HTTP_POST_FILES['userfile']['size'];

  // $userfile_type is mime type e.g. image/gif
  $userfile_type = $HTTP_POST_FILES['userfile']['type'];

  // $userfile_error is any error encountered
  $userfile_error = $HTTP_POST_FILES['userfile']['error'];

  if ($userfile_error > 0)
  {
    echo 'Problem: ';
    switch ($userfile_error)
    {
      case 1:  echo 'File exceeded upload_max_filesize';  break;
      case 2:  echo 'File exceeded max_file_size';  break;
      case 3:  echo 'File only partially uploaded';  break;
      case 4:  echo 'No file uploaded';  break;
    }
    exit;
  }

// does the file have the right MIME type?

  if ($userfile_type != 'text/plain')
  {
    echo 'Problem: file is not plain text';
    exit;
  }

// put the file where we'd like it
   $upfile = '../test2/'.$userfile_name;

  if (is_uploaded_file($userfile)) 
  {
     if (!move_uploaded_file($userfile, $upfile))
     {
        [b][COLOR=red]echo 'Problem: Could not move file to destination directory';[/color][/b]
        exit;
     }
  } 
  else 
  {
    echo 'Problem: Possible file upload attack. Filename: '.$userfile_name;
    exit;
  }

  echo 'File uploaded successfully<br /><br />'; 

// reformat the file contents
  $fp = fopen($upfile, 'r');
  $contents = fread ($fp, filesize ($upfile));
  fclose ($fp);
 
  $contents = strip_tags($contents);
  $fp = fopen($upfile, 'w');
  fwrite($fp, $contents);
  fclose($fp);
// show what was uploaded
  echo 'Preview of uploaded file contents:<br /><hr />';
  echo $contents;
  echo '<br /><hr />';

?>
</body>
</html>

--upload.html--
<html>
<head>
  <title>Administration - upload new files</title>
</head>
<body>
<h1>Upload new files</h1>
<form enctype=&quot;multipart/form-data&quot; action=&quot;upload.php&quot; method=&quot;post&quot;>
  <input type=&quot;hidden&quot; name=&quot;MAX_FILE_SIZE&quot; value=&quot;1000000&quot;>
  Upload this file: <input name=&quot;userfile&quot; type=&quot;file&quot;>
  <input type=&quot;submit&quot; value=&quot;Send File&quot;>
</form>
</body>
</html>

Any help would be appreciated.

InsaneProgrammer.com

 

[sleipnir214]

Let's call the directory in which upload.php resides the current directory.

Is there a directory named "test2" in the parent directory of the current directory?

Would the user as which your web server runs be able to write to that directory?

If PHP's runtime configuration directive safe_mode, is set to "on", is that directory owned by the same user as which the web server runs?

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[InsaneProgrammer]

Yes, there is a folder called test2 in the current directory.

The site is hosted by a third party. How can I tell if the user which the web server runs as is able to write to that directory?

How can I find out if the PHP runtime configuration directive safe_mode, is set to "on"?



InsaneProgrammer.com

 

[sleipnir214]

You can tell a lot about PHP's settings by creating a script consisting of:

<?php
phpinfo();
?>

and pointing a web browser to it. Do a search on the output for safe_mode.

To test whether the permissions on the directory are right, you might try using PHP's fopen() function to create a new file in the same directory. If that succeeds (which you will know by fopen()'s returning a non-FALSE value), then you have permission to write to the directory.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[InsaneProgrammer]

safe_mode is off.

I will try the fopen() suggestion.

I'm use to using IIS and ASP. On a windows box you can just right click on the directory, select properties, and then security to see permissions. Isn't there a way to see what users have permissions on each of the directories in Linux?

InsaneProgrammer.com

 

[sleipnir214]

Also, while you're scrutinizing the output of phpinfo(), what is the setting for error_reporting?

When it fails to move a file, move_uploaded_file() outputs a warning that you have not reported seeing. Try adding:

error_reporting(E_ALL);

to your script somewhere ahead of the move.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[InsaneProgrammer]

Error_Reporting = 2047. Is that strange? Should it be yes/no?

I added error_reporting(E_ALL); but nothing changed.


InsaneProgrammer.com

 

[InsaneProgrammer]

I believe that I've found the problem. I think that the permissions on the folder I'm trying to upload to are incorrect. Thanks for the help.

InsaneProgrammer.com

 

[sleipnir214]

error_reporting can either be numeric or bitwise logical expressions using PHP's defined constants. The value 2047 is equivalent to E_ALL, which should show all errors, warnings, and notices. (The constants and the numeric equivalents are defined here:

http://us4.php.net/manual/en/ref.errorfunc.php)

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!