SitePoint Sponsor

User Tag List

Results 1 to 17 of 17
  1. #1
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    Basic File Upload issue

    hi, i use the following code to upload a 13k jpg image to the server.
    the script works successfully. problem is, uploaded file is not there in the server's 'attachment' folder.

    Note:- The attachment folder is located at /public_html/attachment

    PHP Code:
    <?php
    if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/pjpeg")
       && (
    $_FILES["file"]["size"] < 20000)) {
     
      if (
    $_FILES["file"]["error"] > 0) {
        echo 
    "Return Code: " $_FILES["file"]["error"] . "<br />";
      }else{
        echo 
    "Upload: " $_FILES["file"]["name"] . "<br />";
        echo 
    "Type: " $_FILES["file"]["type"] . "<br />";
        echo 
    "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo 
    "Temp file: " $_FILES["file"]["tmp_name"] . "<br />";  
        
        
    /*if (file_exists("upload/" . $_FILES["file"]["name"])) {
           echo $_FILES["file"]["name"] . " already exists. ";
        }else{ */
        
           
    move_uploaded_file($_FILES["file"]["tmp_name"]. $_FILES["file"]["name"], "attachments/" $_FILES["file"]["name"]);
           echo 
    "Stored in: " "attachments/" $_FILES["file"]["name"];
        
    //}         
        
    }
    }else{
    echo 
    "Invalid file";
    }
    ?>

  2. #2
    SitePoint Zealot Servyces's Avatar
    Join Date
    Jun 2007
    Location
    The Netherlands
    Posts
    112
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by afridy View Post
    Note:- The attachment folder is located at /public_html/attachment

    PHP Code:
    move_uploaded_file($_FILES["file"]["tmp_name"]. $_FILES["file"]["name"], "attachments/" $_FILES["file"]["name"]); 
    I see a conflict
    Last edited by Servyces; Jun 13, 2007 at 10:27.
    Servyces.com
    Where itís all about you.
    Your partner in online solutions.
    Visit our website at http://www.servyces.com/

  3. #3
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Hai, servyces, Thanks you for ther reply.
    I put this code.
    PHP Code:
    move_uploaded_file($_FILES["file"]["tmp_name"]. $_FILES["file"]["name"], "public_html/attachments/" $_FILES["file"]["name"]); 
    but no success. the file is not found in the attachments folder.
    * i use filezilla for ftp.

  4. #4
    SitePoint Enthusiast FSan's Avatar
    Join Date
    Dec 2005
    Location
    San Martin de los Andes, Patagonia Argentina
    Posts
    93
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Did you get what Servyces meant afridy?

    If

    The attachment folder is located at /public_html/attachment

    then

    "public_html/attachments/" will not work. See the extra "s"...?

    I didn't thoroughly check your code though...
    Was that just it?
    Good luck

  5. #5
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    $_FILES["file"]["tmp_name"]. $_FILES["file"]["name"]
    This is most decidedly not where you uploaded file is. Had you been checking the return code from move_uploaded_file (a good thing to do when something isn't working I would think...), you would find it returning FALSE. Had you turned on error reporting (also a good thing to do when something isn't working...), you would see an error to the effect of:
    "Unable to open stream: cannot find file /tmp/blah.tmpmyuploadedfile.jpg"
    (Where $_FILES["file"]["tmp_name"] is "/tmp/blah.tmp" and $_FILES["file"]["name"] is "myuploadedfile.jpg")

    $_FILES['file']['tmp_name'] contains the full path to the temporary file - you do not need to append anything to get to your file. In fact, appending anything will cause you to fail to locate your file in 100&#37; of cases.

    Also, very bad to trust the user's supplied filename. What if I upload the file "../../etc/passwd"? Suddenly your script has just overwritten your server's passwd file with my file, and done it quite happily, too! At worst, you must validate the supplied filename to prevent such occurrences; at best, you should ignore the user's supplied filename and generate your own.
    PHP questions? RTFM
    MySQL questions? RTFM

  6. #6
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by FSan View Post
    Did you get what Servyces meant afridy?

    If

    The attachment folder is located at /public_html/attachment

    then

    "public_html/attachments/" will not work. See the extra "s"...?

    I didn't thoroughly check your code though...
    Was that just it?
    Good luck
    Fscan, sorry. that was a typing mistake i put here in sitepoint. the folder name is really 'attachments'

    Thank you for pointing out.

  7. #7
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kromey View Post
    $_FILES["file"]["tmp_name"]. $_FILES["file"]["name"]
    This is most decidedly not where you uploaded file is. Had you been checking the return code from move_uploaded_file (a good thing to do when something isn't working I would think...), you would find it returning FALSE. Had you turned on error reporting (also a good thing to do when something isn't working...), you would see an error to the effect of:
    "Unable to open stream: cannot find file /tmp/blah.tmpmyuploadedfile.jpg"
    (Where $_FILES["file"]["tmp_name"] is "/tmp/blah.tmp" and $_FILES["file"]["name"] is "myuploadedfile.jpg")

    $_FILES['file']['tmp_name'] contains the full path to the temporary file - you do not need to append anything to get to your file. In fact, appending anything will cause you to fail to locate your file in 100% of cases.

    Also, very bad to trust the user's supplied filename. What if I upload the file "../../etc/passwd"? Suddenly your script has just overwritten your server's passwd file with my file, and done it quite happily, too! At worst, you must validate the supplied filename to prevent such occurrences; at best, you should ignore the user's supplied filename and generate your own.
    Thank you Krome for your Very Very valuable comments.
    Let me try thouse suggessions

  8. #8
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kromey View Post
    $_FILES["file"]["tmp_name"]. $_FILES["file"]["name"]
    This is most decidedly not where you uploaded file is. Had you been checking the return code from move_uploaded_file (a good thing to do when something isn't working I would think...), you would find it returning FALSE. Had you turned on error reporting (also a good thing to do when something isn't working...), you would see an error to the effect of:
    "Unable to open stream: cannot find file /tmp/blah.tmpmyuploadedfile.jpg"
    (Where $_FILES["file"]["tmp_name"] is "/tmp/blah.tmp" and $_FILES["file"]["name"] is "myuploadedfile.jpg")

    $_FILES['file']['tmp_name'] contains the full path to the temporary file - you do not need to append anything to get to your file. In fact, appending anything will cause you to fail to locate your file in 100&#37; of cases.

    Also, very bad to trust the user's supplied filename. What if I upload the file "../../etc/passwd"? Suddenly your script has just overwritten your server's passwd file with my file, and done it quite happily, too! At worst, you must validate the supplied filename to prevent such occurrences; at best, you should ignore the user's supplied filename and generate your own.

    Kromey, Yes, you got the point. Working !!!

    as you sad

    $_FILES['file']['tmp_name'] contains the full path to the temporary file - you do not need to append anything to get to your file. In fact, appending anything will cause you to fail to locate your file in 100% of cases.
    This is what make the code fails.

    also the path should be "../attachments/" and not "public_html....

    Follwoing is my new code.

    PHP Code:
    <?php
    if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/pjpeg")
       && (
    $_FILES["file"]["size"] < 20000)) {
     
      if (
    $_FILES["file"]["error"] > 0) {
        echo 
    "Return Code: " $_FILES["file"]["error"] . "<br />";
      }else{
        echo 
    "Upload: " $_FILES["file"]["name"] . "<br />";
        echo 
    "Type: " $_FILES["file"]["type"] . "<br />";
        echo 
    "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo 
    "Temp file: " $_FILES["file"]["tmp_name"] . "<br />";  
        
        
    /*if (file_exists("upload/" . $_FILES["file"]["name"])) {
           echo $_FILES["file"]["name"] . " already exists. ";
        }else{ */
        
           
    if  (move_uploaded_file($_FILES["file"]["tmp_name"], "../attachments/" $_FILES["file"]["name"])) {
               echo 
    "Successfully Moved";
               }else{
               echo 
    "Unable to move the file";
           }
           
    //echo "Stored in: " . "public_html/attachments/" . $_FILES["file"]["name"];
        //}         
        
    }
    }else{
    echo 
    "Invalid file";
    }
    ?>
    Thanks Every body for helping me.
    Last edited by afridy; Jun 12, 2007 at 05:21.

  9. #9
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'm still going to stubbornly persist that you should not use $_FILES["file"]["name"] as the filename for the new file, at least not without some intensive validation. As-is, you are allowing any little script kiddie the ability to overwrite nearly any file on your server with whatever they want. Maybe it's just me, but I don't think this is A Good Thing.

    Also, you're validating the file based upon the user-supplied file type ($_FILES["file"]["type"] comes from the browser and is not in any way verified by PHP or anything else on the server). This greatly exacerbates the security hole you've created by allowing me to choose the filename my file will be stored as - not only can I choose the filename and file location, but I can literally upload anything I want. Some of the things this makes possible include overwriting Apache's httpd.conf; replacing your system's /etc/passwd file, locking you out of your own server while allowing the script kiddie full access; replacing otherwise innocuous files (e.g. /bin/ls) with arbitrary binaries which would be executed with your permissions and not the (hopefully) limited permissions of Apache.

    The fix is simple: replace the check against $_FILES["file"]["type"] with one against the file's extension (this will serve double-duty in forbidding things like virus.exe and slightly mitigating the flaw in using $_FILES["file"]["name"]). Once that passes, add another check using getimagesize, verifying that the image type is what you expect (and that the file is indeed an image!).

    Then, do not use $_FILES["file"]["name"] to store the file, at least not without validating it first. See realpath, pathinfo, dirname, and basename to get you started. Best would be to generate a new filename, that way you know beyond a shadow of a doubt that you're not allowing any script kiddie to overwrite any of your files.
    PHP questions? RTFM
    MySQL questions? RTFM

  10. #10
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    kromey, this is owsome tips. ok. i have few issues.

    as in the script i upload the file to "../attachments" folder. so how can one could be put the file outside the "../attachments" unless he altred the php script which he could not? (coz he dont no the password)

  11. #11
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It's very simple. Consider what would happen if the contents of $_FILES['file']['name'] are "../../etc/passwd". This means that your full path becomes "../attachments/../../etc/passwd"; if attachments is 2 directories deep in your file structure, then you've just let me overwrite /etc/passwd!

    Or consider if the name I supply is "/etc/passwd". The path would become "../attachments//etc/passwd", which may be interpreted as "/etc/passwd" (this one's been inconsistent in my testing - not sure if it's kernel version or shell or what that affects it, but safest to assume you're at risk for it!).

    Neither of these require doing anything to alter the PHP file - all it requires is manipulating the data that I'm sending to your server, data which you are treating as trustworthy and safe and which is in fact neither.

    Literally everything in $_FILES (except $_FILES['file']['error'] and $_FILES['file']['tmp_name']) is supplied by the user. This means that someone who knows what they're doing, or some script kiddie with the right software, can provide anything they want. This puts the examples I gave above within unbelievably easy reach.
    PHP questions? RTFM
    MySQL questions? RTFM

  12. #12
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    First of all sorry for the bit delayed as i had to consentrate on another issue.

    Yes, Kromey, i undestand the real security issue. Thank you so much for pointing out this threat.

    so you recon me to check the extensions of the files insted of $_FILES['file']['type']. ok . i will fix this matter now. i have to use an string manipulation function.

    So i will fix this issue and come to the next point, probably a little later.

    bye for now ..

  13. #13
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Hai Kromi,

    my native programming language is VB6. i am just 6 months old to php.
    please help me to trim the extension part from a file.

    i mean what function and how wil be the code like?

  14. #14
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    hai Kromi,

    i think it should be rtrim(string,char). am i correct?

  15. #15
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Take a look at pathinfo - it'll do all the work for you!
    PHP questions? RTFM
    MySQL questions? RTFM

  16. #16
    SitePoint Guru afridy's Avatar
    Join Date
    Mar 2007
    Posts
    960
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Yes kromey, it don the trick.

    Off Topic:
    How do i rate helpfull posts / or Give them reputaion in sitepoint?

  17. #17
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Off Topic:

    So far as I know, there is no reputation system here. Nor is there any post rating system.
    PHP questions? RTFM
    MySQL questions? RTFM


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •