SitePoint Sponsor

User Tag List

Results 1 to 8 of 8

Thread: $_FILES[] Query

  1. #1
    SitePoint Zealot
    Join Date
    Nov 2009
    Posts
    110
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    $_FILES[] Query

    Hi,


    i have built a form which is used to upload files to my server. I am currently in the process of doing validation checks and right now i am checking to see if when the user hits the submit button that it was an actual file upload given the code bellow. What i don't understand is when i do

    Code PHP:
    // Checkk if a file was actually uploaded
        if(!is_uploaded_file($_FILES['photo']['name']) )
        {
            $error = 'Error, there was no file uploaded';
            include 'error.html.php';
            exit();
        }

    and submit my form with a .jpg file i get my user generated error BUT when i change the condition to if(!is_uploaded_file($_FILES['photo']['tmp_name']) )
    and submit my form with a file it does not give the error which is fine.

    So why does it not work with i use if(!is_uploaded_file($_FILES['photo']['name']) ) ?

    Thanks

  2. #2
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    name refers to the original file name on the users computer. It's not a file on your server, so cannot be an uploaded file. tmp_name works, because that is the path to the file on your server. You should use move_uploaded_file to move the tmp_name to your preferred location if the file passes validation.

  3. #3
    SitePoint Zealot
    Join Date
    Nov 2009
    Posts
    110
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh yes ofcouse, i will won't to move the file to my desired location, BUT i have 1 more validtion check that i'm having trouble with. I am check if the uploaded file already exists in server given the code:

    Code PHP:
     $target = "Shanghai_2010/images/";
        $target =  "Shanghai_2010/images/" . basename($_FILES['photo']['name']);
     
     
     
     if(file_exists($target)
        {
            $error = 'This file already exists on the server';
            include 'error.html.php';
            exit();
        }
        else
        {
            // move file to server
            echo 'success this file does not exist on server';
        }


    In my Shanghai_2010/images/ folder i already have an image to check aginast, however when i try to upload a file it seems to always go into my success message even if the file uploaded already exists in my server. What am i missing here?

  4. #4
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What am i missing here?
    A closing bracket at the end of if(file_exists($target)

    Your first line of code is also redundant. You overwrite the variable on the very next line.
    The second one should be joining to $target (instead of redefining the base directory).

    Also, not a good practice to use the original file name directory. It should be renamed to have only safe characters, preferably without spaces.

  5. #5
    SitePoint Zealot
    Join Date
    Nov 2009
    Posts
    110
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cranial-bore View Post
    The second one should be joining to $target (instead of redefining the base directory).
    Can you explain what you mean by this please? as i'm not following you. because i thought by doing this
    Code:
    $target =  "Shanghai_2010/images/" . basename($_FILES['photo']['name']);
    meant that i would be returning the filename and adding it to the end of the file extension and then using the if statement to see if that file actually existeded.


    [QUOTE=cranial-bore;4611941]
    Also, not a good practice to use the original file name directory. It should be renamed to have only safe characters, preferably without spaces.
    QUOTE]
    What do you mean by safe characters, are you referring to the 'safe mode restrictions' or is that i need to have lowercase letters or something?

  6. #6
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    PHP Code:
    $target =  "Shanghai_2010/images/" basename($_FILES['photo']['name']); 
    That's fine, but what is the point of defining $target right above it, if you don't use it? You're specifying Shanghai_2010/images/ twice.

    Try this:
    PHP Code:
    $target =  "Shanghai_2010/images/";
    $target .=  basename($_FILES['photo']['name']); 
    No nothing to do with safe mode. Some characters don't work as well as URLs. Spaces look ugly when they become %20 or if the file name contains single quotes it could break your HTML when you display a reference to it.
    Strip out all characers except for alpha numerics and . _ -

  7. #7
    SitePoint Zealot
    Join Date
    Nov 2009
    Posts
    110
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh yes i know what you mean, i'm not using the variable so why have it there in the first place. I updated the $target variable code accordingly but i'm still little confused about my URL because from what i can see, all my characters are alpha numeric ie. A-Z and single underscore unless your seeing something i'm not?
    If you have a very simple example that might help me.

    Also, when updating my $target code, php still seems to gointo my success message even if the file i upload is the same on my sever. Please not i'm using WAMP, so under my www, i have Shanghai_2010\images(working on windows machine)

    Is the URL affecting my if statement i imagine then?

  8. #8
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I don't know why you always get the success message. Try doing some debugging by echoing $target after you append the file name.

    When I talk about the URL I mean the path to the image AFTER a user uploads a file with a funny name. I can't see any of this yet, I'm just letting you know what could happen. If a user has a file called My 'Great' Photo.jpg (legal in windows) and they upload it, you are using that name directly on your server file system. If you then echo the name of that image inside an image tag you might get code that looks like this:
    Code:
    <img src='Shanghai_2010/images/My 'Great' Photo.jpg'>
    which will break your HTML. $_FILES['photo']['name'] is the original name of the file on the users machine. This should be cleaned up as I described above.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •