$_FILES[] Query

nvidia123 · June 8, 2010, 2:40am

Hi,

i have built a form which is used to upload files to my server. I am currently in the process of doing validation checks and right now i am checking to see if when the user hits the submit button that it was an actual file upload given the code bellow. What i don't understand is when i do


// Checkk if a file was actually uploaded
    if(!is_uploaded_file($_FILES['photo']['name']) )
    {
        $error = 'Error, there was no file uploaded';
        include 'error.html.php';
        exit();
    }

and submit my form with a .jpg file i get my user generated error BUT when i change the condition to if(!is_uploaded_file($_FILES[‘photo’][‘tmp_name’]) )
and submit my form with a file it does not give the error which is fine.

So why does it not work with i use if(!is_uploaded_file($_FILES[‘photo’][‘name’]) ) ?

Thanks

cranial_bore · June 8, 2010, 3:51am

What am i missing here?

A closing bracket at the end of if(file_exists($target)

Your first line of code is also redundant. You overwrite the variable on the very next line.
The second one should be joining to $target (instead of redefining the base directory).

Also, not a good practice to use the original file name directory. It should be renamed to have only safe characters, preferably without spaces.

nvidia123 · June 8, 2010, 3:28am

Oh yes ofcouse, i will won’t to move the file to my desired location, BUT i have 1 more validtion check that i’m having trouble with. I am check if the uploaded file already exists in server given the code:


 $target = "Shanghai_2010/images/";
    $target =  "Shanghai_2010/images/" . basename($_FILES['photo']['name']);
    


 if(file_exists($target)
    {
        $error = 'This file already exists on the server';
        include 'error.html.php';
        exit();
    }
    else
    {
        // move file to server
        echo 'success this file does not exist on server';
    }

In my Shanghai_2010/images/ folder i already have an image to check aginast, however when i try to upload a file it seems to always go into my success message even if the file uploaded already exists in my server. What am i missing here?

cranial_bore · June 8, 2010, 6:21am

I don’t know why you always get the success message. Try doing some debugging by echoing $target after you append the file name.

When I talk about the URL I mean the path to the image AFTER a user uploads a file with a funny name. I can’t see any of this yet, I’m just letting you know what could happen. If a user has a file called My ‘Great’ Photo.jpg (legal in windows) and they upload it, you are using that name directly on your server file system. If you then echo the name of that image inside an image tag you might get code that looks like this:


<img src='Shanghai_2010/images/My 'Great' Photo.jpg'>

which will break your HTML. $_FILES[‘photo’][‘name’] is the original name of the file on the users machine. This should be cleaned up as I described above.

nvidia123 · June 8, 2010, 6:10am

Oh yes i know what you mean, i’m not using the variable so why have it there in the first place. I updated the $target variable code accordingly but i’m still little confused about my URL because from what i can see, all my characters are alpha numeric ie. A-Z and single underscore unless your seeing something i’m not?
If you have a very simple example that might help me.

Also, when updating my $target code, php still seems to gointo my success message even if the file i upload is the same on my sever. Please not i’m using WAMP, so under my www, i have Shanghai_2010\images(working on windows machine)

Is the URL affecting my if statement i imagine then?

cranial_bore · June 8, 2010, 3:14am

name refers to the original file name on the users computer. It’s not a file on your server, so cannot be an uploaded file. tmp_name works, because that is the path to the file on your server. You should use [fphp]move_uploaded_file[/fphp] to move the tmp_name to your preferred location if the file passes validation.

cranial_bore · June 8, 2010, 5:50am

$target =  "Shanghai_2010/images/" . basename($_FILES['photo']['name']);

That’s fine, but what is the point of defining $target right above it, if you don’t use it? You’re specifying Shanghai_2010/images/ twice.

Try this:


$target =  "Shanghai_2010/images/";
$target .=  basename($_FILES['photo']['name']);

No nothing to do with safe mode. Some characters don’t work as well as URLs. Spaces look ugly when they become %20 or if the file name contains single quotes it could break your HTML when you display a reference to it.
Strip out all characers except for alpha numerics and . _ -

nvidia123 · June 8, 2010, 4:24am

Can you explain what you mean by this please? as i’m not following you. because i thought by doing this

$target =  "Shanghai_2010/images/" . basename($_FILES['photo']['name']);

meant that i would be returning the filename and adding it to the end of the file extension and then using the if statement to see if that file actually existeded.

[QUOTE=cranial-bore;4611941]
Also, not a good practice to use the original file name directory. It should be renamed to have only safe characters, preferably without spaces.
QUOTE]
What do you mean by safe characters, are you referring to the ‘safe mode restrictions’ or is that i need to have lowercase letters or something?