File upload script issue

I have an issue with a PHP script I tried to use for file upload (ref: sitepoint 2015)
===index.html========

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>form upload</title>
</head>

<body>
<form action="control.php" method="post"
enctype="multipart/form-data">
<p><label id="upload">Select file to upload:
<input type="hidden" name="MAX_FILE_SIZE" value="1024">
<input type="file" id="upload" name="upload"></label></p>
<p>
<input type="hidden" name="action" value="upload">
<input type="submit" value="Submit">
</p>
</form>
</body>
</html>

============END OF Index.html============
Below is the PHP script

==== control.php============

<?php
// Pick a file extension
if (preg_match('/^image\/p?jpeg$/i', $_FILES['upload']['type']))
{
    $ext = '.jpg';
}
else if (preg_match('/^image\/gif$/i', $_FILES['upload']['type']))
{
    $ext = '.gif';
}
else if (preg_match('/^image\/(x-)?png$/i', $_FILES['upload']['type']))
{
    $ext = '.png';
}
else
{
    $ext = '.unknown';
}

// The complete path/filename
$filename = 'C:/xampp/htdocs/Php_Msql/fileUp/uploads/' . time() . $_SERVER['REMOTE_ADDR'] . $ext;

// Copy the file (if it is deemed safe)
if (!is_uploaded_file($_FILES['upload']['tmp_name']) or
    !copy($_FILES['upload']['tmp_name'], $filename))
{
    $error = "Could not save file as $filename!";
    include $_SERVER['DOCUMENT_ROOT'] . '/Php_Msql/fileUp/includes/error.html.php';
    exit();
}

===============END OF Control.php==================

The error message I get when trying different files is below
==>Error<==: Could not save file as C:/xampp/htdocs/Php_Msql/fileUp/uploads/1449047923::1.unknown!

It cannot save it as the extension is set as unknown; you also have :: in the file path that may be a problem.

I assume your extension test is failing and the preg_match seems a bit overcomplicated to me. I would simplify the extension check first and get it working and then add the preg_match if you want it.

You are also saving to a computer path where I would use a relative path, so again try something simple like saving to the same folder first and see what happens. I use xampp and never need to use $filename = 'C:/xampp/htdocs/Php_Msql/fileUp/uploads/'; I would just have something like $filename = '/fileUp/uploads/'

I always recommend taking little steps and getting each to work before going on to the next, rather than going for the whole code in one go. You can also add some echo's at various parts within the code to confirm the variable contains what you expect.

Thank you Rubble for your time, I appreciate it.
You are right, the preg_match() is failing, but even when I try to hard code the variable ($ext = .jpg) and try uploading a JPEG file it still gives the same error.
The additional character :: is from the function ($_SERVER['REMOTE_ADDR']) which actually returns ::1
Thank you again for your time as I await your assistance.

This is the IPv6 equivalent of localhost, or 127.0.0.1. The issue is you're not validating what comes back as that address, so you need a short function to strip out characters you can't use as part of a filename. I'm not even sure I'd like to leave the full-stop characters in if it came back as an IPv4 address.

I don't really understand preg_match() at all, but are you checking for a file to be uploaded with the ".jpg" extension? I can see you check for jpeg, gif and png, would the first check also match for jpg?
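
The "short function to strip out characters" suggested above, as an added example that is not part of the original thread; it goes one step beyond the thread by checking the upload error code and choosing the extension from the file's content instead of the browser-supplied `$_FILES['upload']['type']`. The helper names `addr_token`, `image_ext` and `upload_target` and the sample GIF bytes are assumptions made for illustration. The colon is a reserved character in Windows filenames, so `::1` cannot appear in the saved name.

```php
<?php
// Added example: helper names and the demo input are assumptions, not the thread's code.

// Replace every character that is not a letter or digit, so ':' (IPv6)
// and '.' (IPv4) never reach the filename.
function addr_token(string $addr): string
{
    $token = preg_replace('/[^0-9A-Za-z]/', '_', $addr);
    return $token === '' ? 'unknown' : $token;
}

// Choose the extension from the file's content (fileinfo extension).
// Returns null when the content is not one of the allowed image types.
function image_ext(string $path): ?string
{
    $allowed = ['image/jpeg' => '.jpg', 'image/gif' => '.gif', 'image/png' => '.png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? ($allowed[$mime] ?? null) : null;
}

// Validate one $_FILES entry and return the destination path, or throw.
function upload_target(array $file, string $dir, string $addr): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        // For example UPLOAD_ERR_FORM_SIZE: the file is larger than the
        // MAX_FILE_SIZE hidden field in the form (1024 bytes on this page).
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    $ext = image_ext($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Not a JPEG, GIF or PNG image');
    }
    return rtrim($dir, '/\\') . '/' . time() . '_' . addr_token($addr) . $ext;
}

// Constructed demo input: a temp file that starts with a GIF signature,
// standing in for $_FILES['upload'], and '::1' standing in for REMOTE_ADDR.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$file = ['tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
echo upload_target($file, __DIR__ . '/uploads', '::1'), "\n";
unlink($tmp);
```

In `control.php` the returned path would be passed to `move_uploaded_file($_FILES['upload']['tmp_name'], $target)`, which performs the `is_uploaded_file()` check itself before moving the file.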
