Upload images via form

PHP
1

I am having some troubles :frowning:

I have a script to upload images via a form…

<?php  

// filename: upload.processor.php

// first let's set some variables

// make a note of the current working directory, relative to root.
$directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);

// make a note of the directory that will recieve the uploaded files
$uploadsDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . '/uploaded_files/';

// make a note of the location of the upload form in case we need it
$uploadForm = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.form.php';

// make a note of the location of the success page
$uploadSuccess = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'upload.success.php';

// name of the fieldname used for the file in the HTML form
$fieldname = 'file';



// Now let's deal with the upload

// possible PHP upload errors
$errors = array(1 => 'php.ini max file size exceeded', 
                2 => 'html form max file size exceeded', 
                3 => 'file upload was only partial', 
                4 => 'no file was attached');

// check the upload form was actually submitted else print form
isset($_POST['submit'])
	or error('the upload form is neaded', $uploadForm);

// check for standard uploading errors
($_FILES[$fieldname]['error'] == 0)
	or error($errors[$_FILES[$fieldname]['error']], $uploadForm);
	
// check that the file we are working on really was an HTTP upload
@is_uploaded_file($_FILES[$fieldname]['tmp_name'])
	or error('not an HTTP upload', $uploadForm);
	
// validation... since this is an image upload script we 
// should run a check to make sure the upload is an image
@getimagesize($_FILES[$fieldname]['tmp_name'])
	or error('only image uploads are allowed', $uploadForm);
	
// make a unique filename for the uploaded file and check it is 
// not taken... if it is keep trying until we find a vacant one
$now = time();
while(file_exists($uploadFilename = $uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name']))
{
	$now++;
}

// now let's move the file to its final and allocate it with the new filename
@move_uploaded_file($_FILES[$fieldname]['tmp_name'], $uploadFilename)
	or error('receiving directory insuffiecient permission', $uploadForm);
	
// If you got this far, everything has worked and the file has been successfully saved.
// We are now going to redirect the client to the success page.
header('Location: ' . $uploadSuccess);

// make an error handler which will be used if the upload fails
function error($error, $location, $seconds = 5)
{
	header("Refresh: $seconds; URL=\\"$location\\"");
	echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"'."\
".
	'"http://www.w3.org/TR/html4/strict.dtd">'."\
\
".
	'<html lang="en">'."\
".
	'	<head>'."\
".
	'		<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">'."\
\
".
	'		<link rel="stylesheet" type="text/css" href="stylesheet.css">'."\
\
".
	'	<title>Upload error</title>'."\
\
".
	'	</head>'."\
\
".
	'	<body>'."\
\
".
	'	<div id="Upload">'."\
\
".
	'		<h1>Upload failure</h1>'."\
\
".
	'		<p>An error has occured: '."\
\
".
	'		<span class="red">' . $error . '...</span>'."\
\
".
	'	 	The upload form is reloading</p>'."\
\
".
	'	 </div>'."\
\
".
	'</html>';
	exit;
} // end error handler

?>

When I use it it seems to work correctly I get the success message in my browser but no image is saved to the folder named in the script. The folder does exist on the server in the right place.

Can anyone spot what I’m doing wrong?

2

getimagesize() on it’s own isn’t sufficient security against malicious file uploads

3

use the move_uploaded_file function


<?php

if (isset($_POST['submit']))
{
	$uploaddir = './uploaded_files/';
	$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

	if (is_uploaded_file($_FILES['userfile']['tmp_name']))
	{
		// move the file to the desired place
		if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
		{
			echo "File is valid, and was successfully uploaded.\
";
		}
		else
		{
		   echo "Possible file upload attack!\
";
		}
	}
}

?>

<form action="x.php" method="post" enctype="multipart/form-data">
 Send the file:<br />
 <input name="userfile" type="file" /><br />
 <input type="submit" name="submit" value="Send file" />
</form>
4

Try to see if the photo’s source is written correct in the HTML code. Every wrong point, every wrong space it matters and cancels your photo posting.

5

Thanks for all the help guys - I’m sure I’ll have more questions soon :slight_smile:

6

Hi niallmeera,
Best way to track is , just give a


echo "<pre>";
print_r( $_POST ); //if post , or $_REQUEST for both GET and POST . 
echo "</pre>";

Looking this will make sure that you are getting the values accordingly .

When doing file upload , please do check your form is with multipart/formdata .

Also you don’t want the whole junk of html in echo :slight_smile: . Ernie1 example is a good one :slight_smile: .

Hope it helps :slight_smile: