Upload script

[VHockey86]

I'm trying to impliment a system on a webpage where people can upload screenshots to a webserver. Kind of similar to how you can upload pictures to your photo gallary here at techimo by browsing and sending the file, but alot simpilar.

I tried using this page:
http://us3.php.net/manual/en/feature...ad.post-method
I put the little php script towards the bottom in a file and called it "upload.php" and uploaded it to my webserver. Then I put the form code into a normal web document called "upload.htm"
All I changed was the "_URL_" thing which it said to change to the location of the php script (which I did).
However I cant get the thing working.
It comes back with an error saying.

Code:

Possible file upload attack!  Here's some debugging info:
Array
(
    [userfile] => Array
        (
            [name] => perfect.gif
            [type] => image/gif
            [tmp_name] => /tmp/phpz0HdEk
            [error] => 0
            [size] => 4542
        )

)

Anyone know how I can impliment a system like this? My programing knowledge is slim to none so I'd need help there if scripts were neccesary.

If anyone has an entirely different approach to the link I posted above thats fine too, just as long as it works and is relatively secure.
I also want to be able to control where it uploads the files too... like what directory on the webserver. The webserver is at www.1and1.com so I dont have direct access to the server.

I managed to setup a phpBB and linked it to a mysql database, however there doesnt appear to be any direct access to the mysql so I dont know if thats a possibility. I tried beforehand on another project to create a "shoutbox" but I couldnt figure out how to run the .sql file that the tutorial told me to. Only thing I could figure was to login with SSH and try to run the file, but it just told me "permission denied".

If anyone has any ideas please lemme know.
thanks in advance for any help

Vhockey86

[noseBleeD]

Quote:

[tmp_name] => /tmp/phpz0HdEk

Does this refer to temporary filename given for the image that is being uploaded, and if so, should it be given a name with same extention (which shows that this hasn't been done), and should it go to tmp directory (do you have tmp directory)?

I don't have any other ideas, sorry.

[VHockey86]

Ya I created a /tmp/ directory on the server the first time I saw that error, still got the same thing. Not sure how it gets the name though. Everytime I run it, the part after "/tmp/php" changes.

[noseBleeD]

Do you have the move_uploaded_file function written in page, or did you not use that function?

with function:

Code:

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {

without function:

Code:

if ($_FILES['userfile']['tmp_name'], $uploadfile) {
   print "File is valid, and was successfully uploaded. ";
   print_r($_FILES);
} else {
   print "Unable to Upload Fiile: \n";
   print_r($_FILES);
}

If that didn't help (probably didn't),
then do you have a size limit function that might be throwing away the upload?

Also from php script website:

Quote:

Warning

max_input_time sets the maximum time, in seconds, the script is allowed to receive input; this includes file uploads. For large or multiple files, or users on slower connections, the default of 60 seconds may be exceeded.

If post_max_size is set too small, large files cannot be uploaded. Make sure you set post_max_size large enough.

Not validating which file you operate on may mean that users can access sensitive information in other directories.

Please note that the CERN httpd seems to strip off everything starting at the first whitespace in the content-type mime header it gets from the client. As long as this is the case, CERN httpd will not support the file upload feature.

Due to the large amount of directory listing styles we cannot guarantee that files with exotic names (like containing spaces) are handled properly.

A developer may not mix normal input fields and file upload fields in the same form variable (by using an input name like foo[]).

#3: Not validating which file....
Maybe cause.

[VHockey86]

hmm, well I found this other gallery program at source forge and managed to get that installed (it did all the config pages via the browser, I just had to execute a shell script on the server to get it going).
http://s90390266.onlinehome.us/gallery/

Thx for the help though nosebleed, give me a second and i'll try the stuff that you posted just to see if it works.

[VHockey86]

hmm,
replaced the section of code that you gave me such that I had..

Code:

<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body><?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/';
$uploadfile = $uploaddir . $_FILES['userfile']['name'];

print "<pre>";
if ($_FILES['userfile']['tmp_name'], $uploadfile) {
   print "File is valid, and was successfully uploaded. ";
   print_r($_FILES);
} else {
   print "Unable to Upload Fiile: \n";
   print_r($_FILES);
}
print "</pre>";

?> 

</body>
</html>

but now it gave me the error
Parse error: parse error, unexpected ',' in /homepages/36/d90390248/htdocs/upload.php on line 16
Apparently without that initial function the syntax is all messed up

[noseBleeD]

seems like a needed function. oh well, thnx for trying it out.

I like just about everything on sourceforge.
Good and better choice!
Stick w/them there.
Great site.
Alot of good open source programs as well.
Cya