
PHP, having issues making and inserting files in the proper directory

seaturtleftw
Posted Jan 21 2010 05:12 AM

Hey guys, I'm new to the O'Reilly community and I was wondering if someone could help me out with a probably easy issue.
So here's the deal: I have an upload system that works smoothly until it gets down to moving the files. The code checks if there is a directory with that name, and if so it's supposed to put the file in there; if not, it creates the directory and still puts the file in that directory. So obviously there's something wrong with my if statement. Could someone work this one out with me?
if(file_exists("vaksites/uploads/" . $_POST["subject"]))
{
    move_uploaded_file($_FILES["file"]["tmp_name"],
        "vaksites/uploads/" . $_POST["subject"] . $_FILES["file"]["name"]);
    echo "Stored in: " . "vaksites/uploads/" . $_POST["subject"];
}
else
{
    mkdir("vaksites/uploads/" . $_POST["subject"]);
    move_uploaded_file($_FILES["file"]["tmp_name"],
        "vaksites/uploads/" . $_POST["subject"] . $_FILES["file"]["name"]);
    echo "Stored in: " . "vaksites/uploads/" . $_POST["subject"];
}


Thanks for the helpful eye, guys.

4 Replies

+ 2
  Robin Nixon
Posted Jan 21 2010 07:35 AM

At first glance I note that you are trying to move the uploaded file if 'subject', another posted variable, has been set. But that isn't a guarantee that the file was also uploaded. I think you should make a check as follows to ensure a file has been uploaded:

if ($_FILES["file"]["tmp_name"] != "")

It also seems to me that it would be sensible to create the vaksites/uploads folder in advance, rather than having to test for its existence and create it every time a file is uploaded.

You may find the following example code from my book Learning PHP, MySQL & JavaScript helpful. It allows the uploading and saving of an image file:

<?php //upload.php
echo <<<_END
<html><head><title>PHP Form Upload</title></head><body>
<form method='post' action='upload.php' enctype='multipart/form-data'>
Select a JPG, GIF, PNG or TIF File:
<input type='file' name='filename' size='10' />
<input type='submit' value='Upload' /></form>
_END;

if ($_FILES)
{
	$name = $_FILES['filename']['name'];

	switch($_FILES['filename']['type'])
	{
		case 'image/jpeg': $ext = 'jpg'; break;
		case 'image/gif':  $ext = 'gif'; break;
		case 'image/png':  $ext = 'png'; break;
		case 'image/tiff': $ext = 'tif'; break;
		default:	   $ext = '';    break;
	}
	if ($ext)
	{
		$n = "image.$ext";
		move_uploaded_file($_FILES['filename']['tmp_name'], $n);
		echo "Uploaded image '$name' as '$n':<br />";
		echo "<img src='$n' />";
	}
	else echo "'$name' is not an accepted image file";
}
else echo "No image has been uploaded";

echo "</body></html>";
?>

 : Jan 22 2010 01:04 AM
The problem is that even if the directory is there, it still puts the file outside of the folder. Personally I don't see the error, but I'm still a newbie ;) It seems to me that I'm doing something wrong with assigning the URL for the uploaded file being moved to:

if(file_exists("vaksites/uploads/" . $_POST["subject"]))
{
    move_uploaded_file($_FILES["file"]["tmp_name"],
        "vaksites/uploads/" . $_POST["subject"] . $_FILES["file"]["name"]);
    echo "Stored in: " . "vaksites/uploads/" . $_POST["subject"];
}


The way I see it, this line of code checks if the map exists and, if so, it moves the uploaded file from the temporary folder to the new one I'm assigning, but for some reason it ends up outside of the folder instead of inside of it. The echo, however, does say the file has been uploaded to the proper directory.
 : Jan 22 2010 04:52 AM
You actually have a lot of duplicated code there. In essence you are saying "If the upload folder specified in the $_POST["subject"] doesn't exist then make it, and after that move the uploaded file into it." So you can reduce your code down to the following:

$uploadfolder = "vaksites/uploads/";
$subject      = $_POST["subject"];
$temp         = $_FILES["file"]["tmp_name"];
$name         = $_FILES["file"]["name"];

if (!file_exists("$uploadfolder$subject")) mkdir("$uploadfolder$subject");

move_uploaded_file($temp, "$uploadfolder$subject$name");
echo "Stored in: $uploadfolder$subject";

Now it's easier to see what the program flow is doing.

The first thing I see is that there is no / between $subject and $name. So the statement that moves the file should look like the following to do what you want:

move_uploaded_file($temp, "$uploadfolder$subject/$name");

Therefore the change to make to your original code is as follows (although I would recommend sticking with the shorter version):

if(file_exists("vaksites/uploads/" . $_POST["subject"]))
{
    move_uploaded_file($_FILES["file"]["tmp_name"],
        "vaksites/uploads/" . $_POST["subject"] . "/" . $_FILES["file"]["name"]);
    echo "Stored in: " . "vaksites/uploads/" . $_POST["subject"];
}
else
{
    mkdir("vaksites/uploads/" . $_POST["subject"]);
    move_uploaded_file($_FILES["file"]["tmp_name"],
        "vaksites/uploads/" . $_POST["subject"] . "/" . $_FILES["file"]["name"]);
    echo "Stored in: " . "vaksites/uploads/" . $_POST["subject"];
}

Note the extra "/" that I have inserted in two places.
0
  DarkFlib
Posted Jan 24 2011 05:47 PM

Please consider sanitising your post data...

What if I put in your form '../../filename'

where would the file end up? Certainly not in your upload directory, that's for sure.

The function you need to be aware of is basename()

http://uk2.php.net/basename

This returns the trailing part of the filename (with or without the extension) and can be used to safely sanitise the filename before applying it to the filesystem.

I'm surprised no one else spotted this problem.
Sysdom.com - Monitoring and Support Services (Launching Feb 2011)
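
The basename() point from the last reply, applied to both client-controlled values in the thread's code ($_POST["subject"] and $_FILES["file"]["name"]). This is an added example, not code from any poster in the thread; the function names safe_component() and upload_destination() are hypothetical, and it assumes vaksites/uploads already exists, as suggested earlier in the thread.

```php
<?php
// Added example (not from the thread). Builds the destination path from the two
// client-controlled values: $_POST["subject"] and $_FILES["file"]["name"].

// Reduce a client-supplied name to a single path component, or null if
// nothing usable is left. basename("..") is still "..", so reject it.
function safe_component(string $value): ?string
{
    // Treat backslashes as separators too, so the cut is the same on any host.
    $part = basename(str_replace("\\", "/", $value));
    if ($part === "" || $part === "." || $part === ".." || strpos($part, "\0") !== false) {
        return null;
    }
    return $part;
}

// Returns "<root>/<subject>/<file>", or null if either value is rejected.
function upload_destination(string $root, string $subject, string $filename): ?string
{
    $dir  = safe_component($subject);
    $file = safe_component($filename);
    if ($dir === null || $file === null) {
        return null;
    }
    return rtrim($root, "/") . "/$dir/$file";
}

// Upload handler using the same field names as the original post.
if (isset($_FILES["file"], $_POST["subject"]) && is_string($_POST["subject"])
    && $_FILES["file"]["error"] === UPLOAD_ERR_OK) {
    $dest = upload_destination("vaksites/uploads", $_POST["subject"], $_FILES["file"]["name"]);
    if ($dest === null) {
        echo "Rejected subject or file name";
    } elseif ((is_dir(dirname($dest)) || mkdir(dirname($dest), 0755))
              && move_uploaded_file($_FILES["file"]["tmp_name"], $dest)) {
        echo "Stored in: " . htmlspecialchars(dirname($dest));
    } else {
        echo "Could not store the upload";
    }
}

// Constructed inputs, dumped only when the file is run from the command line.
if (PHP_SAPI === "cli") {
    $samples = [["maths", "notes.txt"], ["maths", "../../filename"], ["../..", "x.txt"], ["", "x.txt"]];
    foreach ($samples as [$s, $f]) {
        var_dump(upload_destination("vaksites/uploads", $s, $f));
    }
}
```

With the '../../filename' input from the reply above, the file is stored as 'filename' inside the subject folder, while a subject of '../..' or an empty subject is rejected outright.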