File upload from a form / upload_tmp_dir query


  1. #1

    File upload from a form / upload_tmp_dir query

    Hi Everyone

    This is my first day with PHP and, not surprisingly, I've run into a problem
    :-)

    I want to allow file uploads to the server without exposing the
    non-technical end-users to FTP settings, file naming protocols, etc. I've
    found the following from http://www.zend.com/manual/features.file-upload.php
    ....

    HTML FILE (uploadtest.html)

    <form enctype="multipart/form-data" action="uploadtest.asp" method="POST">
    Send this file: <input name="userfile" type="file">
    <input type="submit" value="Send File">
    </form>

    PHP FILE (uploadtest.php)

    <?php
    // In PHP earlier than 4.1.0, $HTTP_POST_FILES should be used instead of
    // $_FILES. In PHP earlier than 4.0.3, use copy() and is_uploaded_file()
    // instead of move_uploaded_file

    $uploaddir = '/var/www/uploads/';
    // 'name' is supplied by the client; basename() drops any directory part
    // so the target stays inside $uploaddir.
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

    print "<pre>";
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        print "File is valid, and was successfully uploaded. ";
        print "Here's some more debugging info:\n";
        print_r($_FILES);
    } else {
        print "Possible file upload attack! Here's some debugging info:\n";
        print_r($_FILES);
    }
    print "</pre>";
    ?>

    END OF CODE

    I select a file to upload and the delay in submitting the form suggests that
    the file has been sent. But I always get the "possible file upload attack"
    result. The file info shows the correct filename and type but the filesize
    is always '0' and the 'tmp_name' is always 'none'.

    Assuming this was the problem I did some digging using phpinfo(). The
    version is 4.1.2 so I seem to be using the right commands as per the
    instructions with the code. But the 'upload_tmp_dir' variable is NOT SET
    which I think might be the problem.

    So, with apologies for taking so long to get here, I have two queries...

    1) Is there anything wrong with the code I'm using?
    2) Where do uploaded files go if 'upload_tmp_dir' is not set and how can I
    bypass this without access to the server (shared hosting)?

    Any help would be appreciated.

    Many thanks

    Tim.

    --
    My real e-mail address is tim218 before the at followed by supermail.org.uk.


    Tim218 Guest
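
Added example, not part of the original thread or of the manual page it quotes: a handler that works out why an upload failed before it trusts `tmp_name`, covering the symptom reported in post #1 (size 0, `tmp_name` of 'none'). The names `handle_upload` and `UPLOAD_ERRORS` and the sample array are assumptions constructed for illustration; the `error` element was added in PHP 4.2.0, so on 4.1.2 only the size and `tmp_name` check applies.

```php
<?php
// Added example (not from the original thread): diagnose a failed upload
// before trusting any field of the $_FILES entry, then store it safely.

const UPLOAD_ERRORS = [
    UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
    UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE set in the form',
    UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
    UPLOAD_ERR_NO_FILE    => 'no file was sent',
    UPLOAD_ERR_NO_TMP_DIR => 'no temporary directory is available',
    UPLOAD_ERR_CANT_WRITE => 'failed to write the file to disk',
];

// handle_upload() is a hypothetical helper; returns [bool $ok, string $message].
function handle_upload(array $file, string $uploadDir): array
{
    // PHP >= 4.2.0 reports why an upload failed in the 'error' element.
    $error = $file['error'] ?? null;
    if ($error !== null && $error !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed: ' . (UPLOAD_ERRORS[$error] ?? "error code $error")];
    }
    // Older versions have no 'error' element; a failed upload shows up as
    // size 0 and tmp_name 'none' (or empty), as in the output described above.
    $tmp = $file['tmp_name'] ?? '';
    if ($tmp === '' || $tmp === 'none' || (int) ($file['size'] ?? 0) === 0) {
        return [false, 'Upload failed before the script ran: no temporary file was stored'];
    }
    if (!is_uploaded_file($tmp)) {
        return [false, 'tmp_name does not refer to a file uploaded in this request'];
    }
    // The client chooses 'name': keep only the last path component and a
    // conservative character set so it cannot leave $uploadDir.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name'] ?? ''));
    if ($name === '' || $name[0] === '.') {
        return [false, 'Rejected file name'];
    }
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $target)) {
        return [false, 'Could not move the upload into ' . $uploadDir];
    }
    return [true, 'Stored as ' . $target];
}

// Constructed sample mirroring the failing request in the question.
$sample = ['name' => 'report.doc', 'type' => 'application/msword',
           'tmp_name' => 'none', 'size' => 0];
[$ok, $message] = handle_upload($sample, '/var/www/uploads/');
echo ($ok ? 'OK: ' : 'FAILED: ') . $message . "\n";
```

When `upload_tmp_dir` is not set, PHP falls back to the system's default temporary directory, so an unset value alone does not explain a failed upload.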

  3. #2

    Re: File upload from a form / upload_tmp_dir query

    Sorry the form action should be uploadtest.php not uploadtest.asp (still
    getting the bad M$ habits out of my head!!).

    Tim.

    --
    My real e-mail address is tim218 before the at followed by supermail.org.uk.


    Tim218 Guest

  4. #3

    Re: File upload from a form / upload_tmp_dir query

    Hi Everyone

    I've now solved the problem.

    Many thanks

    Tim.

    --
    My real e-mail address is tim218 before the at followed by supermail.org.uk.


    Tim218 Guest

  5. #4

    Re: File upload from a form / upload_tmp_dir query

    Thus spoke Tim218:
    > Hi Everyone

    Hi Tim,

    > I've now solved the problem.

    Would you be so kind as to let us in on the details of your solution?

    > Many thanks

    You're welcome. :-)



    Thomas Mlynarczyk Guest

  6. #5

    Re: File upload from a form / upload_tmp_dir query

    Hi

    I'm afraid I couldn't resolve the PHP problem which I think was caused by
    the temporary directory setting on the server not being set (I don't have
    admin control over the server).

    On this occasion I went back to an ASP solution which had been my original
    plan. The phpinfo() function proved useful as it let me know the server was
    running Chili!ASP and once I knew this I was able to find details of its
    built-in file upload function.

    But my brief introduction to PHP has convinced me that it is the way forward
    and that my first major ASP project should be my last. So hopefully I will
    see you all in here again soon.

    Best wishes

    Tim.

    --
    My real e-mail address is tim218 before the at followed by supermail.org.uk.



    Tim218 Guest
