[Wylug-help] PHP file upload problem
Gary Stainburn
gary.stainburn at ringways.co.uk
Mon May 23 17:34:56 BST 2005
Hi folks.
I've decided to have a look at writng a page with a file upload form on
it. I've lifted the example form and handler direct from the PHP docs,
and it has worked once.
However, it now does not work, nor can I get enough info on how to fix
it. Below is the page I'm using, along with the output I'm getting.
The bit that looks dodgy is the tmp_name field.
<file upload form>
uploadfile=/var/www/html/stainburn.com/uploads/bookmarks.html
Possible file upload attack!
Here is some more debugging info:Array
(
[userfile] => Array
(
[name] => bookmarks.html
[type] => text/html
[tmp_name] => none
[size] => 0
)
)
<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="/upload.html" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input name="submit" type="submit" value="Send File" />
</form>
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
instead
// of $_FILES.
$uploaddir = '/var/www/html/stainburn.com/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
echo
"uploadfile=$uploadfile<br>tmp_name=".$_FILES['userfile']['tmp_filename']."<p>";
echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($_FILES);
print "</pre>";
?>
--
Gary Stainburn
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
More information about the Wylug-help
mailing list