[Wylug-help] PHP file upload problem
Dave Brotherstone
davebrotherstone at gmail.com
Mon May 23 20:35:20 BST 2005
Just check that you have file_uploads set to on in your php.ini, and
that the maximum size (in php.ini) is bigger than your file (presuming
bookmarks.html contains the obvious, it should be). Other than that I
can't see anything obvious in the source.
Dave.
On 23/05/05, Gary Stainburn <gary.stainburn at ringways.co.uk> wrote:
> Hi folks.
>
> I've decided to have a look at writing a page with a file upload form on
> it. I've lifted the example form and handler direct from the PHP docs,
> and it has worked once.
>
> However, it now does not work, nor can I get enough info on how to fix
> it. Below is the page I'm using, along with the output I'm getting.
> The bit that looks dodgy is the tmp_name field.
>
> <file upload form>
>
> uploadfile=/var/www/html/stainburn.com/uploads/bookmarks.html
>
> Possible file upload attack!
> Here is some more debugging info:Array
> (
> [userfile] => Array
> (
> [name] => bookmarks.html
> [type] => text/html
> [tmp_name] => none
> [size] => 0
> )
>
> )
>
> <!-- The data encoding type, enctype, MUST be specified as below -->
> <form enctype="multipart/form-data" action="/upload.html" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input name="submit" type="submit" value="Send File" />
> </form>
> <?php
> // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
> // instead of $_FILES.
>
> $uploaddir = '/var/www/html/stainburn.com/uploads/';
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>
> echo "uploadfile=$uploadfile<br>tmp_name=" . $_FILES['userfile']['tmp_name'] . "<p>";
> echo '<pre>';
> if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
> echo "File is valid, and was successfully uploaded.\n";
> } else {
> echo "Possible file upload attack!\n";
> }
>
> echo 'Here is some more debugging info:';
> print_r($_FILES);
>
> print "</pre>";
>
> ?>
> --
> Gary Stainburn
>
> This email does not contain private or confidential material as it
> may be snooped on by interested government parties for unknown
> and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
>
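The checks suggested in the reply, as an added example that is not part of the original thread: it reports why PHP stored no file instead of printing "Possible file upload attack!" for every failure. `diagnose_upload()` is a hypothetical helper, and the code assumes PHP 7 or later; the `error` key it reads exists from PHP 4.2.0 and is absent from the dump in the post.

```php
<?php
// Added example: explain why an upload failed before calling move_uploaded_file().
// diagnose_upload() is a hypothetical helper, not part of PHP or the original post.

function diagnose_upload(array $file): string
{
    // The 'error' key exists from PHP 4.2.0; the dump in the post has none.
    if (isset($file['error'])) {
        $messages = [
            UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
            UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE set in the form',
            UPLOAD_ERR_PARTIAL    => 'file was only partially received',
            UPLOAD_ERR_NO_FILE    => 'no file was sent',
            UPLOAD_ERR_NO_TMP_DIR => 'no temporary directory (check upload_tmp_dir)',
            UPLOAD_ERR_CANT_WRITE => 'could not write the temporary file to disk',
        ];
        if ($file['error'] !== UPLOAD_ERR_OK) {
            return $messages[$file['error']] ?? 'upload error code ' . $file['error'];
        }
    }
    // Older PHP signals failure only through tmp_name "none" (or empty) and size 0.
    $tmp = $file['tmp_name'] ?? '';
    if ($tmp === '' || $tmp === 'none' || (int) ($file['size'] ?? 0) === 0) {
        if (!ini_get('file_uploads')) {
            return 'file_uploads is off in php.ini';
        }
        return 'PHP stored no file: check upload_max_filesize ('
            . ini_get('upload_max_filesize') . '), MAX_FILE_SIZE and upload_tmp_dir';
    }
    // Only here does a failure point at a path that did not come from this upload.
    if (!is_uploaded_file($tmp)) {
        return 'tmp_name is not a file uploaded in this request';
    }
    return 'ok';
}

// Constructed sample: the $_FILES['userfile'] entry as dumped in the post.
$sample = ['name' => 'bookmarks.html', 'type' => 'text/html',
           'tmp_name' => 'none', 'size' => 0];
echo diagnose_upload($sample), "\n";
```

In a real handler, call `move_uploaded_file()` only when the helper returns `ok`, and log the returned reason otherwise.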