[PHP] Image Uploads being corrupted
Hey guys,

I got my uploads to work thanks to some people's help here in this newsgroup, but now I'm having a problem with the files being corrupted upon upload. Not sure why. Any help would be greatly appreciated. I have included my code again if it helps any.

    function UploadImage(){
        global $HTTP_POST_FILES;
        global $ImageFile;
        reset($HTTP_POST_FILES);
        $pic_file = $HTTP_POST_FILES['ImageFile'];
        copy ($pic_file['tmp_name'], "../images/$ImageFile_name");
    }

    <FORM ACTION="<?php echo $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
    <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100">
    <Input Type="File" Name="ImageFile">
    <Input Type="Submit" Name="Submit">
    </FORM>

I've found that just doing this seems to do the same:

    function UploadImage(){
        global $ImageFile;
        copy ($ImageFile, "../images/$ImageFile_name");
    }

Thanks
Ryan Stephens

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Image Uploads being corrupted
The funny thing is this: the information is being inserted into the database... the file is being uploaded (as I can see it in the directory).

I can get results from
    $ImageFile
    $ImageFile_name
    $ImageFile_size

but I can't get a result for
    $ImageFile_type

This comes up blank. There is obviously some connection, but just not sure what.

Ryan

Andrey Hristov [EMAIL PROTECTED] wrote in message news:0b0c01c177e5$f0e15580$0b01a8c0@ANDreY...
> The problem is that you do global only for $ImageFile, but not for $ImageFile_name.
> A big flaw is that if someone makes a form
>
>     <FORM ACTION="<?php echo $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
>     <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100">
>     <Input Type="text" Name="ImageFile__name" value="../../../../etc/passwd">
>     <Input Type="Submit" Name="Submit">
>     </FORM>
>
> maybe they can make a big shot. Depends on which user Apache is running under.
> The best technique is to use $HTTP_POST_FILES. Since PHP 4.1.0 there will be a new name for it: $_FILES. This array will be global, so there is no need to write global $_FILES. The same is done for $_GET, $_POST, $_COOKIE. $_REQUEST is a merged array of $_GET, $_POST, $_COOKIE in the order of gpc (from php.ini).
>
> Regards,
> Andrey Hristov
> IcyGEN Corporation
> http://www.icygen.com
> BALANCED SOLUTIONS
>
> ----- Original Message -----
> From: Ryan Stephens [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, November 28, 2001 10:12 AM
> Subject: [PHP] Image Uploads being corrupted
>
> Hey guys,
>
> I got my uploads to work thanks to some people's help here in this newsgroup, but now I'm having a problem with the files being corrupted upon upload. Not sure why. Any help would be greatly appreciated. I have included my code again if it helps any.
>
>     function UploadImage(){
>         global $HTTP_POST_FILES;
>         global $ImageFile;
>         reset($HTTP_POST_FILES);
>         $pic_file = $HTTP_POST_FILES['ImageFile'];
>         copy ($pic_file['tmp_name'], "../images/$ImageFile_name");
>     }
>
>     <FORM ACTION="<?php echo $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
>     <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100">
>     <Input Type="File" Name="ImageFile">
>     <Input Type="Submit" Name="Submit">
>     </FORM>
>
> I've found that just doing this seems to do the same:
>
>     function UploadImage(){
>         global $ImageFile;
>         copy ($ImageFile, "../images/$ImageFile_name");
>     }
>
> Thanks
> Ryan Stephens
[PHP] Problem Solved
I figured I would post my solution to the problem that I found somewhere. It had nothing to do with anything I was doing. It's a bug in some versions of PHP. Here is the function I had to use to fix this:

    function fix_php_upload_bug($tmp){
        $infile=fopen($tmp,"r"); // Open the file for the copy
        $outfile=fopen("$tmp.new","w"); // create a new temp file
        $header=fgets($infile,255); //get the 1st line (netscape sometimes doesn't add a Content-type line)
        //if its more than just a \r\n sequence then
        if (strlen($header)>2) $header=fgets($infile,255); //get next line also
        while(!feof($infile)) { // Loop through the remaining file
            $temp=fread($infile,128);
            fwrite($outfile,$temp,strlen($temp)); //copying contents to new temp file
        }
        fclose($outfile);
        fclose($infile);
        copy("$tmp.new",$tmp); //replace the original with our new bug fixed file
        unlink("$tmp.new"); //and delete the new file
        return $tmp;
    }

Ryan

Andrey Hristov [EMAIL PROTECTED] wrote in message news:0b4501c177eb$8b02c900$0b01a8c0@ANDreY...
> As I showed by this:
>
>     <FORM ACTION="http://your.domain.com/your.script.php" Method="Post" ENCTYPE="multipart/form-data">
>     <Input Type="text" Name="ImageFile_name" value="../../../../etc/passwd">
>     <Input Type="Submit" Name="Submit">
>     </FORM>
>
> I can write this in a simple HTML page, press the submit button, and instead of a file you will receive $ImageFile_name as a text variable. I can write anything in it, but you rely on PHP having made it. No, PHP didn't. Also, in such a form $ImageFile_tmpname can be supplied, and if someone does this:
>
>     <?php echo (implode('',file($ImageFile_tmpname))); ?>
>
> the /etc/passwd file can be shown easily.
> My suggestion: rely on $HTTP_POST_FILES. Yes, it is long to type, but it's secured. Also, as I said, since the new PHP 4.1.0 there will be a $_FILES array, the equivalent of $HTTP_POST_FILES (which will exist also).
> The GD extension is used for dynamic construction of jpg, png, gif (up to some 1.x version). The constructed image can be saved to a file or sent to the browser. GetImageSize() is one of the many functions provided by GD.
> http://www.php.net/manual/en/ref.image.php
>
> Best regards,
> Andrey Hristov
>
> ----- Original Message -----
> From: Ryan Stephens (Hotmail) [EMAIL PROTECTED]
> To: Andrey Hristov [EMAIL PROTECTED]
> Sent: Wednesday, November 28, 2001 10:51 AM
> Subject: Re: [PHP] Image Uploads being corrupted
>
> This means nothing to me... sorry, I've only been working with PHP for a couple of weeks, and a few months of web learning. The site I'm working on is hosted by some other guy, so I don't have access to it if I had to change anything there.
>
> Why is $ImageFile a possible security hole?
> What is the GD extension?
>
> I don't need to find the type... I just used that as a test to see if that might have anything to do with my corrupted file problem. And I found that all the information being entered into the database re: its name and size is fine... but it won't return a type... I'm thinking if it can't return a type (but still uploads the file) there must be a connection to it being corrupt.
>
> Ryan
>
> ----- Original Message -----
> From: Andrey Hristov [EMAIL PROTECTED]
> To: Ryan Stephens [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Wednesday, November 28, 2001 12:46 AM
> Subject: Re: [PHP] Image Uploads being corrupted
>
> If you have the GD extension built into your PHP, use it to find the type (if you are limited to jpeg/gif/png files).
> I want to say again that using $ImageFile* is a possible security hole.
>
> Regards,
> Andrey Hristov
>
> ----- Original Message -----
> From: Ryan Stephens [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, November 28, 2001 10:39 AM
> Subject: Re: [PHP] Image Uploads being corrupted
>
> The funny thing is this: the information is being inserted into the database... the file is being uploaded (as I can see it in the directory).
>
> I can get results from
>     $ImageFile
>     $ImageFile_name
>     $ImageFile_size
>
> but I can't get a result for
>     $ImageFile_type
>
> This comes up blank. There is obviously some connection, but just not sure what.
>
> Ryan
>
> Andrey Hristov [EMAIL PROTECTED] wrote in message news:0b0c01c177e5$f0e15580$0b01a8c0@ANDreY...
> > The problem is that you do global only for $ImageFile, but not for $ImageFile_name.
> > A big flaw is that if someone makes a form
> >
> >     <FORM ACTION="<?php echo $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
> >     <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100">
> >     <Input Type="text" Name="ImageFile__name" value="../../../../etc/passwd">
> >     <Input Type="Submit" Name="Submit">
> >     </FORM>
> >
> > maybe they can make a big shot. Depends on which user Apache is running under.
> > The best technique is to use $HTTP_POST_FILES. Since PHP 4.1.0 there will be a new name for it: $_FILES. This array will be global, so
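
The handling recommended in the quoted replies above (take the upload only from the array PHP fills in, $HTTP_POST_FILES / $_FILES, and never from request variables such as $ImageFile_name) can be written as follows. This is an added example, not code from any message in the thread; the function name store_uploaded_image, the field name and the destination directory are assumptions, and it uses the $_FILES name and functions of current PHP rather than the 4.x releases discussed here.

```php
<?php
// Added example, not code from the thread. The function name, the field
// name and the destination directory are assumptions for illustration.

function store_uploaded_image(array $files, string $field, string $destDir): string
{
    // Use only the upload array PHP populated itself ($_FILES), never
    // request variables such as $ImageFile or $ImageFile_name.
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException("no file uploaded in field $field");
    }
    $f = $files[$field];

    // A missing, non-integer (array-style field) or non-zero error code
    // all mean there is no usable upload.
    if (($f['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }

    // True only for a file PHP received through an HTTP POST upload, so a
    // forged path such as /etc/passwd is rejected here.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Decide the type from the file content, not from the client-supplied
    // name or type fields.
    $info = getimagesize($f['tmp_name']);
    $extensions = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($extensions[$info[2]])) {
        throw new RuntimeException('not a GIF, JPEG or PNG image');
    }

    // Server-generated name: the client's file name never reaches the
    // filesystem, so "../" sequences in it have no effect.
    $name = bin2hex(random_bytes(16)) . '.' . $extensions[$info[2]];
    $target = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $name; // store this value in the database, not $f['name']
}

// Usage in the form handler (field name as in the form posted above):
// $stored = store_uploaded_image($_FILES, 'ImageFile', __DIR__ . '/../images');
```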
Re: [PHP] Newbie Image upload question
OK... I've tried this but no go:

    function UploadImage(){
        global $HTTP_POST_FILES;
        global $image;
        reset($HTTP_POST_FILES);
        $pic_file = $HTTP_POST_FILES['image'];
        copy ($pic_file['tmp_name'], "../images");
    }

    <FORM ACTION="<?php echo $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
    <Input Type="File" Name="$image">
    <Input Type="Submit" Name="Submit">
    </FORM>

All I get returned is an empty filename () and an error.

Please help!

Ryan

Hank Marquardt [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> http://www.php.net/manual/en/features.file-upload.php
>
> On Tue, Nov 27, 2001 at 08:14:48PM -0800, Ryan Stephens wrote:
> > Hey guys...
> >
> > I'm new to PHP and am trying to upload images to the server and store the file name into a MySQL database... but I don't have a clue how to do this... all I know is I need to use Input Type=File. Other than that I'm lost. Any help would be great.
> >
> > Thanks
> > Ryan Stephens
>
> --
> Hank Marquardt [EMAIL PROTECTED]
> http://web.yerpso.net
> GPG Id: 2BB5E60C
> Fingerprint: D807 61BC FD18 370A AC1D 3EDF 2BF9 8A2D 2BB5 E60C
> *** Web Development: PHP, MySQL/PgSQL - Network Admin: Debian/FreeBSD
> *** PHP Instructor - Intnl. Webmasters Assn./HTML Writers Guild
> *** Beginning PHP -- Starts January 7, 2002
> *** See http://www.hwg.org/services/classes
Re: [PHP] Newbie Image upload question
Sorry... I changed

    <Input Type="File" Name="$image">

to

    <Input Type="File" Name="image">

but still no luck. It returns Array as the file name and doesn't upload the file.

What's up??

Ryan

Ryan Stephens [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> OK... I've tried this but no go:
>
>     function UploadImage(){
>         global $HTTP_POST_FILES;
>         global $image;
>         reset($HTTP_POST_FILES);
>         $pic_file = $HTTP_POST_FILES['image'];
>         copy ($pic_file['tmp_name'], "../images");
>     }
>
>     <FORM ACTION="<?php echo $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
>     <Input Type="File" Name="$image">
>     <Input Type="Submit" Name="Submit">
>     </FORM>
>
> All I get returned is an empty filename () and an error.
>
> Please help!
>
> Ryan
>
> Hank Marquardt [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > http://www.php.net/manual/en/features.file-upload.php
> >
> > On Tue, Nov 27, 2001 at 08:14:48PM -0800, Ryan Stephens wrote:
> > > Hey guys...
> > >
> > > I'm new to PHP and am trying to upload images to the server and store the file name into a MySQL database... but I don't have a clue how to do this... all I know is I need to use Input Type=File. Other than that I'm lost. Any help would be great.
> > >
> > > Thanks
> > > Ryan Stephens
> >
> > --
> > Hank Marquardt [EMAIL PROTECTED]