Re: [PHP] file uploads grief on linux, but okay on BSD
Are you using move_uploaded_file() to move the file into place? On Thu, 6 Sep 2001, Justin French wrote: Hi all, My understanding of the whole file uploading thing is not fantastic, and i'm unsure where to go next with this one. I have a file-upload script which works fine on my test server (FreeBSD/PHP4/MySQL/Apache)... when I upload the script to my host, change the config as needed (different document root), the script falls over with the following warning: --- Warning: SAFE MODE Restriction in effect. The script whose uid is 10619 is not allowed to access /tmp/phpMHBFJk owned by uid 0 in /usr/local/plesk/apache/vhosts/soundpimps.com/httpdocs/admin/inc/pimp_add_pic.php on line 112 --- The script DOES NOT upload the image as a blob into MySQL, it just copies the file into a directory i have specified. To me, it looks like the permissions for PHP's temp directory (where file uploads temporarily go??) are not right, so I should be contacting the Hosting ISP. But before I do, I want to make sure this is the case, or find out if there are any work arounds that enable me to skip the whole temp dir thing. Maybe I've got it all wrong. The target server is a Linux box. Justin French Indent.com.au -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] file uploads grief
Hi all,
I know this topic get's covered all the time, but i've copied this code
direct from the online manual, and it still fails to work!!
My environment is PHP4.0.1, under FreeBSD.
To my knowledge, NONE of the php.ini file has been changed at all, and
the rest of PHP has been working finr for 6 months, although this is the
first time i've attempted file uploads.
This code is in the php manual:
The HTML form:
---
FORM ENCTYPE=multipart/form-data ACTION=upload.php METHOD=POST
INPUT TYPE=hidden name=MAX_FILE_SIZE value=5000
Send this file: INPUT NAME=userfile TYPE=fileBR
INPUT TYPE=submit VALUE=Send File
/FORM
---
The PHP code (as I understand from the man page, PHP4 4.0.2 requires
different code. Since i'm on 4.0.1, I've used this block of code, which
I believe is the correct code for my environment), copied accross line
for line.
---
/* Userland test for uploaded file. */
function is_uploaded_file($filename){
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file .= '/' . basename($filename);
/* User might have trailing slash in php.ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
if (is_uploaded_file($userfile)) {
copy($userfile, /usr/local/share/doc/apache/tests/images);
//changed this line for new file location
echo file uploaded successfully; //
added this line
} else {
echo Possible file upload attack: filename '$userfile'.;
}
}
The Errors:
With the above code, I get this error when I submit:
---
Warning: Max file size exceeded - file [userfile] not saved in Unknown
on line 0
Possible file upload attack: filename 'none'.
---
So I commented out INPUT TYPE=hidden name=MAX_FILE_SIZE
value=5000 in the HTML for the moment. What does 5000 represent?
Bytes? KiloBytes?
With this line commented out, I get:
---
Possible file upload attack: filename '/var/tmp/phpzlv472'.
---
The image i'm attempting to upload is a 44k GIF file from via Netscape
4.6 on a Mac, but I can't see that this is the problem, since I've never
been refused an upload at any website.
What I've tried:
I've read all the documentation I could find online
I've tried different permission settings for the target directory
I've looked for a simple upload script at all the usual PHP sites, but
couldn't find anything that wasn't mega complex.
Questions:
I find it hard to believe it's the code that is the problem, since it's
copied striaght from the website, so maybe it's a problem on my server,
or something else i'm missing. Any ideas? What else SHOULD I add to
this code (once it's functional) to handle errors properly, etc etc.
Many thanks in advance
Justin French
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] file uploads grief
the 5000 represent byter try making it 500 i.e 5 megabytes i think
the file you are trying to upload might be bigger than 5k and 5M is safe
you can keep the fileseize fixed to a large value to be safe. and instead
all the fancy code just try the move_uploaded_file() command to see if it
works
Good luck!
On Sat, 21 Jul 2001, Justin French wrote:
Hi all,
I know this topic get's covered all the time, but i've copied this code
direct from the online manual, and it still fails to work!!
My environment is PHP4.0.1, under FreeBSD.
To my knowledge, NONE of the php.ini file has been changed at all, and
the rest of PHP has been working finr for 6 months, although this is the
first time i've attempted file uploads.
This code is in the php manual:
The HTML form:
---
FORM ENCTYPE=multipart/form-data ACTION=upload.php METHOD=POST
INPUT TYPE=hidden name=MAX_FILE_SIZE value=5000
Send this file: INPUT NAME=userfile TYPE=fileBR
INPUT TYPE=submit VALUE=Send File
/FORM
---
The PHP code (as I understand from the man page, PHP4 4.0.2 requires
different code. Since i'm on 4.0.1, I've used this block of code, which
I believe is the correct code for my environment), copied accross line
for line.
---
/* Userland test for uploaded file. */
function is_uploaded_file($filename) {
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file .= '/' . basename($filename);
/* User might have trailing slash in php.ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
if (is_uploaded_file($userfile)) {
copy($userfile, /usr/local/share/doc/apache/tests/images);
//changed this line for new file location
echo file uploaded successfully; //
added this line
} else {
echo Possible file upload attack: filename '$userfile'.;
}
}
The Errors:
With the above code, I get this error when I submit:
---
Warning: Max file size exceeded - file [userfile] not saved in Unknown
on line 0
Possible file upload attack: filename 'none'.
---
So I commented out INPUT TYPE=hidden name=MAX_FILE_SIZE
value=5000 in the HTML for the moment. What does 5000 represent?
Bytes? KiloBytes?
With this line commented out, I get:
---
Possible file upload attack: filename '/var/tmp/phpzlv472'.
---
The image i'm attempting to upload is a 44k GIF file from via Netscape
4.6 on a Mac, but I can't see that this is the problem, since I've never
been refused an upload at any website.
What I've tried:
I've read all the documentation I could find online
I've tried different permission settings for the target directory
I've looked for a simple upload script at all the usual PHP sites, but
couldn't find anything that wasn't mega complex.
Questions:
I find it hard to believe it's the code that is the problem, since it's
copied striaght from the website, so maybe it's a problem on my server,
or something else i'm missing. Any ideas? What else SHOULD I add to
this code (once it's functional) to handle errors properly, etc etc.
Many thanks in advance
Justin French
--
Saquib Farooq
@
Systems @ SDNPK
Islamabad
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
