Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Help with file upload

0 views
Skip to first unread message

Bunmi Akinmboni

unread,
Oct 16, 2003, 12:20:38 AM10/16/03
to php...@lists.php.net
Pls Help.
I have done a lot of reading prior to this yet I just can't seem make it
work. I wrote an upload program as seen below but the response I got was:

Possible file upload attack. Filename: ayservenet.jpg Array ( [ufile1]
=> Array ( [name] => ayservenet.jpg [type] => image/pjpeg [tmp_name] =>
/tmp/phpIMEhdh [error] => 0 [size] => 3030 ) )

My codes are:
File UPLOAD.HTM:
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<form method="post" action="fuprocess.php" enctype="multipart/form-data">
<input type="file" name="ufile1" size="20">
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>

File FUPROCESS.PHP:
<?php
// In PHP earlier then 4.1.0, $HTTP_POST_FILES should be used instead
of $_FILES.
// $realname = $_FILES['ufile1']['name'];

if (is_uploaded_file($_FILES['ufile1']['name'])) {
copy($_FILES['ufile1']['name'], ".");
echo "$ufile1_name ";
echo "DONE";
echo " ";
print_r($_FILES);
} else {
echo "Possible file upload attack. Filename: " .
$_FILES['ufile1']['name'];
echo " ";
print_r($_FILES);
}
?>

Thanks.
--
'Bunmi Akinmboni
5, Aibu Street, Off Bode Thomas Street,
P.O. Box 6235, Surulere, Lagos, NIGERIA.
Tel: (234) 1-813-3335
Fax: (234) 1-583-2585 (Nigeria Only)
Fax: 1 (309) 285-2383 (International)
Email: bunmi.a...@ayserve.net
Web site: http://www.budelak.com
http://www.ayserve.net

Web Design, Web Hosting, Domain Registration, ICT Consultancy,
Networking, Internet, eCommerce, System Integrator
===================================================

George Patterson

unread,
Oct 16, 2003, 12:59:32 AM10/16/03
to Bunmi Akinmboni, php...@lists.php.net
This in in the php manual
(http://www.php.net/manual/en/features.file-upload.php) but anyway...

The value contained in $_FILES['ufile1']['name'] is not the name of the
temporary file on the server. Try $_FILES['ufile1']['tmp_name'] instead

Hence the lines


if (is_uploaded_file($_FILES['ufile1']['name'])) {
copy($_FILES['ufile1']['name'], ".");

become
if (is_uploaded_file($_FILES['ufile1']['tmp_name'])) {
copy($_FILES['ufile1']['tmp_name'], $_FILES['ufile1']['name']);

That is copy the temporary file to the name that the user specified when
uploading.

BTW: Make sure you move or copy the temporary file before the php script
ends as the temporary file will not exist afterwards.


George Patterson

On Thu, 16 Oct 2003 05:20:38 +0100
Bunmi Akinmboni <bunmi.a...@ayserve.net> wrote:

> Pls Help.
> I have done a lot of reading prior to this yet I just can't seem make
> it work. I wrote an upload program as seen below but the response I
> got was:
>
> Possible file upload attack. Filename: ayservenet.jpg Array ( [ufile1]
>
> => Array ( [name] => ayservenet.jpg [type] => image/pjpeg [tmp_name]
> => /tmp/phpIMEhdh [error] => 0 [size] => 3030 ) )
>
>

Gabriel Peugnet

unread,
Oct 16, 2003, 3:10:03 AM10/16/03
to php...@lists.php.net
I made a mistake in my last message:

The lines that say:
ftp_chdir( $site , $folder );
ftp_site( $site , "chmod $mode $folder" );
should say:
ftp_chdir( $site , $folderbase ); // this is the one that
was wrong
ftp_site( $site , "chmod $mode $folder" );

"Bunmi Akinmboni" <bunmi.a...@ayserve.net> escribió en el mensaje
news:2003101604224...@pb1.pair.com...

Gabriel Peugnet

unread,
Oct 16, 2003, 3:34:36 AM10/16/03
to php...@lists.php.net
The message "About security" is for "Help with file upload".
I placed the message outside.

Gabriel Peugnet

unread,
Oct 16, 2003, 3:14:17 AM10/16/03
to php...@lists.php.net
Have in mind that some permissions can be changed only via FTP but some
other can only be changed useing chmod().

If you want more security you should set the permission in the moment of the
upload and change it again after it.

0 new messages