file upload - not so simple...

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • TomR
    #1

    file upload - not so simple...

    I can't find an answer to a seemingly simple question. I have three files:

    form.php:
    <form enctype="multip art/form-data" action="process .php" method="POST">
    <input type="hidden" name="MAX_FILE_ SIZE" value="1024000" />
    Send this file: <input name="userfile" type="file" />
    <input type="submit" name="Submit" value="Send File" />
    </form>

    index.php:
    if ($mode == 'addfile') include ('form.php');

    process.php:
    if ($Submit == "Send File") {
    $uploaddir = '/katalog/';
    $uploadfile = $uploaddir . basename($_FILE S['userfile']['name']);
    echo '<pre>';
    if (move_uploaded_ file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
    } else { echo "Possible file upload attack!\n";}
    echo 'Here is some more debugging info:';
    print_r($_FILES );
    print "</pre>";}

    When I run form.php - the upload is working fine, I don't understand why the
    identical form, which is printed at "index.php?mode =addfile", doesn't work
    (message "Possible file upload attack!", array $_FILES empty). The same
    happens when the upload form is printed with "echo" instead of "include
    ('form.php')". Does anyone know what is going on?

    I'll appreciate any hint, cheers!

    Tom


    Tags: None
    • 2metre
      #2
      Re: file upload - not so simple...

      TomR wrote:[color=blue]
      > I can't find an answer to a seemingly simple question. I have three files:
      >
      > form.php:
      > <form enctype="multip art/form-data" action="process .php" method="POST">
      > <input type="hidden" name="MAX_FILE_ SIZE" value="1024000" />
      > Send this file: <input name="userfile" type="file" />
      > <input type="submit" name="Submit" value="Send File" />
      > </form>
      >
      > index.php:
      > if ($mode == 'addfile') include ('form.php');
      >
      > process.php:
      > if ($Submit == "Send File") {
      > $uploaddir = '/katalog/';
      > $uploadfile = $uploaddir . basename($_FILE S['userfile']['name']);
      > echo '<pre>';
      > if (move_uploaded_ file($_FILES['userfile']['tmp_name'], $uploadfile)) {
      > echo "File is valid, and was successfully uploaded.\n";
      > } else { echo "Possible file upload attack!\n";}
      > echo 'Here is some more debugging info:';
      > print_r($_FILES );
      > print "</pre>";}
      >
      > When I run form.php - the upload is working fine, I don't understand why the
      > identical form, which is printed at "index.php?mode =addfile", doesn't work
      > (message "Possible file upload attack!", array $_FILES empty). The same
      > happens when the upload form is printed with "echo" instead of "include
      > ('form.php')". Does anyone know what is going on?[/color]

      Where are you expecting the file to be saved? Don't forget filesystem
      function work on the server root (not the document root.)

        Comment

        Previous template Next
        Working...