
Uploading Problems


OJB


Hey all

 

I am currently developing a PHP/MySQL site whereby clients are able to upload certain file types (.zip and .rar) for a specific use.

 

I have written an upload script, but first of all it doesn't seem to be limiting the file types to just zip and rar.

 

Basically what the code does is create a directory for each client (if there isn't one already) based on their user ID, which is stored in their session header... Then, from a form on a different page, it is supposed to upload the file they choose to their directory. It is working correctly in the sense that the files are going to the correct folder, but I can upload any file type at the moment.

 

><?php
$dir  = "/home/*******/public_html/******/upload/";
$dir .= $_SESSION['userID'];

// ['type'] is the MIME type sent by the browser, not one detected from the file contents.
// && binds tighter than ||, so the size limit below only applies to the octet-stream case.
if (($_FILES["thefile"]["type"] == "application/zip")
    || ($_FILES["thefile"]["type"] == "application/x-rar-compressed")
    || ($_FILES["thefile"]["type"] == "application/x-zip-compressed")
    || ($_FILES["thefile"]["type"] == "application/octet-stream")
    && ($_FILES["thefile"]["size"] < 20000000))
{
    if ($_FILES["thefile"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["thefile"]["error"] . "<br />";
    }
    else
    {
        echo "Upload: " . $_FILES["thefile"]["name"] . "<br />";
        echo "Type: " . $_FILES["thefile"]["type"] . "<br />";
        echo "Size: " . ($_FILES["thefile"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["thefile"]["tmp_name"] . "<br />";

        if (file_exists($dir . "/" . $_FILES["thefile"]["name"]))
        {
            echo $_FILES["thefile"]["name"] . " already exists. ";
        }
        else
        {
            move_uploaded_file($_FILES["thefile"]["tmp_name"],
                $dir . "/" . $_FILES["thefile"]["name"]);
            echo "Stored in: " . $dir . "/" . $_FILES["thefile"]["name"];
        }
    }
}
else
{
    echo "Invalid file";
}
?>

 

However, even when I upload MP3s or other file types it still allows the upload.

 

 

Secondly, having created the folder and now having uploaded some files I don't actually want, I can't seem to delete either the folder or the files within. I keep getting a permission denied error in SmartFTP, and nothing happens when I try to delete them through CPanel (legacy) file manager.

 

Surely this shouldn't be happening. When I create the folders I am CHMODing them to 0777 so I should be able to remove the files and directories.

 

 

Any help for a confused little man would go down a charm...

Link to comment
Share on other sites

You also need to change the files being uploaded to 666 permissions to be able to delete them.

 

I would check hotscripts.com for an upload script that you could check out how they are testing MIME types. I've never seen anyone check for a file type as you are doing. Usually you strip the filename into two pieces and test the extension for zip, jpg, mp3, etc...

Link to comment
Share on other sites
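As an added example (not code from the thread or from the script linked in it): `$_FILES[...]['type']` is whatever the browser sends, so the check below accepts a file only when the extension of the client-supplied name is zip or rar and the leading bytes of the file carry the matching archive signature. The function name `classify_archive` and the sample names and byte strings are constructed for illustration; the size limit is the one from the question.

```php
<?php
// Added example: decide from the file's own bytes whether an upload is ZIP or RAR.
// Leading signatures of each format; RAR 4.x and 5.x share their first six bytes.
const ARCHIVE_SIGNATURES = [
    'zip' => ["PK\x03\x04", "PK\x05\x06"],   // local file header / empty archive
    'rar' => ["Rar!\x1A\x07"],
];

/** Returns 'zip' or 'rar' when extension and leading bytes agree, otherwise null. */
function classify_archive(string $tmpPath, string $clientName, int $maxBytes): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ARCHIVE_SIGNATURES)) {
        return null;                          // extension not on the allow list
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;                          // measured on disk, not taken from $_FILES
    }
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8);
    foreach (ARCHIVE_SIGNATURES[$ext] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $ext;
        }
    }
    return null;                              // extension and content disagree
}

// Constructed sample inputs: client file name and the first bytes of the file.
$samples = [
    ['backup.zip', "PK\x03\x04" . str_repeat("\0", 26)],
    ['backup.rar', "Rar!\x1A\x07\x00" . str_repeat("\0", 13)],
    ['song.mp3',   "ID3\x03\x00"],
    ['song.zip',   "ID3\x03\x00"],            // MP3 content renamed to .zip
    ['page.php',   "PK\x03\x04"],             // ZIP bytes, extension not allowed
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $kind = classify_archive($tmp, $name, 20000000);
    // The stored name is generated server-side; the client name is never used as a path.
    $stored = $kind === null ? '(rejected)' : bin2hex(random_bytes(8)) . '.' . $kind;
    printf("%-12s -> %s\n", $name, $stored);
    unlink($tmp);
}
```

In an upload handler the arguments would be `$_FILES['thefile']['tmp_name']` and `$_FILES['thefile']['name']`, checked once `['error']` equals `UPLOAD_ERR_OK` and before `move_uploaded_file()` is called.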

Thanks for the info Bruce.

 

I shall contact the help-desk and get them to delete the files for me for now.

 

The mime-type check I actually got from the w3 school site:

http://www.w3schools.com/php/php_file_upload.asp

 

Most of my upload script is the same, but obviously modified to suit my particular needs.

 

I shall browse hotscripts for a more suitable upload script.

 

 

Cheers again

Link to comment
Share on other sites

I downloaded that upload script you suggested, Bruce. It looks good, but instead of just using it as is I wanted to try to get my head around the code and make sure I understand what is going on.

 

The problem I have at the moment is that I have managed to change the permissions on my uploaded files successfully to 666 (and whatever else I wanted them to be) but I still can't delete the files.

 

The reason for this is not permissions but rather file ownership. All the files I upload have the ownership set to UID: 99 GID: 99.

 

Basically I think this means they are set to "nobody". I already contacted the help desk once and they changed the ownership of the files I had already uploaded and I deleted them. I would rather not contact them again until I have properly sorted this issue and it won't happen again because I don't want to pester them.

 

 

Anyway, can anyone explain how to set the ownership of a file when you upload it? I have tried to use chown() to change the ownership to a different user id AFTER uploading, but I am not permitted to do so. I can't see where this occurs in that script you have linked me to, Bruce. If I could find this out, I think I could even write my own script, or at least tweak that one to my own tastes.

 

At the bottom of this post I have pasted the PHP part of the upload script you linked me to. I can see the file permissions being set here:

 

> $result  =  move_uploaded_file($temp_name, $file_path);
 if (!chmod($file_path,0777))

 

and the permissions of the folder here:

>if (!chmod($upload_dir,0755))
  die ("change permission to 755 failed.");

 

But have no idea where the ownership is done. Any help would be awesome.

 

Cheers guys.

 

 

 

 

>$site_name = $_SERVER['HTTP_HOST'];
$url_dir   = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_this  = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];

$upload_dir = "files/";
$upload_url = $url_dir."/files/";
$message = "";

/************************************************************
 *     Create Upload Directory
 ************************************************************/
if (!is_dir("files")) {
    if (!mkdir($upload_dir))
        die ("upload_files directory doesn't exist and creation failed");
    if (!chmod($upload_dir,0755))
        die ("change permission to 755 failed.");
}

/************************************************************
 *     Process User's Request
 ************************************************************/
// $DELETABLE, $MAX_SIZE and $FILE_EXTS are not defined in the pasted part of the script.
if (!empty($_REQUEST['del']) && $DELETABLE) {
    // Log the delete request
    $resource = fopen("log.txt","a");
    fwrite($resource,date("Ymd h:i:s")."DELETE - $_SERVER[REMOTE_ADDR]"."$_REQUEST[del]\n");
    fclose($resource);

    if (strpos($_REQUEST['del'],"/.")>0)
        ;   // possible hacking
    else if (strpos($_REQUEST['del'],$upload_dir) === false)
        ;   // possible hacking
    else if (substr($_REQUEST['del'],0,6)==$upload_dir) {
        unlink($_REQUEST['del']);
        print "<script>window.location.href='$url_this?message=deleted successfully'</script>";
    }
}
else if (!empty($_FILES['userfile'])) {
    // Log the upload request
    $resource = fopen("log.txt","a");
    fwrite($resource,date("Ymd h:i:s")."UPLOAD - $_SERVER[REMOTE_ADDR]"
        .$_FILES['userfile']['name']." "
        .$_FILES['userfile']['type']."\n");
    fclose($resource);

    $file_type = $_FILES['userfile']['type'];
    $file_name = $_FILES['userfile']['name'];
    $file_ext  = strtolower(substr($file_name,strrpos($file_name,".")));

    //File Size Check
    if ($_FILES['userfile']['size'] > $MAX_SIZE)
        $message = "The file size is over 2MB.";
    //File Extension Check
    else if (!in_array($file_ext, $FILE_EXTS))
        $message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
    else
        $message = do_upload($upload_dir, $upload_url);

    print "<script>window.location.href='$url_this?message=$message'</script>";
}
else if (empty($_FILES['userfile']))
    ;   // nothing was submitted
else
    $message = "Invalid File Specified.";

/************************************************************
 *     List Files
 ************************************************************/
$handle = opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
    if (!is_dir($file) && !is_link($file)) {
        $filelist .= "<a href='$upload_dir$file'>".$file."</a> - URL: <b>$upload_url$file</b>";
        if ($DELETABLE)
            $filelist .= " Added at  ".date("d-m H:i", filemtime($upload_dir.$file))
                ."";
        $filelist .= " <a style='text-decoration:none; font-weight:bold'  href='?del=$upload_dir".urlencode($file)."' title='delete'>x</a>";
        $filelist .= "<br>";
    }
}

function do_upload($upload_dir, $upload_url) {

    $temp_name = $_FILES['userfile']['tmp_name'];
    $file_name = $_FILES['userfile']['name'];
    $file_name = str_replace("\\","",$file_name);
    $file_name = str_replace("'","",$file_name);
    $file_path = $upload_dir.$file_name;

    //File Name Check
    if ($file_name == "") {
        $message = "Invalid File Name Specified";
        return $message;
    }

    $result = move_uploaded_file($temp_name, $file_path);
    if (!chmod($file_path,0777))
        $message = "change permission to 777 failed.";
    else
        $message = ($result) ? "$file_name was uploaded successfully." :
            "Something is wrong with uploading the file.";
    return $message;
}

Link to comment
Share on other sites

  • 2 weeks later...

I thought I would update this in case someone else has the same problem.

 

Today I finally solved the problem. As mentioned before, it was setting the folder ownership to be "nobody".

 

In order to overcome this I used umask():

 

>if (!is_dir($dir))
{
    $oldumask = umask(0);
    mkdir($dir, 0777);
    umask($oldumask);
}

 

Now the folders and files created within them I can remove via FTP, which is a relief.

Link to comment
Share on other sites
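As an added example (not code from the thread): the mode a directory ends up with is the mode passed to `mkdir()` with the bits in the process umask cleared, while its owner is always the user the PHP process runs as. The helper name `make_dir_report`, the temporary paths and the 0770 case are constructed for illustration; 0770 only suits a host where the FTP account shares a group with the PHP process user, which is an assumption.

```php
<?php
// Added example: what umask() changes when PHP creates an upload directory.

/** Creates $dir with the requested mode under the given umask; returns mode bits and owner uid. */
function make_dir_report(string $dir, int $requested, int $mask): array
{
    $old = umask($mask);
    mkdir($dir, $requested);
    umask($old);                       // always restore the process-wide mask
    clearstatcache(true, $dir);
    return [
        'mode'  => sprintf('%04o', fileperms($dir) & 0777),
        'owner' => fileowner($dir),    // uid of the PHP process, whatever the mask
    ];
}

// Work inside a private scratch directory (constructed path).
$base = sys_get_temp_dir() . '/umask_demo_' . bin2hex(random_bytes(4));
mkdir($base, 0700);

$cases = [
    'umask 022, mkdir 0777' => [0777, 0022],   // a common default mask
    'umask 0,   mkdir 0777' => [0777, 0],      // the combination used in the thread
    'umask 0,   mkdir 0770' => [0770, 0],      // owner and group only (see assumption above)
];
$i = 0;
foreach ($cases as $label => [$mode, $mask]) {
    $dir = $base . '/d' . $i++;
    $r = make_dir_report($dir, $mode, $mask);
    printf("%s -> mode %s, owner uid %d\n", $label, $r['mode'], $r['owner']);
    rmdir($dir);
}
rmdir($base);
```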
