I am quite new to php.I was going through an example on file uploading.Here inside getimagesize() function $_FILES['file']['temp_name'] is used.and when i echoed $_FILES['file']['temp_name'] it shows the following output:
C:\xampp\tmp\phpDE4B.tmp
my questions are:
1.why use tmp_name instead of original name inside getimagesize() function.
2.For what reason this tmp_name is created ?
3.How it is generated?
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
$check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
if($check !== false) {
echo "File is an image - " . $check["mime"] . ".";
$uploadOk = 1;
} else {
echo "File is not an image.";
$uploadOk = 0;
}
}
The temporary file is generated as part of the file upload process, handled directly between PHP and the web server.
A temp file is used so that userland code can move the file to its final destination folder on the server - the final destination folder isn't information that can be passed in the http request, or handled by the web server, because it depends entirely on your application. If the file isn't moved to its final destination folder, then the temporary file will be deleted automatically at the end of the request
In this case, the code is part of a validation process to ensure that the file is what it claims to be before moving it to its final destination folder (assuming that it is a valid file).
When some file is uploaded to the server, it is placed in temporary directory to work with it. In order to not have collisions in names temporary name is assigned.
1) You need to pass the path to file to getimagesize(), because you can want to work not only with saved files.
2) Tmp_name is created to avoid collisions, but you can get original name if you need.
3) Just some random generated name inside of a temp directory.
Related
Hi can someone help with this bit of code I am trying use to handle and test my file uploads in PHPMailer? It basically checks that the file is correct and then renames the file name by using the users name plus field name and a date and time. There are multiple files but I am not using a multi uploader but instead separate fields so I can keep a track of which file is which.
The script seems to work and there are no errors in the php error logs but I'm told this is a security flaw in my previous post and that my "pathinfo call should be testing the path to the tmp_name of the actual file and NOT the given original name. This is a serious security flaw."
Unfortunately I'm not sure which of the 2 usages of pathinfo is wrong. If I change $file["name"] to $file["tmp_name"] for $imageFileExt then I don't get a file extension and if I change $file["name"] to $file["tmp_name"] on $imageFileType then I just get wrongfile error. Any help would be much appreciated. Thanks.
foreach ( $_FILES as $key => $file ) {
//get the file extension
$imageFileExt = strtolower( pathinfo( $file["name"], PATHINFO_EXTENSION ) );
//change the name of each file in $_FILES array to
//the persons name plus file field plus date plus time plus file extension
//such as :joe_bloggs_bank_statement_1_9_10_21_10_55.jpg
//and joe_bloggs_pay_slip_1_9_10_21_10_55.jpg
$file['name'] = clean($_POST['appName']). "_" . $key . "_" . $dateKey . "." . $imageFileExt;
// get the file type
$target_file = $target_dir . basename($file["name"]);
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// get file size
$check = getimagesize($file["tmp_name"]);
if($check === false) {
$fileMessage .= $key."=noimage,";
$uploadOk = 0;
}
// Allow certain file formats
else if($imageFileType !== "jpg" && $imageFileType !== "png" && $imageFileType !== "jpeg"
&& $imageFileType !== "gif" ) {
$fileMessage .= $key."=wrongfile,";
$uploadOk = 0;
}
// Check if file already exists
else if (file_exists($target_file)) {
$fileMessage .= $key."=fileexists,";
$uploadOk = 0;
}
// Check file size
else if ($file["size"] > 20000000) { //20mb
$fileMessage .= $key."=toobig,";
$uploadOk = 0;
}
// creates a set of links to the uploaded files on the server
// to be placed in the body of the email (the files themselves do not get attached in the email
$fileString .= strtoupper($key).": <a href='example.com/uploads/".$file['name']."'>".$file['name']."</a><br>";
}
I think you may be confused by the distinction between these things. The file itself is a bunch of bytes provided by the user. Its filename is metadata about that file, also supplied by the user. The tmp_name is also metadata about the file, but is safe because it is not supplied by the user.
At no point are you using move_uploaded_file() or is_uploaded_file(). These are necessary to validate that the uploaded files are real uploaded files that have been handled correctly by PHP before your script is run. That's the very first thing you should do before trusting anything else in $_FILES.
The reason it's important to not trust the name property is that filenames can be used as an attack vector, for example by including path traversal sequences (such as ../), SQL escapes ('), or characters that might do unexpected things if used in shell contexts (\, >, etc). The tmp_name is generated by PHP itself and does not contain user-supplied data, though you need to use the functions mentioned above to ensure that this is real data and not also injected
by the user.
Similarly, the filename can't be relied upon to tell you accurately what type a file is – search for "polyglot files" for why that can be a problem.
You don't show what's in your clean() function, so we can't say whether what it does is effective.
In your previous question I referred you to the PHPMailer send file upload example. This shows how to handle an upload safely. For example, it takes whatever name is provided and hashes it, producing a string that is guaranteed to be safe from user-supplied data that is not.
How to upload default image file in folder PHP? I am trying to upload selected file or default file in particular folder, but I can't make good.
target_file = $target_dir . time()."_abc.jpg";
or
basename($_FILES["files"]["name"]="abc.jpg";
You cannot upload directly by using the filename. Every file has a temporary path where it is stored when it is uploaded. this is referred to by tmp_name. You'll have to upload this tmp_name to the specific directory. Consider below code:
$target_file = $target_dir . time()."_abc.jpg";
if (file_exists($target_file)) {
if (move_uploaded_file($_FILES['files']['tmp_name'], $target_file)) {
echo "File Uploaded";
} else {
echo "File Not Uploaded";
}
}
Hope this helps.
Its not clear about the scenario in which you are trying to upload default file or selected file. Generally if one selected a file then only the need to upload the file arises otherwise you just keep a default file in folder and show that. If you are concerned about file uploads in php,
you need to follow certain procedures to upload files into folder using any programming language. For the case of PHP first need to check in php.ini whether
file_uploads = On if it is On then you can proceed for file uploading. The form should enable enctype to enctype="multipart/form-data"
Next you can restrict the image format that is to be uploaded, image size etc based on different php functions belong to $_FILES variable.
Please refer this
https://www.w3schools.com/Php/php_file_upload.asp
I am completely a novice in all this ...
I have created a Social Networking project in which there is a module which allows user to upload photos..
I have hosted this project in my college server
I access that server using bitvise client with my server credentials.
My problem is i don't know how to setup upload mechanism for remote server ... In my localhost i simply use
move_uploaded_file($_FILES['file']['tmp_name'],$target_file);
function but i don't know how to do this for remote server ...
I tried FTP by looking at some tutorials but that didn't worked for me.
In my project structure there is a directory
users/user_id (diff for all users)/photos
here i want to place the uploaded files....
A proper description with example and proper functioning might be very helpful for me.... Thank you
EDIT:
Below is my code.
Photos.php
<form class="input-group-btn" method="post" action="editPhotos.php"enctype="multipart/form-data" id="myForm">
<input type="file" name="file" id="imgInp">
<button type="submit" class="btn btn-primary" name="form-submit">Done</button>
</form>
editPhotos.php
if( isset($_POST['form-submit']) ){
$target_file = "users/".$email."/pictures/Photos/" . basename($_FILES["file"]["name"]);
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
move_uploaded_file($_FILES['file']['tmp_name'],$target_file);
$img =str_replace(" ", "",basename($_FILES["file"]["name"]));
rename($target_file, "users/".$email."/pictures/Photos/".$img);
header('Refresh: 1; url=Photos.php?user='.$email);
}
Small tutorial how to upload file.
For sure, you need correct encryption and file's type in your form (ommited other fields, to clear example):
form.html
< form action="upload.php" method="post" enctype="multipart/form-data">< /form>
< input name="test" type=file>
upload.php
In $_FILES you have all data of uploaded file. In given example, we have field named test.
Advice, to always first check error $_FILES['test']['error'] - the values you can find in here.
If this is correct, then prepare upload path. Some advices:
remember that if you use original filename ($_FILES['test']['name']), then is User upload second file, with same name, you will need overwrite file or ignore upload. Other way, is to save data to database and generate temporary name form him.
destination path(target_file) - regardless if upload folder is in the same catalog, you should always use global path, as good practice. You can use DIR for that.
don't use in path data, like email - is you have project, and want give opportunity to change email in configuration, what you will do with files? Better save user to Database and use his ID as key.
If you have path, then you simply need only use of move_uploaded_file, but remember to check result, as it not always will return true. You can have error, when you don't have permissions to destination folder (you'll need debug this).
I see that you, first upload file, then rename (then you should check, if rename was success). Don't extends this process, if it not necessary. Upload file for final path and name.
Example of code (I this rattle off)
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
$fileName = basename($_FILES["file"]["name"]);
$fileName = str_replace(" ", "", $fileName);
$target_file = sprintf(__DIR__ . "/users/%s/pictures/Photos/%s", $email, $fileName);
if (move_uploaded_file($_FILES['file']['tmp_name'], $target_file)) {
// File was uploaded
header('Refresh: 1; url=Photos.php?user=' . $email);
} else {
// File was not uploaded;
throw new \Exception('File was not uploaded. Check warnings.');
}
}
Used other method to check, if this is POST
use method sprintf, for better code quality
checked effect of move_uploaded_file
use global path for destination file
Below code is risky in live environment, please use cautiously
Use a relative path to the uploads folder. For example, if your uploads folder is placed outside your current folder. Then
$PATH = '/absolute/example/path/to/uploads';//from config file
$target_file = "$PATH/file_name";
move_uploaded_file($_FILES['file']['tmp_name'],$target_file);
The above code will work both in local and remote server.
Other checks are below:
Check for errors while uploading file in server
To enable error handling use below code in your upload logic:
ini_set('display_errors', 1);
error_reporting(E_ALL);
Another important note is to make uploads folder writable otherwise file upload wont work.
I am uploading a file using PHP to a folder in my directory and am unable to rename it using the following code
$da = date("dmY");
$ja = $uid.$da;
$mukesh = $app.$ja;
// If no errors, upload the image, else, output the errors
if($err == '') {
if(move_uploaded_file($_FILES['userfile'][$mukesh], $uploadpath));
Here's PHP's official document about how to handle uploads: http://www.php.net/manual/en/features.file-upload.post-method.php
The method move_uploaded_file() requires two parameters, a filename of the temp file, and a new location.
$tmp = $_FILES['userfile']['tmp_name']; // temp path
move_uploaded_file($tmp, $uploadpath . '/' . $mukesh);
You will need to name your input element userfile.
<input type="file" name="userfile" />
Based on code snippet provided, you can do following
move_uploaded_file ($_FILES["userfile"]["tmp_name"], $uploadpath);
When you upload a file, files will be store in upload location specified in php.ini using a temporary name. This file location with name can be accessed by $_FILES["userfile"]["tmp_name"]
Lets say you upload an image.if no error then
$uploads_dir = 'as per you defined';
$tmp_name = $_FILES["userfile"]["tmp_name"];
$name = 'custom_file_name.png';//$_FILES["userfile"]["name"];
move_uploaded_file($tmp_name, $uploads_dir."/".$name);
You are renaming the temp name of file ...
When you want to rename the change the name with which you want to store the file
$filename = time().$_FILES['userfile']['name'];
$upload_path = 'path_to_ur_upload_folder'.$filename;
move_uploaded_file($_FILES['userfile']['tmp_name'],$upload_path );
first param in move_upload_file is temporary name that will be used by stream while copying an d uploading .. the second parameter is path where your file will be saved (along with file name).. it is the second parameter which will help you in renaming of file which is being uploaded
I am sending image from android apps to server. The problem is image not moving to the correct path, but only at current directory (only in which that php script stored). I tested this codes on local server and webserver, getting same result. Any one can find out whats problems.
Local Server: XAMPP 1.7.7
My PHP Script :
<?php
$base=$_REQUEST['image'];
$Username=$_REQUEST['Username'];
$binary=base64_decode($base);
header('Content-Type: bitmap; charset=utf-8');
$file = fopen($Username.'.png', 'w');
fwrite($file, $binary);
$uploadFilename = '/htdocs/android/ProfileImage/';
$tr =move_uploaded_file($_FILES[$file]['tmp_name'], $uploadFilename);
if($tr)
echo 'true';
else
echo 'false';
echo 'Successfully Uploaded';
?>
Showing Output and Error in Local Server
Strict Standards: Resource ID#3 used as offset, casting to integer (3) in C:\xampp\htdocs\android\uploadSimage.php on line 12
Notice: Undefined offset: 3 in C:\xampp\htdocs\android\uploadSimage.php on line 12
falseSuccessfully Uploaded
Showing Output and Error in Webserver
Notice: Undefined offset: 3 in C:...\uploadSimage.php on line 12
falseSuccessfully Uploaded
move_uploaded_file() expects the second parameter to be a string representing the new path and filename of upload. Currently, you are passing only a path. I also question whether the path is correct. It must be a full path, or a relative path.
You are also using the $_FILES array incorrectly. Are you uploading the image by encoding it in base64 and passing it via the URL's query string? Or are you actually uploading it using a multipart/form-data file upload field?
If you uploaded a file belonging to the upload field called image then you would get access to the file like this:
$origname = $_FILES['image']['name']; // the name from the client device
$temppath = $_FILES['image']['tmp_name']; // the temp location on the PHP server
$error = $_FILES['image']['error']; // > 0 if there was an error
$size = $_FILES['image']['size']; // size of the file
$type = $_FILES['image']['type']; // mime type, cannot be trusted though
You would then move it like this:
// Be careful using the original file name.
// If the user uploads a file with a .php extension, they may be
// able to run PHP code on your server if they can access the upload folder
// You should either generate a random file name or remove the extension
// IF THE DESTINATION FILE EXISTS, IT WILL BE OVERWRITTEN
$newPath = '/home/yoursite/htdocs/uploads/' . $origname;
$moved = move_uploaded_file($_FILES['image']['tmp_name'], $newPath);
if ($moved) {
echo "File was moved successfully.";
} else {
echo "Failed to move file.";
}
EDIT:
If you are in fact uploading the image by encoding it in base64 and sending it over the URL, then you don't need move_uploaded_file at all; in that case you can just write the decoded contents to a file anywhere you like. Keep in mind, the length of the URL may be limited so sending the image in the URL via base64 may not be a good idea.
EDIT 2:
To comment on the questions in your subsequent answer: The php function move_uploaded_file() should only be used when the file you are trying to move was uploaded to PHP using an HTTP POST method upload. It does an internal check to see if the file you are trying to move was uploaded to PHP. If it was not, then it won't move the file. Therefore you shouldn't be using move_uploaded_file() since you confirmed you were uploading the image through the URL.
Since your PHP script's path is C:\xampp\htdocs\android, this means the root path is C:\. The server root is different from your web root or document root which are both relative to your public directory. Any time you are dealing with reading/writing files in PHP, you use the full server path (relative to C:\ or /).
Given the new facts, try some code like this to "upload" the image:
<?php
$base = (isset($_REQUEST['image'])) ? $_REQUEST['image'] : '';
$Username = (isset($_REQUEST['Username'])) ? trim($_REQUEST['Username']) : '';
$binary = #base64_decode($base);
if (empty($Username)) {
die('no username specified');
}
if (!$binary) {
// data was not in base64 or resulted in an empty string
die('invalid image uploaded');
}
$basePath = 'C:\\xampp\\htdocs\\android\\ProfileImage\\';
$imagePath = $basePath . $Username . '.png';
$file = #fopen($imagePath, 'w+');
if (!$file) {
die('failed to open ' . $imagePath . ' for writing');
}
fwrite($file, $binary);
fclose($file);
echo 'Successfully Uploaded';
Make sure to take the necessary precautions so I can't upload an image for another user.
per to this document http://php.net/manual/en/function.move-uploaded-file.php another reason for this problem is invalid File name if your file Name in
move_uploaded_file ( string $filename , string $destination ) be invalid
this function return false
I accessed my server using file zilla and give write Group permissions to the target folder and then it worked.
If you're using XAMPP:
sudo chmod 777 -R /opt/lampp/htdocs/