I'm using this code to upload a CSV file to my server folder and extract the data to be inserted into the database. What if the user accidentally uploaded a CSV file with a virus? Will the system/server be infected with the virus, since the system does not execute the file?
$name = ($_FILES['fileuploaded']['name']);
$tmp_name = ($_FILES['fileuploaded']['tmp_name']);
$_SESSION['username']=$username;
if($name){
$location = "files/$name";
move_uploaded_file($tmp_name,$location);
$file_handle = fopen("files/".$name, "r");
}
"what if the user accidentally uploaded a CSV file with virus?". I would be more concerned with the question "what if the user INTENTIONALLY uploaded a CSV file with virus". Since you are not checking for the file type, someone could upload a file called bad.php and guess that you might put it in a folder called files and then they could execute it and do all sorts of damage.
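An added example (not code from either post) of the hardening the first answer points to: the extension is checked against an allow-list, the name on disk is generated by the server, and the file is stored outside the web root so it has no URL and cannot be requested and executed. `UPLOAD_DIR`, `ALLOWED_EXT`, `safeStorageName()` and `importCsvUpload()` are hypothetical names; the field name `fileuploaded` is the one from the question.

```php
<?php
declare(strict_types=1);

// Assumption: a directory outside the document root, so nothing in it has a URL.
const UPLOAD_DIR  = '/var/app-data/csv-uploads';
const ALLOWED_EXT = ['csv'];

/** Returns a server-chosen storage name for an allowed upload, or null to reject it. */
function safeStorageName(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                        // bad.php and the like stop here
    }
    // The client-supplied name never reaches the disk, so "x.php.csv" loses its ".php".
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Stores the upload under UPLOAD_DIR and returns its rows; throws when it is rejected. */
function importCsvUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $name = safeStorageName((string) ($file['name'] ?? ''));
    if ($name === null) {
        throw new RuntimeException('Only .csv files are accepted');
    }
    $target = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the upload');
    }
    $handle = fopen($target, 'r');
    if ($handle === false) {
        throw new RuntimeException('Could not read the stored upload');
    }
    $rows = [];
    while (($row = fgetcsv($handle, 0, ',', '"', '\\')) !== false) {
        $rows[] = $row;                     // every cell is untrusted text, never code
    }
    fclose($handle);
    return $rows;
}

// In the request handler (field name taken from the question):
if (isset($_FILES['fileuploaded'])) {
    $rows = importCsvUpload($_FILES['fileuploaded']);
}
```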
I have an upload form in PHP for the user's registration picture.
I use Wamp Server.
When the user starts uploading a file and then abandons the upload form (for any reason), I want the uploaded files to be deleted after 10 minutes.
How do I remove temporary files left on the server by these abandoned upload forms?
OR
How do I create a temporary folder for uploaded files and empty it after a period of time?
How can I do this without using PHP code? After uploading a file the user may not continue, so the PHP script doesn't process it and the file doesn't get deleted, but it should be deleted.
How can I do this without using PHP code?
OR
How do I run PHP code on the server, without a user request, to delete old upload files?
You can set your temp folder with http://php.net/manual/en/ini.core.php#ini.upload-tmp-dir in the ini file or using an ini function.
You can get the temporary folder location with http://php.net/manual/en/function.sys-get-temp-dir.php
Temporary files (i.e. $_FILES['userfile']['tmp_name']) are deleted right after the script is done, according to "php:: how long to tmp files stay?" and the PHP documentation.
If you are talking about files you moved somewhere else, and your server has permission to write/delete in the folder, you could do something like:
$expire_time = 10; // age limit in minutes (the question asks for 10)
foreach (glob("your_temp_folder/*") ?: [] as $Filename) {
    // Read file creation time (on Unix, filectime() is the inode change time)
    $FileCreationTime = filectime($Filename);
    // Calculate file age in seconds
    $FileAge = time() - $FileCreationTime;
    // Is the file older than the given time span?
    if ($FileAge > ($expire_time * 60)) {
        // Now do something with the older files...
        print "The file $Filename is older than $expire_time minutes\n";
        // For example deleting files:
        //unlink($Filename);
    }
}
Code snippet credit to => http://www.jonasjohn.de/snippets/php/delete-temporary-files.htm
My purpose is uploading a remote file created from my PC to a specific folder, but I don't know what's wrong with my code below. It uploads the file with the name and the .jpg extension, but it is not moving the file to the specified folder.
if(isset($_POST["image"])){
define("SITE_NAME","project_name/"); //constant for project name
define("SITE_PATH",$_SERVER['DOCUMENT_ROOT']."/".SITE_NAME); //constant for project base directory
define("IMAGES_URL",SITE_URL."images/"); //constant for image directory
$upload_base_dir=IMAGES_URL;
$upload_time_dir=date('Y')."/".date('m')."/".date('d')."/"; // setup directory name
$upload_dir = $upload_base_dir.$upload_time_dir;
if (!file_exists($upload_dir)) {
mkdir($upload_dir, 0777, true); //create directory if not exist
}
$input = $_POST["image"];
$file = fopen(time()."image.jpg", 'wb');
fwrite($file, $input);
//$image_name=basename($_FILES['image']['name']);
$image=time().'_'.$image_name;
move_uploaded_file($file,$upload_dir.$image);
fclose($file);
}
Any suggestions? Thank you in advance.
move_uploaded_file($file,$upload_dir.$image) will only work for items within temp that are accessible via the $_FILES superglobal. If you are sending your file as a stream within POST, that won't work.
1) If the file is a form upload, make sure the form is multipart and access your file via the $_FILES superglobal:
move_uploaded_file($_FILES['userfile']['tmp_name'], $yourDirectory.$yourFilename);
2) If you post the file as a stream via POST (keep in mind this will only work for small files, as large ones will exceed the request limit), save the file directly to its destination using fopen, or, to move it after you created it, use rename() - http://php.net/manual/en/function.rename.php
rename($currentFilePath, $newFilePath);
P.S. sending files as post streams is a very very bad idea.
Got the server, got the domain, got the code, getting the images successfully, making the products for the customers from the image files they upload. Yay!
Problem: all my image names are image_0001 etc.
Customers can't rename image files from iPhones and do not care to from PCs.
So I was thinking about putting a short form on the upload page asking for customer's last name and having the PHP code attach that name to the image file(s) being uploaded.
If it's not possible, I'm sorry for the inconvenience.
You can rename files after they have been saved to your server, check out the PHP manual for the rename function - http://www.php.net/manual/en/function.rename.php, or just while you are moving them from the tmp directory, you can specify a different name for the uploaded file. See http://www.php.net/manual/en/function.move-uploaded-file.php
Be careful to include something in your code for dealing with naming conflicts.
This one might help:
$imagename = basename($_FILES['file']['name']);
$ext = pathinfo($imagename, PATHINFO_EXTENSION); // we want to change the file name but not the extension
$basename = pathinfo($imagename, PATHINFO_FILENAME); // original name without the extension
$newImagename = $basename.$username.'.'.$ext; // assuming you hold the username in $username
if (move_uploaded_file($_FILES['file']['tmp_name'], "/path/{$newImagename}"))
{
    // ...
}
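An added example, not code from either answer, that combines their two points: the customer's last name is reduced to a safe token before it becomes part of the file name, and naming conflicts are resolved by reserving the name atomically. The `lastname` form field, the accepted image types and the helpers `nameToken()` and `reserveTarget()` are assumptions; `/path` is the placeholder directory from the answer above.

```php
<?php
declare(strict_types=1);

/** Reduces customer-typed text to a short token that is safe inside a file name. */
function nameToken(string $text): string
{
    // ASCII letters and digits only: removes "/", "\", "..", NUL bytes and spaces.
    $token = preg_replace('/[^A-Za-z0-9]/', '', $text) ?? '';
    return $token === '' ? 'customer' : strtolower(substr($token, 0, 32));
}

/** Reserves "<lastname>_<original>[_n].<ext>" in $dir and returns the full path. */
function reserveTarget(string $dir, string $lastName, string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {   // assumed image types
        throw new InvalidArgumentException('Not an accepted image type');
    }
    $base = nameToken($lastName) . '_' . nameToken(pathinfo($clientName, PATHINFO_FILENAME));
    for ($n = 0; $n < 1000; $n++) {
        $path = sprintf('%s/%s%s.%s', $dir, $base, $n === 0 ? '' : "_$n", $ext);
        $fh = @fopen($path, 'x');           // mode "x" fails if the name is already taken
        if ($fh !== false) {
            fclose($fh);
            return $path;                    // the empty placeholder now holds the name
        }
    }
    throw new RuntimeException('No free file name found');
}

// In the request handler; "lastname" is a hypothetical form field.
if (isset($_FILES['file'], $_POST['lastname']) && is_string($_POST['lastname'])
    && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $target = reserveTarget('/path', $_POST['lastname'], $_FILES['file']['name']);
    move_uploaded_file($_FILES['file']['tmp_name'], $target);   // overwrites the placeholder
}
```

Reserving the name with `fopen(..., 'x')` avoids the race in which two simultaneous uploads both see the same name as free.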
I have the following PHP code that runs when someone uploads a file:
if ($_FILES['files']['error'][0] !== UPLOAD_ERR_OK) {
die("Upload failed with error " . $_FILES['files']['error'][0]);
}
$namme = $_FILES['files']['name'][0];
$namme = substr($namme, strpos($namme,"."), strlen($namme));
$ok = false;
switch ($namme) {
case '.docx':
case '.txt':
case '.pdf':
break;
default:
die("Unknown/not permitted file type");
}
$filename = $_FILES['files']['tmp_name'][0];
$file = _file_get_contents('./'.$_FILES['files']['name'][0], true);
I want to print all of the content out, but I don't wish to save the file first and then open it.
My question is: is it possible to open the text file and print the content without saving the file first?
When the user uploads a file, it gets saved in a temp location. That's just how the HTTP server works, before your PHP script ever gets called. It would be bad if the server held all uploaded files in memory; what if the user is uploading a dozen files that are all 10 MB?
The only way to avoid that is to not use file upload (for example, have the user paste the file contents into a text area that gets submitted), or write your own HTTP server and don't use PHP (not a practical solution, most likely).
I have a problem with saving PDF files to folders on my server. The code worked at one time and now it doesn't. What I want it to do is to check if someone is trying to upload a PDF when a form is submitted, and if there is a PDF in the file field it uploads it and then saves the path to the mysql database. Code is below:
if (!empty($_FILES['pdf'])){
$idir = "../files/PDF/"; //my directory file is supposed to be saved in
$randomd=rand(0000000,9999999); //creates a random number as filename
$domain = "http://".$_SERVER['HTTP_HOST'];
$file_ext = strrchr($_FILES['pdf']['name'], '.'); // grabs file extension. My code checked if the file was a PDF a different way and neither seems to work.
$destination=$randomd.$file_ext; //new filename
if ($file_ext=='pdf') {
move_uploaded_file($_FILES['pdf']['tmp_name'], "$idir" . $destination);
$pdf= $domain."/files/PDF/".$destination; } else { echo("File type not supported.");
mysql_query("UPDATE tbl_listings SET pdf='$pdf' WHERE listing_id='$lid'");
}
The if not empty does not work and it always tries to upload a file, but when I check the folder nothing is in there and it doesn't update MySQL.
$_FILES['pdf'] will never be empty (when the form has been submitted); no matter whether a file has been selected or not, it will always return an array.
Check $_FILES['pdf']['error']; it will be 4 when no file has been uploaded.
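An added example, not code from the question or the answer, of the check the answer describes: the `error` field separates "no file selected" (value 4, `UPLOAD_ERR_NO_FILE`) from a real failure, and the file is accepted only if both its extension and its content say PDF. `storePdfUpload()` is a hypothetical helper, the directory is the one from the question, and the content check assumes the `fileinfo` extension is enabled.

```php
<?php
declare(strict_types=1);

/**
 * Returns null when the form was submitted without a file, the stored path when a
 * PDF was accepted, and throws for anything else.
 */
function storePdfUpload(array $file, string $dir): ?string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error === UPLOAD_ERR_NO_FILE) {       // value 4: the field was left empty
        return null;
    }
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $error");
    }
    // strrchr() keeps the dot, so the value to compare against is ".pdf", not "pdf".
    $ext = strtolower((string) strrchr((string) $file['name'], '.'));
    if ($ext !== '.pdf') {
        throw new RuntimeException('File type not supported.');
    }
    // The name is chosen by the client, so also look at the bytes themselves.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException('File content is not a PDF.');
    }
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(8)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $target;
}

$path = isset($_FILES['pdf']) ? storePdfUpload($_FILES['pdf'], '../files/PDF') : null;
if ($path !== null) {
    // Update the listing row here, with a prepared statement rather than
    // interpolating $path into the SQL string.
}
```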