I'm trying to upload a zip file and a csv file from HTML form.
On PHP, When I printed $_FILES (Actually $request->getFiles() in symfony), I got following.
Array
(
[zipfile] => Array
(
[name] => tempfiles.zip
[type] => application/octet-stream
[tmp_name] => C:\wamp\tmp\php5D42.tmp
[error] => 0
[size] => 850953
)
[csvfile] => Array
(
[name] => test.csv
[type] => application/vnd.ms-excel
[tmp_name] => C:\wamp\tmp\php5D52.tmp
[error] => 0
[size] => 312
)
)
I'm wondering with the type and tmp_name. I need to take few decisions based on type. Is it safe to take decisions on existing type? Will I get same result for similar files on Linux server?
Again tmp_name have .tmp extension. Is it consistent on both windows/linux? If not, is there any way that the code I write on windows (decision using type) will work on linux without any issue?
Using this type can be dangerous Because user can change the type of the files and can upload a php script.
You should validate the type first just like get_image_size() to validate a image file.I have no idea about .zip file
It is not safe to trust the type form $_FILES, you need to validate the file type in server side.
For .tmp extension, it is ok both on windows or linux.
Related
I am using Scrapy to gather images. I would like to simulate a post onto a PHP script with multiple files. Similar to when someone uploads 10 files and they get processed by a PHP script using $_FILES['name']. I would also like to pass $_POST data as well.
Here is my Python.
post_array={
'parse':'listing'
}
files_array=response.xpath(root+'/photos//url/text()').extract()
returned=requests.post(php-script.php,data=post_array,files=files_array).text
pprint(returned)
So this is suppose to create a $_POST variable and a $_FILES variable with multiple files. How can I convert the list of URLs in files_array to become a $_FILES array in the php-script.php?
Python data input:
post_array={
'parse':'listing'
}
files_array=['https://example.co/123.jpg','https://example.co/124.jpg','https://example.co/125.jpg']]
into PHP data output inside php-script.php (desired result):
$_POST=['parse'=>'listing'];
$_FILES=['images'=>[
[0] => Array
(
[name] => 123.jpg
[type] => image/jpeg
[tmp_name] => /tmp/php/php6hst32
[error] =>
[size] => 98174
)
[1] => Array
(
[name] => 124.jpg
[type] => image/jpeg
[tmp_name] => /tmp/php/php6hst32
[error] =>
[size] => 98174
)
[2] => Array
(
[name] => 125.jpg
[type] => image/jpeg
[tmp_name] => /tmp/php/php6hst32
[error] =>
[size] => 98174
)
]];
I have also tried this:
returned=requests.post(triggers,data=post_array,files={'images':[url for url in files_array requests.get(url).content]}).text
pprint(returned)
The only way to convert list of URLs to a $_FILES array in PHP script is to actually upload these files (via POST request with enctype="multipart/form-data").
Here it's how you can do it with requests:
files_array = [('images', ('123.jpg', open('123.jpg', 'rb'), 'image/jpeg')),
('images', ('124.jpg', open('124.jpg', 'rb'), 'image/jpeg')),
('images', ('125.jpg', open('125.jpg', 'rb'), 'image/jpeg'))]
r = requests.post(url, data=post_array, files=files_array)
You can find detailed example in Advanced Usage documentation for Requests
Scrapy does not yet have file upload support, so you have to build such requests manually, which might not be trivial for you.
Adding file upload support to Scrapy has been requested, and there is an unfinished implementation that you could try out, or even try to finish.
Whatever approach you decide to follow, mind that you won’t be able to build such requests based on file URLs. To upload a file, you must have it in your computer; if you do not have it, you must download it.
I have a page that will allow me to upload a CSV file. Using PHP I then take the contents of the CSV file and insert them into a MySQL database. I've been doing this with no problems for awhile now. Then today, I tried uploading the file and it didn't work. The problem is that there appears to be no file type associated with the CSV file. For example, on a good upload, the debug messages I spit out look like this:
You uploaded a file: buylist_235.csv
file type: application/vnd.ms-excel
file size: 10456
File is valid, and was successfully uploaded. Here is some more debugging info:Array (
[csv] => Array
(
[name] => buylist_235.csv
[type] => application/vnd.ms-excel
[tmp_name] => C:\xampp\tmp\php3C1E.tmp
[error] => 0
[size] => 10456
)
)
However, when I upload the problem file with the debug messages on I noticed the file type and file size is empty.
You uploaded a file: buylist_235_1.csv
file type:
file size: 0
Possible file upload attack!
Here is some more debugging info:Array
(
[csv] => Array
(
[name] => buylist_235_1.csv
[type] =>
[tmp_name] =>
[error] => 2
[size] => 0
)
)
Anyone have any ideas why the file type is empty? In Windows Explorer, if I hover over either of these files the info balloon over the files say "Type: Microsoft Excel Comma Separated Values File". But there is something wrong with the second file that causes my PHP to puke and not recognize the file type.
The file type is not the problem (I don't think).
You'll see error code 2 was returned during the attempted file upload in your second example block, and it was NOT written to temporary storage (tmp_name is empty, size is 0).
You uploaded a file: buylist_235_1.csv
file type:
file size: 0
Possible file upload attack!
Here is some more debugging info:Array
(
[csv] => Array
(
[name] => buylist_235_1.csv
[type] =>
[tmp_name] =>
[error] => 2
[size] => 0
)
)
Error code 2 is: UPLOAD_ERR_FORM_SIZE: The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.
Adjust this value larger in your form HTML.
while uploading MP4 video $_FILES array comes like this..
Array
(
[qqfile] => Array
(
[name] => video.mp4
[type] => video/mpeg4
[tmp_name] => /tmp/php74N9mR
[error] => 0
[size] => 199160
)
)
But while uploading .FLV file $_FILES array coming like this , why it is not coming proper?
Array
(
[qqfile] => Array
(
[name] => YouTube - My Youtube Contest Announcement.flv
[type] =>
[tmp_name] =>
[error] => 1
[size] => 0
)
)
please suggest.
The file you are trying to upload is too large. From the PHP manual's chapter on file uploads:
Since PHP 4.2.0, PHP returns an appropriate error code along with the file array. The error code can be found in the error segment of the file array that is created during the file upload by PHP. In other words, the error might be found in $_FILES['userfile']['error'].
...
UPLOAD_ERR_INI_SIZE
Value: 1; The uploaded file exceeds the upload_max_filesize directive in php.ini.
i think its related to the file name you upload ,
when you call to the php function wrap your file name with ''
can anyone shed some light on this:
Array
(
[video] => Array
(
[name] => 20051210-w50s.flv
[type] =>
[tmp_name] => /tmp/php38JFea
[error] => 0
[size] => 669036
)
)
I'm uploading an flv file, but the [type] is not being filled, is this common?
cheers in advance!
The type field is a MIME type set by the client. In this case, it just didn't know what a flv file is, and didn't set it. It is a good thing not to rely on this information, as it can be freely altered by an attacker.
If you want to get reliable info about an uploaded video file, you need to do a server-side check. The getid3 for example seems to be able to recognize flv files.
The built-in getimagesize() function can do the same for many image formats.
I can't understand why my file uploaded through a form that used to be working just fine, is now returning an empty image type. Below is the printed array of $_FILES:
[file] => Array ( [media_image] => Array ( [name] => 001_ac.jpg [type] => [tmp_name] => [error] => 1 [size] => 0 )
According to the File error #1, the file you are uploading is larger than the upload_max_filesize allowed in php.ini. See the error codes in the manual here: http://php.net/manual/en/features.file-upload.errors.php
Hence, the file upload is being rejected, so it hasn't got a size or most of its other normal attributes. Your code can check for such errors and handle them by giving the user feedback, such as informing them of file size restrictions, file types, etc.