PHP File Upload / Host System - php

I have currently made a script which allows uploading of files within our company. I am looking to improve this script to allow for the directory of the uploaded file to be masked within the download link (I don't really want people knowing the directory structure). Is there a way I can encode the link and then, once a successful upload is made, echo out the masked URL available for our clients to download?
<?php
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
// Size and type as reported for the upload (the type is client-supplied)
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_type = $_FILES['uploaded']['type'];
$ok = 1;
//This is our size condition
if ($uploaded_size > 350000)
{
    echo "Your file is too large.<br>";
    $ok = 0;
}
//This is our limit file type condition
if ($uploaded_type == "text/php")
{
    echo "No PHP files<br>";
    $ok = 0;
}
//Here we check that $ok was not set to 0 by an error
if ($ok == 0)
{
    echo "Sorry your file was not uploaded";
}
//If everything is ok we try to upload it
else
{
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
    {
        // Escape the client-supplied name before echoing it into the page
        echo "The file " . htmlspecialchars(basename($_FILES['uploaded']['name'])) . " has been uploaded";
    }
    else
    {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>
Thanks Guys :)

I won't give you the code, but here is my strategy for implementing file sharing without giving away their location.
Create a file that takes as a parameter the name of the file to be retrieved. Its only purpose is to open the file and stream it out. It should know ahead of time what to do with the file, where to look for it, and how to return it (stream). Let's call it getFile($filename)
In your main PHP file, call the function and store the result in a variable:
$file = getFile($_POST['filename']);
Now send the user the file, and he will be none the wiser about where it came from.

You could make a script that the file bounces. It just accepts the filename as parameter. Something like:
download.php?file=myfile.txt
that way you don't say where you put your files, and it's easy to implement. You could add headers to actually download the file.
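
One way to build the download.php script described above, as an added example (not code from the original posts): the link carries an opaque token instead of a filename, and the script refuses anything that does not resolve inside the storage directory. The storage path, the 32-hex token format and the JSON sidecar holding the original name are assumptions.

```php
<?php
// download.php -- added example, not code from the original posts.
// Assumed layout: files live outside the web root under a 32-hex token,
// with "<token>.json" holding the original name (hypothetical).
const STORAGE_DIR = '/srv/app-uploads';

function resolve_download(string $token, string $dir): ?array
{
    // Only the exact token format is accepted: no slashes, dots or "..".
    if (!preg_match('/\A[a-f0-9]{32}\z/', $token)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $token);
    // realpath() is false for missing files; the prefix test rejects a
    // symlink that resolves outside the storage directory.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $meta = json_decode((string) @file_get_contents($path . '.json'), true);
    $name = is_array($meta) && is_string($meta['name'] ?? null) ? $meta['name'] : 'download';
    // Keep the suggested filename to characters that are safe in a header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    return ['path' => $path, 'name' => $name];
}

$token = $_GET['file'] ?? '';
$file  = is_string($token) ? resolve_download($token, STORAGE_DIR) : null;
if ($file === null) {
    // Same response for malformed tokens and missing files.
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $file['name'] . '"');
header('Content-Length: ' . filesize($file['path']));
header('X-Content-Type-Options: nosniff');
// readfile() streams bytes; unlike include it never executes the content.
readfile($file['path']);
```

A link such as download.php?file=<token> then reveals neither the directory nor the stored filename, and a request for a value like ../../etc/passwd fails the token check before any path is built.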

Related

Why is move_uploaded_file not working?

Whenever I try to move a file it does not work and shows "Image file not uploaded"... I just want to know where the error is...
$target = '/var/www/student/public/myimage.jpg';
$destination = '/var/www/student/public/images/myimage.jpg';
if( move_uploaded_file( $target, $destination ) ) {
echo "Image file is successfully loaded";
} else {
echo "Image file not uploaded.";
}
I have checked error log (tail -f /var/log/apache2/error.log) but found nothing.
target and destination both directories have 777 permissions.
Can someone tell me how to find out the error? Any idea?

If you are not using HTTP POST upload method then you can use rename()
rename($target, $destination);

Has the file been uploaded in the current request?
move_uploaded_file will refuse to move files that are not uploads (i.e. $target must equal $_FILES[$field_name]['tmp_name']).
If it has been uploaded previously, move_uploaded_file will refuse to work (if it is even still there - PHP will delete it if you don't handle the file on that upload if I remember correctly)
If it is in fact not a file that has been uploaded with this request, you'll want to use rename.

move_uploaded_file() only works on HTTP POST files. http://php.net/manual/en/function.move-uploaded-file.php
To move a file already on the server, you will have to copy the file and unlink the old file
$target = '/var/www/student/public/myimage.jpg';
$destination = '/var/www/student/public/images/myimage.jpg';
if (copy($target, $destination)) {
unlink($target);
} else {
echo "Unable to copy $target to $destination.";
}

PHP move_uploaded_file to directory and create file

I have a script that uploads a file and then moves it to a directory. However, the script does not know the name of the file it's creating because it hasn't created it yet and cannot find the file to update.
So either one requires a way to make the file first or there is another way of doing this. The code:
<?php
// Destination directory for the upload
$filename = '/home/divethe1/public_html/update/z-images/admin/upload/test/';
if ($_FILES['thumbfile']['error'] === UPLOAD_ERR_OK) {
    // getimagesize() returns false for non-images; index 2 holds an IMAGETYPE_* constant
    $info = getimagesize($_FILES['thumbfile']['tmp_name']);
    if ($info === false || (($info[2] !== IMAGETYPE_GIF) && ($info[2] !== IMAGETYPE_JPEG))) {
        die("not a gif/jpg");
    }
    if (filesize($_FILES['thumbfile']['tmp_name']) > 100000) {
        die("larger than 100000");
    }
    // basename() strips any directory components from the client-supplied name
    move_uploaded_file($_FILES['thumbfile']['tmp_name'], $filename . basename($_FILES['thumbfile']['name']));
    echo '<script type="text/javascript">
parent.document.getElementById("thumbprogress").innerHTML = "Archiving"</script>Archiving';
}
else
{
    echo '<script type="text/javascript">
parent.document.getElementById("thumbprogress").innerHTML = "Invalid File Format"</script>Invalid File Format';
}
?>
Any ideas?

I think you're misunderstanding how move_uploaded_file() works. It doesn't create a file for you. It:
Takes the temporary file that PHP created for you to hold the upload (the filename/path for which is in $_FILES['thumbfile']['tmp_name'])
does a few security checks to make sure no one's tampered with the file between the time the upload completed and the move_uploaded_file call was issued
then MOVES the file to the location you specify.
It doesn't handle the upload, or receive the file - by the time your upload-handling script gets fired up, the upload has already been completed and the file is waiting in that tmp_name location.
If the move can't be completed for any reason, move_uploaded_file() returns false. It won't warn you if you're overwriting a file in the destination, on the assumption that you know what you're doing.
My mistake. I left the directory test in place. That should have gone. Thanks anyway for all help.

PHP -- filtering uploaded files to images

How can I make sure that no PHP/HTML files are uploaded to my server? This is the code I have so far, but it isn't working.
<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
//This is our size condition
if ($uploaded_size > 35000)
{
echo "Your file is too large.<br>";
$ok=0;
}
//This is our limit file type condition
if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
}
//Here we check that $ok was not set to 0 by an error
if ($ok==0)
{
Echo "Sorry your file was not uploaded";
}
//If everything is ok we try to upload it
else
{
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded and will be revied by moderators. You will recieve points based on the review.";
}
else
{
echo "Sorry, there was a problem uploading your file.";
}
}
?>
Your code uses variables which are not set, for example, $uploaded_size which will be NULL unless you do something like...
$uploaded_size = $_FILES['uploaded']['size'];
Also, checking the MIME is not too great at telling you whether the file has PHP or not. It just means it has the php extension (that is if you are inspecting type in $_FILES).
For security, move uploads outside of the docroot, rename and drop any extension (to prevent Apache trying to run any malicious file). The original filename and type can be stored safely in a database, with a reference to the (perhaps hashed) new name.
You may also want to ensure if you are streaming the content later to always echo the content using readfile() and not something like include (which will run your PHP code, even if embedded in an image with image/gif MIME, which can be told it is a GIF if it includes the GIF header).

Check out http://www.php.net/manual/en/function.exif-imagetype.php - this checks for certain magic numbers that all JPGs have at the beginning. Also, as others have pointed out, you're using undefined variables... check out the PHP tutorial for file uploading (which also documents the contents of $_FILES).
http://www.php.net/manual/en/features.file-upload.post-method.php
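
The storage approach recommended in the answers above (outside the docroot, renamed, no extension, type checked from magic bytes), as an added example that is not code from the original posts. The form field name "uploaded" and the size limit follow the question; the storage directory and the JSON sidecar standing in for the database are assumptions.

```php
<?php
// upload.php -- added example, not code from the original posts.
// Assumptions (hypothetical): form field "uploaded", a storage directory
// outside the web root, and a JSON sidecar standing in for the database.
const STORAGE_DIR = '/srv/app-uploads';
const MAX_BYTES   = 35000;
const ALLOWED     = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

function store_upload(array $file, string $dir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException("Upload failed (code $error)");
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File is too large');
    }
    // Type comes from the file's magic bytes, never from the
    // client-supplied $_FILES[...]['type'] or the file extension.
    $type = @exif_imagetype($file['tmp_name']);
    if (!in_array($type, ALLOWED, true)) {
        throw new RuntimeException('Only GIF, JPEG and PNG are accepted');
    }
    // Random name with no extension: nothing for the web server to execute.
    $token = bin2hex(random_bytes(16));
    $dest  = $dir . '/' . $token;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file');
    }
    chmod($dest, 0640);
    // Original name and detected type are kept as data only.
    $meta = [
        'name' => basename((string) $file['name']),
        'mime' => image_type_to_mime_type($type),
    ];
    file_put_contents($dest . '.json', json_encode($meta), LOCK_EX);
    return $token;
}

if (isset($_FILES['uploaded'])) {
    try {
        echo 'Stored as ' . store_upload($_FILES['uploaded'], STORAGE_DIR);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

A valid image header does not prove the file is free of embedded PHP; the protection comes from the file never being reachable by URL or passed to include, only streamed with readfile().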

Error uploading file from HTML form

Here is a problem.
I have an HTML form with several fields in it.
One of the fields - 'Upload file'.
When I upload a file, everything works properly. But when I choose to submit the form without a file, it gives me the error message: "There was an error uploading the file, please try again". Looks to me that the script thinks that uploading a file is mandatory.
How do I change it?
Here is my PHP:
//File upload
// Where the file is going to be placed
$target_path = "uploads/";
// Add the original filename to our target path.
//Result is "uploads/filename.extension"
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
//End of file upload
Thank you!
You should check using the function is_uploaded_file
try adding the following condition before calling the function move_uploaded_file
if (is_uploaded_file($_FILES['uploadedfile']['tmp_name'])) {
The target path of move_uploaded_file should be a folder, not a file.
You should also check if the folder is_writeable and is_dir.
move_uploaded_file returns a bool, true or false, depending on the success of the operation.
A solution would be to check more rigorously, e.g. if a file was uploaded at all via is_uploaded_file function.
For proper working, the function is_uploaded_file() needs an argument like $_FILES['userfile']['tmp_name']; the name of the uploaded file on the client's machine, $_FILES['userfile']['name'], does not work.

moving around uploaded files in PHP

I need to resize an uploaded image.
The class that resizes needs to get the location of the image to be worked with.
It returns the image in a variable.
However, when I try to get the path to the image, I get from $_FILES['profile_upload']['tmp_name'] the following: C:\xampp\tmp\php1C5.tmp
I don't get the actual file, even though the tmp folder contains it!
How can I get the actual filename? Another question - for how long are the files stored in tmp, and when do they get deleted?
By the way, does the Zend Framework have a good image manipulation interface?
You should complete the whole file upload setup with something similar and then the variable $_FILES['uploadedfile']['name'] will also contain the original file name:
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
To address your second point: Files are stored until the script they were uploaded to finishes.
