php - multi-step form with file upload - php

I can't seem to find clarification. I have 7 steps and the second one is to upload a file. The problem I am having is that on the final step when I finalize the form and try and access the temp file it says "Could not access file: ..." (saved in the default tmp folder).
Other multi-step tutorials say to keep it in a temp folder and then move to the appropriate folder when complete. So do they mean I move it from the default temp folder into a temp folder I manage and then when they complete the form move it again to a final folder?

So do they mean I move it from the default temp folder into a temp folder I manage and then when they complete the form move it again to a final folder?
Yes, exactly. You do the first move on the request that receives the files, because when that request is finished PHP would delete them if they still exist.
See move_uploaded_file (Docs) and Handling File Uploads.

With "temp folder" they don't mean /temp.
After the upload, you should actually save the file in some folder, maybe with the user's session id as name. Then, with the last step, you should move that file to its definitive location.
Temp files (like, actual temporary files) are destroyed once the program that created them exits (that usually means, in PHP, after the next output page is sent to the client).

Related

File upload and delete if the order is not completed

I am thinking about solving the problem of uploading files by store visitors. Let's imagine a simple store. On the product page, the customer sees an additional "File Upload" field. The uploaded file will be added to the order.
The customer uploads the file when adding the product to the cart.
Then I have two scenarios - A: The customer makes a purchase, B: The customer abandons the cart and never returns to the store. But what to do with uploaded files?
I wonder what the best approach would be for scenario B?
Upload the file to the /guest_files directory (accessible only for admin)
If the customer places an order, move the file to another directory, eg "order/1234/client_files"
Run CRON job once a day at night - clean the /guest_file directory
or
Upload the file to the /client_files directory
If the session has expired, delete the files uploaded by the user
But, Is it possible to call an event in PHP when the session ends?
or
I know that during the upload, files go to the temporary directory and then are deleted, unless move_uploaded_file is called. Is it possible to extend the time of a file's presence in the temporary directory?
or
All sessions are stored in /tmp directory. For example current session has id: 0pnkm91lcgjtikftoe1imedt07 and the session file is /tmp/sess_0pnkm91lcgjtikftoe1imedt07
I upload files to the: /tmp/uploads/0pnkm91lcgjtikftoe1imedt07/ directory. CRON job run every 5-15 mins (algorithm below):
GET all sess_* file names from /tmp
FOR every directory in /tmp/uploads ($dir_name) check if '/tmp/sess_'.$dir_name exists
IF sess_ does not exist THEN delete /tmp/uploads/{sessionid} directory
Thanks for any reply
Ok, so I've tried several options. I think that IndexedDB is the right answer.
Here, I prepared a simple lib to handle a files queue and store it in the IDB.
filequeue.js repo
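
The cron algorithm from the question (delete /tmp/uploads/{sessionid} once /tmp/sess_{sessionid} is gone), written out as an added example that is not part of the original posts. It assumes file-based sessions and the paths quoted in the question; the function names are hypothetical.

```php
<?php
// Added example of the cron algorithm in the question; run it from the CLI.
// Paths are the ones quoted above; file-based sessions are an assumption.
declare(strict_types=1);

const SESSION_DIR = '/tmp';
const UPLOAD_ROOT = '/tmp/uploads';

function remove_tree(string $dir): void
{
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($items as $item) {
        // Symlinks are unlinked, never followed into their targets.
        if ($item->isDir() && !$item->isLink()) {
            rmdir($item->getPathname());
        } else {
            unlink($item->getPathname());
        }
    }
    rmdir($dir);
}

function find_orphaned_upload_dirs(): array
{
    $orphans = [];
    foreach (new DirectoryIterator(UPLOAD_ROOT) as $entry) {
        if ($entry->isDot() || $entry->isLink() || !$entry->isDir()) {
            continue;
        }
        $id = $entry->getFilename();
        // Act only on names that look like PHP session ids; ignore anything else.
        if (preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) !== 1) {
            continue;
        }
        if (!file_exists(SESSION_DIR . '/sess_' . $id)) {
            $orphans[] = $entry->getPathname();
        }
    }
    return $orphans;
}

foreach (find_orphaned_upload_dirs() as $dir) {
    remove_tree($dir);
    echo "removed $dir\n";
}
```

Session files are only removed when session garbage collection runs, so an abandoned upload directory lives until that happens.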

accessing uploaded files from hosted website temp folder

I am learning "penetration testing of web server / websites". I am testing a web server security with the following steps:
Test 1:
Through inspect element tools I added a new form element
Test 2:
I filled the form elements which already existed and browsed a PHP file through my injected input file tag. When I submit the form, it is submitted and the file is also uploaded (surely the uploaded file would be placed in the temp folder of that website)
Test 3:
Now I am stuck here, because I don't know how to access that PHP file I uploaded in Test 2?
Any idea would be appreciated.
Thanks for your cooperation.
For the uploaded file to be run directly from the browser would imply that the temporary folder is inside the web root which is a major security flaw that you will not find frequently.
Hopefully very few people are stupid enough to change that default configuration option to put temporary files in the web root.

Is it necessary to destroy the temp uploaded file if requirements are not met

I'm uploading files using php. The file has to be below a certain size. If it's not, the script returns an error.
I've noticed that php stores the uploaded file in (my case) C:\Windows\Temp\filename.extension
Right now, if the file is above the Max size, the script only returns an error. So what happens to the file that got uploaded? Does php delete it automatically or do I have to do that? Even if the file was the right size, the temp file still remains there I guess. Should I be deleting this file in my script?
No, from the manual:
The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.

what happens to uploaded files after navigation away from a page in php?

I have a form page that posts to another page where multiple fields as well as file uploads are processed. Just wondering what happens to the 'tmp_name' files when/if the user enters some incorrect info and I send them back to the form page with a meta refresh?
If successful, I move the file to a new location. But if not successful, do the files get unset or erased if the user gets redirected? If they don't, can I reaccess them again so the user doesn't have to reupload? OTOH if there is a problem with the file, say it is not the expected MIME type, should I unlink($_FILES['userFile']['tmp_name'])? It's easy to force the user to re-upload again, I think, but I don't want the server being filled up with files that will never be used. If the form passes inspection, and I use rename() to move the file, is the temp file really gone? Did it ever exist on the server's hard drive, or was it only in RAM? What's the best practice here?
do the files get unset or erased if the user gets redirected?
The uploaded files are stored in the /tmp directory (or whatever is specified as PHP's temporary location). Once your script has run, files left there are subject to deletion any time. I don't think they usually get deleted straight away, but the contents of /tmp will be automatically purged by the OS when necessary.
/tmp is usually located on a hard drive, not in RAM.
Managing this is usually nothing you need to worry about.
If the form passes inspection, and I use rename() to move the file, is the temp file really gone?
Yes, but you must use move_uploaded_file() on uploaded files instead of rename() for security reasons.
The file is stored in the tmp folder and if you don't move it elsewhere it will stay there. It will be removed automatically by the OS on next cleanup.
Edit:
Please look at Marc's comment below.
http://www.php.net/manual/en/features.file-upload.post-method.php
The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.

move_uploaded_file not working

I'm uploading files via JS and storing the temp path in the session.
Then I use the following code to move the files.
if(move_uploaded_file($_SESSION['temp_img'][$key]['path'], $dest.$bigimg)){
$dest and $bigimg are defined earlier in the script with the id from the database.
Any Ideas or alternatives ?
MANCHUCK's answer was close but not quite there. You must call move_uploaded_file within the script where the file was uploaded. You cannot do what you're doing, that is, "storing temp path in the session" because that path is only valid for one request.
From the PHP manual:
The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.
(Emphasis mine)
move_uploaded_file checks that a file has been uploaded to that page. You are actually uploading the file to a different PHP script then storing in a session. Instead of using move_uploaded_file use rename.
What is the output of $_SESSION['temp_img'][$key]['path']? Also, do you have permission to write to the web directory you're placing the files in? You may need to set it to 777 for some hosts to allow the webserver to write there.
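
The two-stage pattern described in the multi-step form answers at the top of the page and in this thread (call move_uploaded_file in the request that receives the file, then move it again on the final step), as an added example that is not code from any of the posts. The directory constants, the 'userFile' field name, the session key and the function names are assumptions.

```php
<?php
// Added example, not code from the page. STAGING_DIR, FINAL_DIR, the 'userFile'
// field name and the session key are assumptions; both directories must exist
// outside the web root and be writable by PHP only.
declare(strict_types=1);

const STAGING_DIR = '/var/app/upload_staging';
const FINAL_DIR   = '/var/app/orders';

// Run in the script that receives the POST: tmp_name is deleted when it ends.
function stage_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Server-generated name; the client-supplied name and extension are not used.
    $token  = bin2hex(random_bytes(16));
    $staged = STAGING_DIR . '/' . $token . '.upload';
    // move_uploaded_file() only accepts files uploaded in the current request.
    if (!move_uploaded_file($file['tmp_name'], $staged)) {
        throw new RuntimeException('could not stage upload');
    }
    chmod($staged, 0600);
    $_SESSION['staged_upload'] = $token; // keep a token in the session, not a path
    return $token;
}

// Run on the final step. rename() is used here because the source is no longer
// a PHP upload temp file; its path is rebuilt from the validated token.
function finalize_upload(string $orderId): string
{
    $token = $_SESSION['staged_upload'] ?? '';
    if (!is_string($token) || preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        throw new RuntimeException('no staged upload in this session');
    }
    if (preg_match('/\A[0-9]+\z/', $orderId) !== 1) {
        throw new InvalidArgumentException('order id must be numeric');
    }
    $src = STAGING_DIR . '/' . $token . '.upload';
    $dst = FINAL_DIR . '/' . $orderId . '-' . $token . '.upload';
    if (!is_file($src) || !rename($src, $dst)) {
        throw new RuntimeException('staged file missing or not movable');
    }
    unset($_SESSION['staged_upload']);
    return $dst;
}

// Step 2 handler:  session_start(); stage_upload($_FILES['userFile']);
// Step 7 handler:  session_start(); finalize_upload($orderId);
```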
