I've created an upload script in php that takes a file, resizes it, and creates a cropped square thumbnail. The script itself seems to work fine.
However, when I tried to upload an image through Firefox, on clicking the submit button the browser shows the loading animation, but it never calls the script, it just stays on the current page. If don’t upload an image, then the script can be found and is run.
I tried in safari, and I don’t get the same problem, I can upload an image from the form, it will process it and take me the correct page.
I’ve tired just calling a basic script from the form, it just prints out the $_POST and $_FILES, and I get the same result, if an image is present, it won’t get to the script, if no image is present, it runs fine.
I’m just wondering if anyone has any idea what’s going on?
=Update=
Okay, so I’ve still got this problem, I seem to think I’ve found out what’s causing it then, but then I find something that contradicts it completely.
At the moment, I’ve noticed that I can successfully upload after I clear my Firefox cache, but I can only upload one image, then when I try to upload another, I can’t, it just resets the connection after "Loading..." for a bit.
Also, I’ve noticed that I can Ctrl+F5 a few times and get another upload through.
Although there are ways around this, I don’t want to have a form that requires users to clear cookies or refresh every time they need to upload. And as I’ve mentioned before, this error does not occur in IE/Opera/Safari/Chrome.
It seems like Firefox is storing something, I’m not sure what.
Any help would be gratefully appreciated.
If it helps here is the code I’m using.
The HTML Form
<form enctype="multipart/form-data" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="POST">
<label for="file">Choose a file to upload</label>
<input id="file" name="file" type="file" /><br />
<input type="submit" value="Upload File" name="submit" />
And the PHP:
if (isset($_POST['submit'])) {
echo "Processing...<br/>";
if (isset($_FILES['file']['name'])) {
$file_array = $_FILES['file'];
echo "Uploading...";
upload File($file_array);
echo "...Done";
}
}
The echos are for me to see what’s going on. If none of them are actually being output. So for some reason the form is not being submitted. Which is why it’s not getting to the script. I’ve no idea why though. I’ve got no CSS, or JavaScript errors.
== Update ==
Okay I’ve being trying some more things and still no luck, the HTML, CSS and JavaScript is all valid. I’ve done an IIS Reset, I’ve recreated my Firefox profile. And still now luck.
I was testing it again, and this time I stopped it in the middle of loading (before the connection was reset) and then tried to go to a different page of the website, and the freezing continued, it would still say "Loading..." and "Waiting for localhost...". Not really sure what to make of that, is it some settings that I have? But then why doesn’t it affect other browsers?
== Update ==
As I mentioned below, it seems that AVG Linkscanner/Active surf shield seems to causing this issue, and there are many reports of others having similar problems with it. I updated from AVG Free v9.0.733 to v9.0.790 and I STILL have the same problem. I’m going to browse the AVG support forums and maybe post something over there since it seems to be an AVG issue.
If anyone does have any more insight, please post below. It’s much appreciated :)
Okay, im getting somewhere with this, you may think this is just a stupid mistake but read on.
If i dont have the < html >< body >..etc tags and just have..
<form enctype="multipart/form-data" action="up.php" method="POST">
<label for="file">Choose a file to upload</label>
<input id="file" name="file" type="file" /><br />
<input type="submit" value="Upload File" name="submit" />
</form>
Then i get this issue, where firefox will hang, on form submission.
If i have the correct tags like..
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body >
<form enctype="multipart/form-data" action="up.php" method="POST">
<label for="file">Choose a file to upload</label>
<input id="file" name="file" type="file" /><br />
<input type="submit" value="Upload File" name="submit" />
</form>
</body>
</html>
Then it seems that this works. Now this looks simple, but i build my pages up dynamically so i just have one file that contains just the form code that gets included in the page.
Thats as far as ive got, althought having the form code in a separate file should make no difference since its all put together server side.
Sometimes, relative paths are perceived differently by different browsers, not that sure actually but try to specify current directory by prefixing path with ./, eg:
$target_path = "./public/photos/";
Rest of the code looks fine to me.
Just in case you are using the latest FF 3.6 I'm experiencing exactly the same problem, Any form loading a big file (1MB it's enought) seem to block FF upload.
On IE7/Safari/Opera it works.
Then when you right click in FF and view source, it should look exactly like it does in your code above (below "If i have the correct tags like..").
From the xhtml 1.0 specification
HTML 4 defined the name attribute for
the elements a, applet, form, frame,
iframe, img, and map. HTML 4 also
introduced the id attribute. Both of
these attributes are designed to be
used as fragment identifiers.
In XML, fragment identifiers are of
type ID, and there can only be a
single attribute of type ID per
element. Therefore, in XHTML 1.0 the
id attribute is defined to be of type
ID. In order to ensure that XHTML 1.0
documents are well-structured XML
documents, XHTML 1.0 documents MUST
use the id attribute when defining
fragment identifiers on the elements
listed above.
Maybe adding an id to the form could fix your problem.
Maybe shomething wrong with if (isset($_POST['submit'])) { and the variable $_POST['submit'] is not included by FireFox?
<pre>
<?PHP
print_r($_POST);
?>
</pre>
This isn't going to help you much but I am having EXACTLY the same problem. I have even re-installed FF, cleared cache, stripped the code right down (to a very simple form without validation and with all PHP stripped out - both on load and on post back). I have the problem in FF 3.6.13 and have tested against current versions of Safari(win), Chrome, Opera and IE where the code all works perfectly. My code validates as strict XHTML and all the suggestions above are already in there... what's more I am using my local (on the same computer) web site.
MANY thanks for pointing me towards AVG Link scanner... disabling it does fix the problem but that still leaves me thinking FF has a bug as "all" other browsers play nicely with the AVG Link scanner on.
Related
Please consider this PHP page below, named xss1.php. You can upload it to any LAMP server or VM you have, to understand my conundrum.
<?php
ob_start();
session_start();
$searchValue = "";
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$searchValue = trim($_POST["txtSearch"]);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>XSS: Sample 1</title>
</head>
<body>
<form name="xssForm" method="POST" action="xss1.php">
<input type="text" id="txtSearch" name="txtSearch" maxlength="128" value="<?php print($searchValue); ?>"/>
<input type="Submit" id="btnSubmit" value="Submit"/>
</form>
</body>
</html>
<?php
ob_end_flush();
?>
I was under the impression, data in text-fields are displayed as is, and need minimal or no-XSS checking. In this text-field, If I were to stick in <script>alert(1);</script> and the form gets posted, the value gets displayed back in the text-field again, with no XSS execution or injection. I'm running Firefox 50.0.2. on my Mac OS X.
Now, if I stick in "><script>alert(1);</script>, there is XSS and I see a Javascript alert pop-out with 1 in it. The characters "/> come after the text-field, rendered as text on the page, not inside the text-field. What changed here? I'm a little perplexed and will perhaps spend the next hour trying to find the answer on XSS Filter Evasion Cheat Sheet, at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
In Safari though, I don't see the Javascript alert pop-out, but "/> gets written outside the text-field, right after it on the page.
It's 2:01 am PT and I'm Sleepless in Seattle :)
I was under the impression, data in text-fields are displayed as is, and need minimal or no-XSS checking
Your impression was wrong. Any user input into an HTML document needs to be considered for XSS. It must be either:
Escaped
Passed through a really good white listing filter
From a trusted source (and that means trusted to not be malicious, and to write code without accidently writing something dangerous, and to not copy/paste code they don't understand).
The characters "/> come after the text-field, rendered as text on the page, not inside the text-field. What changed here?
You added a " character. A " ends an attribute value.
Then you added a >. Inside a tag, but outside of an attribute value, a > ends the tag.
The "/> that were in the original document (i.e. the ones that are not part of the user input) no longer have an attribute and tag to close (because the "> from the user input did that) so are rendered as text.
now first thing is I've seen everywhere over the net what to do in the case that what I'm trying to do doesn't work, I've tried all of the solutions and they don't work, I'm obviously missing something.
I'm uploading multiple files from a form field. This works perfectly and runs some code that resizes etc deletes tmp files blah blah.
The problem is if I don't want to upload any files the upload and image processing script still runs throwing a bunch of errors.
I've tried the following... plus a bunch more with some weird variations :P
if($_FILES['gallery']['name']!=""){ // if files then...
include_once("gallery_edit_script.php");
}
and
if (count($_FILES["gallery"]["name"] > 0)){ // if files count is more than 0 then...
include_once("gallery_edit_script.php");
}
Would the fact that the gallery_edit_script.php is an include have something to do with it?
I checked the file error with...
$_FILES["gallery"]["error"]
It showed no files were selected to upload which was exactly what I wanted.
Any ideas people?
Thanks for anyone who has a look at this.
Cheers
Added HTML but like I said upload is working fine, it's when I want to post the form and not include files to upload that I want it to skip the gallery script. This is on an edit page, so the user has submitted form, data added to db and files uploaded, then comes back and wants to edit data but not upload files.
HTML (simplified as there are heaps of fields etc)
<form action="inventory_edit_lease.php" enctype="multipart/form-data" name="myForm" id="myForm" method="post">
Gallery Photos <input class="input-file" type="file" name="gallery[]" id="gallery" multiple="multiple" />
<input class="button-edititem" type="submit" name="submit" id="button" value="" onclick="javascript:return validateMyForm();"/>
</form>
Sorry I didn't add HTML first time round, form works so didn't think I really needed it ;)
Few check lists...
Make sure you have named your <input type="file" /> as gallery:
<input type="file" />
Make sure the <form> tag has a method="post" and action="" to the correct URL.
Also, make sure your <form> tag has enctype="multipart/form-data" else you won't be able to upload files via that form!
We need to see the HTML Code of your file before we can suggest something. Make sure you have followed the above checklists and even then if it isn't working, post the code and let us know!
Without HTML form I'm just guessing:
for multiple file uploads with same name you must have the filed as
on server side you will receive them as $_FILES["gallery"]
$_FILES["gallery"] will be an array of elements, eg:
foreach($_FILES["gallery"] as $file){
var_export($file);
}
For those interested this is what worked :)
I got this from another thread if($_FILES['files']['name']!="") run if files, don't run if no files headache
if(!empty($_FILES['gallery']['tmp_name']))
{
include_once("gallery_edit_script.php");
}
else
{
header("Location: inventory_list_sales.php");
}
Funny thing is I tried this with another site I'm working on with almost identical code as I copied all the files and only edited small parts and it doesn't work lol
Thanks for everyone's help :)
I have a php form on my website and it works well under firefox. But whenever I tested on IE(v8 and 9), the form doesn't get sent, and it returns a "IE can't display the webpage" error.
The script is located at http://www.fitnessgrace.com/Vancouver-Personal-Trainers/Vancouver-Personal-Trainers-Contact-Fitness-Grace.htm
Any insights would be very much appreciated.
you are posting the page to http://www.FitnessGrace.com/gdform.php
and you have a hidden input
<input type="hidden" name="redirect" value="../index.html" />
after this point, I can only guess, but I think you are trying to redirect to "../index.html", and since gdform.php is already at the root directory, ../ is meaningless. I think firefox somehow understands that you've made a mistake and doesn't care, but ie doesn't understand.
I have a simple HTML form, sending a post request to a php script. In IE8, the form only works intermittently - most of the time the PHP script sees an empty $_POST variable.
Here's my code:
<html>
<head>
<title>Post test</title>
</head>
<body style="text-align: center;">
<?php
echo "<pre>".print_r($_POST, TRUE)."</pre>";
?>
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<input type="text" name="name">
<input type="hidden" name="hidden" value="moo" >
<input type="submit" value="Search" >
</form>
</body>
</html>
Sometimes the print_r gives the response you'd expect (i.e. it's populated with the data from the form), most of the time it's empty.
Not being able to use POST is a bit of a problem for web applications - anyone got any ideas what's going on, and how to fix it?
Thanks everyone for wading in on this one.
It turns out the problem lay in an Apache module I had enabled.
It's a module to allow apache to use Windows authentication to identify a user via their Windows User id - mod_auth_sspi
The effect is caused by a known bug, in the module, but with a simple extra directive this can be worked around, until a fix is added in the next update, as described here:
http://sourceforge.net/projects/mod-auth-sspi/forums/forum/550583/topic/3392037
That sounds very very bizarre. Does it happen in other versions of IE as well?
I can't tell you what the problem is, but here are my suggestions on how to diagnose it:
Print $_REQUEST rather than just $_POST, to see if the data is coming in via another method.
Use a tool like Fiddler or Wireshark to track exactly what is actually being sent by the browser.
Fiddler in particular has been very helpful for me a few times (mainly when debugging Ajax code), and will tell you exactly what was posted by the browser. If your web server is localhost, you can also use Fiddler to track what is received before PHP gets its hands on it. If not, you can use wireshark on the server if you have permissions for installing that sort of thing.
In addition to Fiddler, I would have suggested a browser-based tool like Firebug, but I don't know of one for IE that is good enough (The IE dev toolbar doesn't give you details of request and response data, as far as I know).
I'm suspicious that when the script is telling you that $_POST is empty, you did not actually POST the form. You can check by adding print($_SERVER['REQUEST_METHOD']); after your print_r($_POST);
If you are posting a file some of the time (i.e. with a file input) then make sure you set enctype="multipart/form-data" in your <form> element.
Have you checked the generated html? Is it possible that echo $_SERVER['PHP_SELF'] isn't producing the output you're after, which messes up the form html, which messes up the POST?
My PHP book gives a template HTML form for uploading a file:
<form action="upload.php" method="post" enctype="multipart/form-data"/>
<div>
<input type="hidden" name="MAX_FILE_SIZE" value="10000000"/>
<label for="userfile">Upload a file:</label>
<input type="file" name="userfile" id="userfile"/>
<input type="submit" value="Send File"/>
</div>
</form>
The book displays it as "Upload a file:" [textbox] [Browse...] [Send File]
I copied it verbatim, and the result I'm getting is "Upload a file:" [Choose File] "no file chosen" [Send File]
I'm wondering why the discrepancy exists. Is there a way around it? I'm using XHTML Transitional. No doctype is given in the book. But I doubt that's the issue.
The script I'm writing aims to take the file the user chooses, process it, and write the result into another file that doesn't exist yet. I'm asking this question because it would be useful to let the user more easily copy the initial file path/name, paste it into the other field, and just change a part of it.
(Also: why the difference between "Browse..." and "Choose File"? I tried manually setting the value of the "userfile" field to "Browse..." but nothing happened. This is less important but I'm curious nonetheless.)
It is probably showing a different browser and/or version.
It sounds like you are looking at it under Safari and the book has screenshots of IE, for example.
There are a few ways to get complete control of file uploading and the <input type="file" /> element. You can use Flash, or you can set the input to opacity: 0 and then position what you want beneath it.
Some time ago the browser engines took almost complete control over the input type="file" - fields, since it nowadays is regarded as a security issue. For example the days before that you could easily prefill the file input filed with some path and filename (e.g. something like /etc/passwd) and hide the field, so sending the form you would not remark that you're also sending the file...
That's why for example you could not preset the filename of such a field and that's also why browsers now all do their own thing with these special input fields.
As Alex said above, you could get around this, but it will be some hassle, because it would mean to "fake" the file input field.