Handling file uploads

[Truman]

I wrote this correct code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Upload a File</title>
</head>
<body>
<?php // Script 11.4 - upload_file.php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  if (move_uploaded_file($FILES['the_file']['tmp_name'],"../uploads/{$_FILES['the_file']['name']}")) {
    print '<p>Your file has been uploaded.</p>';
  } else {
    print '<p style="color:red;">Your file could not be uploaded because: ';
	switch($_FILES['the_file']['error']) {
	case 1:
	  print 'The file exeeds upload_max_filesize setting in php.ini';
	  break;
	case 2:
	  print 'The file exeeds MAX_FILE_SIZE setting in the HTML form';
	  break;
	case 3:
	  print 'The file was only partially uploaded';
	  break;
	case 4:
	  print 'No file was uploaded.';
	  break;
	case 6:
	  print 'The temporary folder does not exist.';
	default:
	  print 'Somethin unforseen happened.';
	  break;
	  print '.</p>';
	}
  }
}
?>
<form action="upload_file.php" enctype="multipart/form-data" method="post">
 <p>Upload a file using this form: </p>
 <input type="hidden" name="MAX_FILE_SIZE" value="300000" />
 <p><input type="file" name="the_file" /></p>
 <p><input type="submit" name="submit" value="Upload this file" /></p>
</form>
</body>
</html>

I ran this code through browser, uploaded a file that I named 'the_file' and I received error 6:

Your file could not be uploaded because: Something unforseen happened.

 

Is there something that I'm missing here?

[Ingolme]

You forgot a break; after case 6.

 

You should put print '.</p>'; outside of the switch statement.

 

If there's no temporary folder then you'll have to set up your server to provide PHP with a temporary folder for uploaded files.

[davej]

It seems silly to me to have a hidden input specify MAX_FILE_SIZE. You should put enforced limits and validation in your Php code where they will be safe from any possibility of external manipulation. I see you do have a php.ini limit. Where do you test the file type?

[justsomeguy]

You should test for upload errors before trying to move the uploaded file. You left out a couple error codes also, one of which might be the problem:

 

http://php.net/manual/en/features.file-upload.errors.php

[Truman]

You forgot a break; after case 6.

 

You should put print '.</p>'; outside of the switch statement.

 

If there's no temporary folder then you'll have to set up your server to provide PHP with a temporary folder for uploaded files.

After making those changes I still receive the same note. I use XAMPP server, can you please shortly explain me how to set it up?

[Truman]

You should test for upload errors before trying to move the uploaded file. You left out a couple error codes also, one of which might be the problem:

 

http://php.net/manual/en/features.file-upload.errors.php

After adding error 7 and error 8 I still receive the default error message.

Edited June 3, 2016 by Truman

[Ingolme]

Have you seen what error code is actually being used?

 

You can update the default message to show it:

default:
     print 'Something unforeseen happened. Error code: ' . $_FILES['the_file']['error'];

[davej]

What if ../uploads does not exist?

 

--update edit--

 

Yes, this would definitely cause a failure.

  $target_dir = "../uploads/";
  if (!file_exists($target_dir)){
     mkdir($target_dir);
  }
  if (move_uploaded_file($FILES['the_file']['tmp_name'],"{$target_dir}{$_FILES['the_file']['name']}")) {

[Ingolme]

Ideally you would check for errors first, then move the uploaded file after as mentioned here http://w3schools.invisionzone.com/index.php?showtopic=55426#entry304332

[davej]

I'm beginning to suspect that Php is written by mentally ill people. That MAX_FILE_SIZE suggestion is straight from their recommended approach here...

 

http://php.net/manual/en/features.file-upload.post-method.php

 

...where they then say...

 

 

Keep in mind: fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. It is merely a convenience feature for users on the client side of the application.

 

No it isn't a "convenience feature" -- it is "a stupid suggestion."

[justsomeguy]

If move_uploaded_file returns false then it should also output an error message. Make sure you have all errors enabled:

 

ini_set('display_errors', 1);
error_reporting(E_ALL);

[davej]

I see the problem. Your code has $FILES rather than $_FILES.

 

But also the uploads directory must exist, as I mentioned above.

[Truman]

I see the problem. Your code has $FILES rather than $_FILES.

 

But also the uploads directory must exist, as I mentioned above.

Actually this '$FILES' was a mistake, when I corrected it worked! I already made uploads directory for this purpose.

 

I will also take a look on other suggestions that you and your colleagues gave me on this topic.

[Chikwado]

If you use example given by w3schools it will work. Try it.