Jump to content
Sign in to follow this  
Truman

Handling file uploads

Recommended Posts

I wrote this correct code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Upload a File</title>
</head>
<body>
<?php // Script 11.4 - upload_file.php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  if (move_uploaded_file($FILES['the_file']['tmp_name'],"../uploads/{$_FILES['the_file']['name']}")) {
    print '<p>Your file has been uploaded.</p>';
  } else {
    print '<p style="color:red;">Your file could not be uploaded because: ';
	switch($_FILES['the_file']['error']) {
	case 1:
	  print 'The file exeeds upload_max_filesize setting in php.ini';
	  break;
	case 2:
	  print 'The file exeeds MAX_FILE_SIZE setting in the HTML form';
	  break;
	case 3:
	  print 'The file was only partially uploaded';
	  break;
	case 4:
	  print 'No file was uploaded.';
	  break;
	case 6:
	  print 'The temporary folder does not exist.';
	default:
	  print 'Somethin unforseen happened.';
	  break;
	  print '.</p>';
	}
  }
}
?>
<form action="upload_file.php" enctype="multipart/form-data" method="post">
 <p>Upload a file using this form: </p>
 <input type="hidden" name="MAX_FILE_SIZE" value="300000" />
 <p><input type="file" name="the_file" /></p>
 <p><input type="submit" name="submit" value="Upload this file" /></p>
</form>
</body>
</html>

I ran this code through browser, uploaded a file that I named 'the_file' and I received error 6:

Your file could not be uploaded because: Something unforseen happened.

 

Is there something that I'm missing here?

Share this post


Link to post
Share on other sites

You forgot a break; after case 6.

 

You should put print '.</p>'; outside of the switch statement.

 

If there's no temporary folder then you'll have to set up your server to provide PHP with a temporary folder for uploaded files.

Share this post


Link to post
Share on other sites

It seems silly to me to have a hidden input specify MAX_FILE_SIZE. You should put enforced limits and validation in your Php code where they will be safe from any possibility of external manipulation. I see you do have a php.ini limit. Where do you test the file type?

Share this post


Link to post
Share on other sites

You forgot a break; after case 6.

 

You should put print '.</p>'; outside of the switch statement.

 

If there's no temporary folder then you'll have to set up your server to provide PHP with a temporary folder for uploaded files.

After making those changes I still receive the same note. I use XAMPP server, can you please shortly explain me how to set it up?

Share this post


Link to post
Share on other sites

Have you seen what error code is actually being used?

 

You can update the default message to show it:

default:
     print 'Something unforeseen happened. Error code: ' . $_FILES['the_file']['error'];

Share this post


Link to post
Share on other sites

What if ../uploads does not exist?

 

--update edit--

 

Yes, this would definitely cause a failure.

  $target_dir = "../uploads/";
  if (!file_exists($target_dir)){
     mkdir($target_dir);
  }
  if (move_uploaded_file($FILES['the_file']['tmp_name'],"{$target_dir}{$_FILES['the_file']['name']}")) {

Share this post


Link to post
Share on other sites

I'm beginning to suspect that Php is written by mentally ill people. That MAX_FILE_SIZE suggestion is straight from their recommended approach here...

 

http://php.net/manual/en/features.file-upload.post-method.php

 

...where they then say...

 

 

Keep in mind: fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. It is merely a convenience feature for users on the client side of the application.

 

No it isn't a "convenience feature" -- it is "a stupid suggestion."

Share this post


Link to post
Share on other sites

If move_uploaded_file returns false then it should also output an error message. Make sure you have all errors enabled:

 

ini_set('display_errors', 1);
error_reporting(E_ALL);

Share this post


Link to post
Share on other sites

I see the problem. Your code has $FILES rather than $_FILES.

 

But also the uploads directory must exist, as I mentioned above.

Share this post


Link to post
Share on other sites

I see the problem. Your code has $FILES rather than $_FILES.

 

But also the uploads directory must exist, as I mentioned above.

Actually this '$FILES' was a mistake, when I corrected it worked! I already made uploads directory for this purpose.

 

I will also take a look on other suggestions that you and your colleagues gave me on this topic.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×