renaming an uploaded file

[djp1988]

I have the following php code :

$user = $_SESSION['user_id'];					$type = $_FILES['thefile']['type'];				if(move_uploaded_file(($_FILES['thefile']['tmp_name']), "path/{$_FILES['thefile']['name']}")){					$image = $_FILES['thefile']['name'];

I want to rename the file as : memberid.gif or .jpgso something like :$user.jpgBut I can't seem to be able to do soOne of my other attempts:

				if(move_uploaded_file(($_FILES['thefile']['tmp_name']), "path/{$_FILES['thefile']}".$user."{$_FILES['name']}")){}

But that failed, that was a compromise to have at least the member id at the start of the file name, but.... what I really want is:member 22 uploaded: 22.jpgmember 156 uploaded: 156.gif...

[Jesdisciple]

First, this will make it easier for both humans and machines to read your code:

				if(move_uploaded_file(($_FILES['thefile']['tmp_name']), "path/{$_FILES['thefile']}{$user}{$_FILES['name']}")){}

Are you sure $user has been assigned? Better yet, can we see your full code?

[jeffman]

Just your basic debug suggestions:Have you echoed your destination string to make sure it's formed correctly?Is "path/ written that way just for our benefit? You're not missing a $ ?Is the path correctly formed relative to the location of your script? (This one burns people all the time.)Are you reporting all errors and warnings? Do they say anything?

[djp1988]

No all that is correct, the file is being placed there but not named as I want it to be

[jeffman]

Oh. So the problem is constructing the correct file name? Try tinkering with this.

$ext = array_pop( explode('.', $_FILES['thefile']['name']) );// add some lines to validate $ext$fname = "$user.$ext";

Explode() takes a string and turns it into an array, using another string (in this case '.') as a delimiter. Since we don't need the whole array, I don't assign it to anything. I immediately pop the final value off the array, and assign that to $ext. Since it's the final value, it should be the file extension. Then I concatenate that to $user, which I guess is the username you're after.Just to be safe, you should validate that $ext exists and is a valid image extension in your context.

[djp1988]

thanks, now what about this 'security' issues on allowing a directory to be uploaded on? Am I in danger? I have in my script only allowed jpg's to be the file to be uploaded, but, is that enough?

[Jesdisciple]

Where did you see mention of security issues? The only one I know of is if you let an executable (e.g. .exe or .php) file be uploaded. (Although I'm not sure how a client would execute a .exe... Oh well.)

[jeffman]

The easiest thing is to store all your data in a directory (and its sub directories) that has an .htaccess file denying access to all. Such denial applies just to http requests, not to your own php reading and writing. So even if a hacker guessed at your directory structure and file naming scheme, and they did manage to store a nasty executable, any requests to access such a file would be denied.If you're not sure what I mean, google "htaccess deny" -- you'll find something.

[djp1988]

Ok well I don't think I need to worry, I am only allowing jpg's to be uploaded