[PHP] file upload temp file is and isn't there
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Solaris 7 Apache 1.3.14 PHP 4.0.4p1 For the life of me I can't figure out what's going on. I have: form enctype='multipart/form-data' action='/admin/upload.php' method='post' input type=hidden name=MAX_FILE_SIZE value=5000 input type=hidden name=uploadingfile value=true Choose File: input name=userfile size=69 type=fileP input type=submit value='Send File'/form and I can try to upload a file, but then the HTTP_POST_FILES hash doesn't get properly populated and no file is stored in the upload directory. Basically: HTTP_POST_FILES["userfile"] Array ( [name] =1323.txt [type] =text/plain [tmp_name] =none [size] = 0 ) I've set my php.ini with: upload_tmp_dir = /tmp and nothing gets put in there (I've verified that the dir has world r/w w/ suid). Any ideas of how to debug this futher? - -- Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org URI:www.synfin.net They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery. I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80 596E 60BF 451B 20E8 -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc iEYEARECAAYFAjqJwWEACgkQhweYF/hu2uYnjgCfbXQVLYBwVnmAE5RHRxeTtdFI YgAAoIf9w7fNcbFmxyT/LlRUHa3lHfqB =Jqdm -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] file upload temp file is and isn't there
A lil clip from Devedge.. you need a VALUE="" field along w/ a NAME="" maybe? This places an element on an HTML form that lets the user supply a file as input. When the form is submitted, the content of the specified file is sent to the server as the value portion of the name/value pair for this input element. Netscape Navigator displays a "Browse" button next to the file input element that lets users select a file from their system to use as the value of the file input element. *Navigator 2.0* If a a form contains a file input element, the value of the ENCTYPE attribute of the FORM tag should be |"multipart/form-data"|. Syntax |INPUT TYPE="FILE" NAME="|/|name" |/| VALUE="|/|filename" |/|| */ NAME=name/* specifies the name of the input element. This value is used as the name portion of the name/value pair for this element that is sent to the server when the form is submitted. The name is not displayed on the form. */ VALUE=filename/* specifies the initial value of the input element. |FORM ENCTYPE="multipart/form-data" ACTION="/cgi-bin/example.cgi" METHOD="POST" PFile name: INPUT TYPE="file" /FORM| Aaron D. Turner wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Solaris 7 Apache 1.3.14 PHP 4.0.4p1 For the life of me I can't figure out what's going on. I have: form enctype='multipart/form-data' action='/admin/upload.php' method='post' input type=hidden name=MAX_FILE_SIZE value=5000 input type=hidden name=uploadingfile value=true Choose File: input name=userfile size=69 type=fileP input type=submit value='Send File'/form and I can try to upload a file, but then the HTTP_POST_FILES hash doesn't get properly populated and no file is stored in the upload directory. Basically: HTTP_POST_FILES["userfile"] Array ( [name] =1323.txt [type] =text/plain [tmp_name] =none [size] = 0 ) I've set my php.ini with: upload_tmp_dir = /tmp and nothing gets put in there (I've verified that the dir has world r/w w/ suid). Any ideas of how to debug this futher? - -- Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org URI:www.synfin.net They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery. I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80 596E 60BF 451B 20E8 -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc iEYEARECAAYFAjqJwWEACgkQhweYF/hu2uYnjgCfbXQVLYBwVnmAE5RHRxeTtdFI YgAAoIf9w7fNcbFmxyT/LlRUHa3lHfqB =Jqdm -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] file upload temp file is and isn't there
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 13 Feb 2001, Michael McGlothlin wrote: A lil clip from Devedge.. you need a VALUE="" field along w/ a NAME="" maybe? A VALUE= isn't required for TYPE=file (and adding it didn't solve my problem). This places an element on an HTML form that lets the user supply a file as input. When the form is submitted, the content of the specified file is sent to the server as the value portion of the name/value pair for this input element. Netscape Navigator displays a "Browse" button next to the file input element that lets users select a file from their system to use as the value of the file input element. *Navigator 2.0* Yep, and if you look at the HTTP_POST_FILES hash you'll see that the browser/form properly sent the filename. The problem is with the temporary file that isn't created/stored. More specifically, HTTP_POST_FILES[userfile][tmp_name] is set to 'none' when it should be something like /tmp/abc123 and the size is 0. - -- Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org URI:www.synfin.net They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery. I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80 596E 60BF 451B 20E8 -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc iEYEARECAAYFAjqJyJEACgkQhweYF/hu2ua1gwCfU6P+ScZCxAKlOFqlAzcZLkX7 KoEAoJDPG7AvelXPlLusT3BME1EZQQX/ =is6w -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] file upload temp file is and isn't there
Aaron, Are you processing the file on the page you're "posting" to? Could you send your processing code so we can have a look? If you're still having problems, I can send you an example. Jason --- "Aaron D. Turner" [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Solaris 7 Apache 1.3.14 PHP 4.0.4p1 For the life of me I can't figure out what's going on. I have: form enctype='multipart/form-data' action='/admin/upload.php' method='post' input type=hidden name=MAX_FILE_SIZE value=5000 input type=hidden name=uploadingfile value=true Choose File: input name=userfile size=69 type=fileP input type=submit value='Send File'/form and I can try to upload a file, but then the HTTP_POST_FILES hash doesn't get properly populated and no file is stored in the upload directory. Basically: HTTP_POST_FILES["userfile"] Array ( [name] =1323.txt [type] =text/plain [tmp_name] =none [size] = 0 ) I've set my php.ini with: upload_tmp_dir = /tmp and nothing gets put in there (I've verified that the dir has world r/w w/ suid). Any ideas of how to debug this futher? - -- Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org URI:www.synfin.net They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery. I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80 596E 60BF 451B 20E8 -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc iEYEARECAAYFAjqJwWEACgkQhweYF/hu2uYnjgCfbXQVLYBwVnmAE5RHRxeTtdFI YgAAoIf9w7fNcbFmxyT/LlRUHa3lHfqB =Jqdm -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] __ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! http://personal.mail.yahoo.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] file upload temp file is and isn't there
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 13 Feb 2001, jason cox wrote: Aaron, Are you processing the file on the page you're "posting" to? Yep. A little more info this time. Ok this makes no freaking sense to me: I can upload my /etc/passwd file - -rw-r--r--1 root root 998 Dec 9 01:44 /etc/passwd I can't upload other random files in my home directory which I own/have read access to. - -rw-rw-r--1 aturner aturner 84558 Jan 9 17:01 /home/aturner/1323.txt Could you send your processing code so we can have a look? If you're still having problems, I can send you an example. Sure: ?PHP require "security.inc"; # checks user cookie to see if they have access include "connect.inc"; # connects to database function is_an_uploaded_file($filename) { if (! $tmp_file = get_cfg_var('upload_tmp_dir')) { $tmp_file = dirname(tempname('', '')); } $tmp_file .= '/' . basename($filename); # User might have trailing / in php.ini return (ereg_replace('/+', '/', $tmp_file) == $filename); } function abortupload($message) { echo "H1 align=center$message/H1"; unlink ($HTTP_POST_FILES[userfile][tmp_name]); phpinfo(); echo "/BODY/HTML"; exit; } ? HTML HEAD TITLESunnyvale Staging Server/TITLE /HEAD !-- Background white, links blue (unvisited), navy (visited), red (active) -- BODY BGCOLOR="#FF" TEXT="#00" LINK="#FF" VLINK="#80" ALINK="#FF" font size=-1[ a href="/"Main Index/a ]/font ?PHP if ($uploadingfile == "") { $line = "form enctype='multipart/form-data' action='/admin/upload.php' method='post' input type=hidden name=MAX_FILE_SIZE value=5000 input type=hidden name=uploadingfile value=true Choose upload location: select name=directory option name=FilesFiles/option option name=DocsDocumentation/option /select\nP"; echo $line; echo "Link Description: input type=text name=description size=80 value=''P\n"; echo "Detailed Description:brtextarea wrap=soft name=info rows=5 cols=80/textareaP\n"; echo "input type=hidden name=urltype value=file"; echo "Active: select name=activeoption value=yYes/optionoption value=nNo/optionoption value=sSubmitted/option/selectP\n"; $result = mysql_query("SELECT * FROM groups"); $line = "select name=urlgroup"; while ($row = mysql_fetch_array($result)) { $line .= "option value=$row[groupID]$row[groupname] ($row[page])/option"; } $line .= "/selectP\n"; # echo "Group: $line"; echo "input type=hidden name=urlgroup value=1"; echo "Choose File: input name=userfile size=69 type=file value=''P\n"; echo "input type=submit value='Send File'/form"; } else { $location = ""; if ($HTTP_POST_VARS[directory] = "Files") { $location = "/usr/local/apache1.3.14/htdocs/Files"; } elseif ($HTTP_POST_VARS[directory] = "Docs") { $location = "/usr/local/apache1.3.14/htdocs/Docs"; } else { abortupload ("Error! Invalid Directory value: $HTTP_POST_VARS[directory]"); } if ($description == "") { abortupload("Error! Please provide a description for this document"); } elseif ($info == "") { abortupload("Error! Please provide information for this document"); } if ($uploadfile = is_an_uploaded_file($userfile)) { $uploadfile = $location . "/" . $HTTP_POST_FILES[userfile][name]; copy ($userfile, $uploadfile); $result = mysql_query("SELECT * FROM users WHERE LoginName = '$loginname' LIMIT 1"); $userrow = mysql_fetch_array($result); $url = "/" . $HTTP_POST_VARS[directory] . "/" . $HTTP_POST_FILES[userfile][name]; $mirror = 0; $result = mysql_query("SELECT * FROM urls WHERE url = '$url'"); if ($existing = mysql_fetch_array($result)) { if ($existing[owner] != $userrow[UserID]) { abortupload("Error: Your user ID doesn't have permission to modify this file."); } } else { $result = mysql_query("INSERT INTO urls (owner, urlgroup, url, urldesc, info, active, mirror, urltype) VALUES ('$userrow[UserID]', '$HTTP_POST_VARS[urlgroup]', '$url', '$HTTP_POST_VARS[description]', '$HTTP_POST_VARS[info]', '$HTTP_POST_VARS[active]', '$mirror', '$HTTP_POST_VARS[urltype]')"); echo "H1 align=centerFile upload complete!/H1"; } } else { abortupload("Possible file upload attack: filename: " . $HTTP_POST_FILES["userfile"]["name"] . "."); } } ? /body /html -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc iEYEARECAAYFAjqJ08sACgkQhweYF/hu2ubukACbBij1wtVYr1gTngdHsXgrKmOr ai8AnicSOVkP6OS1qiwfSQBBPqmL566k =kNOr -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] file upload temp file is and isn't there
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ah, figured out the problem. MAX_FILE_SIZE is in BYTES not Kilobytes. Any file 5K was killed. - -- Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org URI:www.synfin.net They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery. I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80 596E 60BF 451B 20E8 -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc iEYEARECAAYFAjqJ/gsACgkQhweYF/hu2ubzAACfRt9l+TvifIobJyOqs5UlvAA1 uS0AniXKKTuvazWZHCZeW5QZyXpHztnZ =Zpnk -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]