
PHP File Upload Issue - Not Parsing <Input 'file' Variable


BDCool1983


I just moved a bunch of our websites to a new server, which I believe is PHP 5.4, without going to check it.

 

The problem I'm facing is I cannot upload files via a script. It's so strange. I have tried defining the variables using the $_POST/GET methods, and I have tried emulating Register Globals.

 

Essentially the issue seems to be that it's not carrying the <input type='file'> variable across to the next page.

 

So, e.g., on the next page the variable output I get is:

Array(    [message] =>     [msgurl] =>     [filter] => ALL    [sortorder] => A)

Arraypost_max_size = 64M

 

If I change the input type to 'text', say, then I get:

Array(    [message] =>     [userfile] =>     [msgurl] =>     [filter] => ALL    [sortorder] => A)

Arraypost_max_size = 64M

 

 

I have checked the php.ini files for upload sizes, the tmp folder, the httpd.conf files, etc. I'm stumped. Can someone check out the file attached and give me some ideas here? The form is at the bottom, and the main file upload PHP gear is around line 124.

articles.php

Edited by BDCool1983

the code is way out of date (about 13 years out of date) and is dependent on register_globals being on. rather than to patch it up by emulating register_globals, which introduces a huge security hole, by allowing any session variable to be set from any $_POST/$_GET data a hacker feeds your script, you should access the correct $_POST, $_GET and $_FILES data that is being submitted to the code.

 

while you are updating things, the mysql_ and ereg_ functions are obsolete and will be removed from php in the future and should be upgraded to equivalent PDO/mysqli and preg_ functions. i also see a bunch of stripslashes() statements, indicating that php's magic quotes settings were messing up your data. the magic_quotes and register_globals both have been removed as of php 5.4.

 

you will also want to properly escape (using the database library's escape string function) string data (addslashes(), which is what the magic quotes used internally, is not sufficient) being put into sql queries or use prepared queries to prevent sql injection and errors when string data contains sql special characters.

 

edit: another thing the code is using that will cause you problems moving between server configurations is the short opening php <? tag. you should always use a full opening php <?php tag so that your php code will always be seen as being php code, regardless of the php configuration.

 

and in general, to clean up the code, you should have the php 'business logic' that controls what happens on the page, processes form data, and retrieves data displayed on the page, grouped together near the start of the file and the 'presentation logic' that is producing the html/css/javascript on the page near the end of the file. the only php code in the presentation logic should be simple loops/echo statements that make use of the data from the business logic.

 

and even more, the htmlentities() and nl2br() functions are OUTPUT functions, used when displaying information on a web page. they should not be used when inputting data into a database table.
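
Added example (not part of the reply above and not the poster's articles.php): one way to read the upload from $_FILES, store the form data with a prepared query, and escape only on output, along the lines the reply recommends. The field names userfile, message and msgurl come from the question's output; the DSN, credentials, the articles table with its filename column, and the upload directory are assumptions.

```php
<?php
// Added example, not the code from articles.php. Field names userfile, message and
// msgurl come from the question's output; DSN, credentials, the articles table and
// $uploadDir are assumptions.
$uploadDir = '/var/www/uploads';   // assumed location, ideally outside the web root
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];
$error = null;
$stored = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Text fields arrive in $_POST; an uploaded file is only ever described in $_FILES.
    $message = isset($_POST['message']) ? (string) $_POST['message'] : '';
    $msgurl  = isset($_POST['msgurl']) ? (string) $_POST['msgurl'] : '';
    $file    = isset($_FILES['userfile']) ? $_FILES['userfile'] : null;
    if ($file === null) {
        // Typical causes: no enctype="multipart/form-data", or body over post_max_size.
        $error = 'No file field received.';
    } elseif ($file['error'] !== UPLOAD_ERR_OK) {
        $error = 'Upload failed with code ' . (int) $file['error'];
    } elseif (!is_uploaded_file($file['tmp_name'])) {
        $error = 'Not a genuine HTTP upload.';
    } else {
        // Decide the type from the file contents, not the client-supplied name or type.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($file['tmp_name']);
        if (!isset($allowed[$mime])) {
            $error = 'File type not allowed.';
        } else {
            // Server-generated name: the client's filename never reaches the filesystem.
            $stored = sha1_file($file['tmp_name']) . '.' . $allowed[$mime];
            if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $stored)) {
                $error = 'Could not store the file.';
            }
        }
    }
    if ($error === null) {
        // Prepared statement: raw values are bound; no addslashes()/htmlentities() on input.
        $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8', 'user', 'pass',
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $stmt = $pdo->prepare('INSERT INTO articles (message, msgurl, filename) VALUES (?, ?, ?)');
        $stmt->execute([$message, $msgurl, $stored]);
    }
}
?>
<!-- Presentation logic: escape at output time only. -->
<p><?php echo htmlspecialchars($error !== null ? $error : 'Ready', ENT_QUOTES, 'UTF-8'); ?></p>
<form method="post" enctype="multipart/form-data">
  <input type="text" name="message"> <input type="text" name="msgurl">
  <input type="file" name="userfile"> <input type="submit" value="Upload">
</form>
```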
