
Dynamic creation of folders on server?


RottenBananas


Hello,

I have file uploads on my site, each user can upload files. I want a way to organize the files by user. When I do move_uploaded_file it wants the target folder I want the file to go in. Is there any way I can have the folder created when the user uploads a file?

 

Example:

username: john

-John uploads a file called pic.jpg

-my PHP checks to see if a folder named john exists, if not it creates it and sticks pic.jpg into it.

-if it exists it just moves pic.jpg into it

 

Can this be done? Or should I just have all the files in one folder?

 

Thanks

 

 

https://forums.phpfreaks.com/topic/116629-dynamic-creation-of-folders-on-server/

oh wait sorry...

 

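// Per-user folder under the document root ($_SERVER keys are upper-case and must be quoted)
$target_path = $_SERVER['DOCUMENT_ROOT']."/".$_SESSION['uid'];

// @ hides the warning mkdir() raises when the folder already exists
@mkdir($target_path);

// basename() drops any directory part of the client-supplied file name
$target_path .= "/".basename($_FILES['uploadedfile']['name']);

// Replace YOUR FIELD NAME with the name of the file input in your form
move_uploaded_file($_FILES['YOUR FIELD NAME']['tmp_name'], $target_path);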

 

word of caution...

 

Instead of checking on the fly to see if the folder exists, I would create the folder when the user first signs up.  I would also pull the path to the folder from the db or sanitize and check it really well.

 

Session variables can be changed and if you just check and create a new folder based on a session variable, you are asking for problems.

 

Using Firefox, the web developer extension and my server I was able to verify this is a BAD idea.

 

 

Anyone can set their session variable to a relative path (../../../) and attempt to make a dir and upload a file anywhere on the file system.  Hopefully you have your www-data user well restricted.

 

What are the permissions on your website files as well?  Think about what would happen with the previously posted code if www-data had write privileges and someone set their session variable to "." and uploaded 'index.html'.

Using Firefox, the web developer extension and my server I was able to verify this is a BAD idea.

 

 

Anyone can set their session variable to a relative path (../../../) and attempt to make a dir and upload a file anywhere on the file system.  Hopefully you have your www-data user well restricted.

 

What are the permissions on your website files as well?  Think about what would happen with the previously posted code if www-data had write privileges and someone set their session variable to "." and uploaded 'index.html'.

 

I would really like to see your method of changing session data... From what I know, all data is stored on the server, and only a session ID is stored on the client side.

 

try:

$target_path = $_SERVER['DOCUMENT_ROOT']."/".$_POST['username']."/".basename($_FILES['uploadedfile']['name']);

 

Never use non-sanitized user data in ways like this. See above quote for the reason.

 

Instead of checking on the fly to see if the folder exists, I would create the folder when the user first signs up.  I would also pull the path to the folder from the db or sanitize and check it really well.

 

I disagree. It's good practice to make sure the path exists before attempting to move files to it. This will allow proper error reporting when something bad happens...

Haha, funny thing, I was just driving home and told myself to make sure I post a question about permissions on this thread. The site isn't live yet, I'm making it on my localhost. I'm new to all this, what should my permissions be?

 

What would be an alternative? Should I just stick all the files in one folder and worry about organization through my database?

What do you guys mean by sanitize?

I have a function I call on anything posted from the user

function protect($string)
{
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = addslashes($string);

return $string;
}

 

Would that suffice?

Really depends on the data you expect, and what you're going to do with it. If it was being outputted to the browser, then no.

 

The more strict you are in validating ( sanitizing ) user data, the less it becomes a security hole.

I'm still getting the failed to open stream error

 

Here's what I have

if($_SESSION['uid'])
{
$sql = "SELECT * FROM `users` WHERE `user_id`='".$_SESSION['uid']."'"; # when they login the SESSION['uid'] is set to their userid
$res = mysql_query($sql) or die(mysql_error());

$row = mysql_fetch_assoc($res);

$title = protect($_POST['title']);
$target = $_SERVER[document_root]."/".$row['username'];
@mkdir($target);
$target = $target."/".basename($_FILES['song']['name']) ;
$size = $_FILES['song']['size'];
$song = $_FILES['song']['name'] ;

if(move_uploaded_file($_FILES['song']['tmp_name'], $target))
{
	echo "<script language=\"Javascript\" type=\"text/javascript\">
	alert(\"Your song has been uploaded\")
	document.location.href='profilecp.php'</script>";
}
else
{
	echo "<script language=\"Javascript\" type=\"text/javascript\">
	alert(\"There was an error, try again\")
	document.location.href='profilecp.php'</script>";
}
}

Echo $target, make sure it's what you expect.

 

Also, remove the @ from mkdir, unless you're going to have some sort of manual error checking. Suppressing errors in a script that doesn't work -> not a great way to debug.
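
The points raised across the replies above (take the folder from a trusted numeric id rather than request data, check the mkdir result instead of suppressing it, keep the file name from escaping the folder), put together as an added example that is not code from any poster in this thread. The helper name user_upload_target, the temp-directory base and the extension allow-list are assumptions made for illustration.

```php
<?php
// Added example; hypothetical helper, not code posted in the thread.
// Returns an upload target that stays inside $baseDir whatever the inputs are.
function user_upload_target(string $baseDir, $userId, string $clientName,
                            array $allowedExt = ['jpg', 'mp3']): string
{
    // Folder name comes from the numeric user id only, never from a username or a request field.
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('user id is not a positive integer');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload base directory is missing');
    }
    $dir = $base . DIRECTORY_SEPARATOR . $id;
    // No @ here: a failed mkdir is reported now, not later as "failed to open stream".
    if (!is_dir($dir) && !mkdir($dir, 0750) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    // Keep the last path component only (both separator styles), then a narrow character set.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), '.');
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('file name or type not allowed');
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample inputs: one normal upload, then the cases raised in the thread.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
if (!is_dir($base)) {
    mkdir($base, 0750);
}
$cases = [[42, 'pic.jpg'], ['../../../', 'pic.jpg'], ['.', 'index.html'],
          [42, '../../index.php'], [42, '..\\..\\song.mp3']];
foreach ($cases as [$uid, $file]) {
    try {
        echo user_upload_target($base, $uid, $file), "\n";
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

In a real upload handler the returned path is what goes into move_uploaded_file() as the destination, with the user id read from the database row for the logged-in user.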

 

 

Archived

This topic is now archived and is closed to further replies.
