Dynamic creation of folders on server?

RottenBananas · July 25, 2008

Hello,

I have file uploads on my site, each user can upload files. I want a way to organize the files by user. When I do move_uploaded_file it wants the target folder i want the file to go in. Is there any way I can have the folder created when the user uploads a file?

Example:

username: john

-John uploads a file called pic.jpg

-my php checks to see if a folder named john exists, if not it creates it and sticks pic.jpg into it.

-if it exists it just moves pic.jpg into it

Can this be done? Or should I just have all the files in one folder?

Thanks

craygo · July 25, 2008

As long as php has permisission to create a new folder it should be no problem.

How are you getting the users name?

Are they already logged in??

is the name in a session variable??

fanfavorite · July 25, 2008

$target_path = $_POST[username]."/".basename( $_FILES['uploadedfile']['name']);

move_uploaded_file($_FILES['YOUR FIELD NAME']['tmp_name'], $target_path)

fanfavorite · July 25, 2008

Or if username is a session, change to $_SESSION[username].

RottenBananas · July 25, 2008

Yeah they are logged by $_SESSION['uid'] , i tried that method first and it complains about failing to open a stream: No such file or directory, it fails to move tmp/randomletters to username/file.jpg

fanfavorite · July 25, 2008

try:

$target_path = $_SERVER[document_root]."/".$_POST[username]."/".basename( $_FILES['uploadedfile']['name']);

fanfavorite · July 25, 2008

oh wait sorry...

$target_path = $_SERVER[document_root]."/".$_SESSION[uid]

@mkdir($target_path);

$target_path .= "/".basename( $_FILES['uploadedfile']['name']);

move_uploaded_file($_FILES['YOUR FIELD NAME']['tmp_name'], $target_path)

mbeals · July 25, 2008

word of caution...

Instead of checking on the fly to see if the folder exists, I would create the folder when the user first signs up. I would also pull the path to the folder from the db or sanitize and check it really well.

Session variables can be changed and if you just check and create a new folder based on a session variable, you are asking for problems.

mbeals · July 25, 2008

Using firefox, the web developer extension and my server I was able to verify this is a BAD idea.

anyone can set their session variable to a relative path (../../../) and attempt to make a dir and upload a file anywhere on the file system. Hopefully you have your www-data user well restricted.

What are the permissions on your website files as well? Think about what would happen with the previously posted code if www-data had write privileges and someone set their session variable to "." and uploaded 'index.html'.

discomatt · July 25, 2008

Using firefox, the web developer extension and my server I was able to verify this is a BAD idea.

anyone can set their session variable to a relative path (../../../) and attempt to make a dir and upload a file anywhere on the file system. Hopefully you have your www-data user well restricted.

What are the permissions on your website files as well? Think about what would happen with the previously posted code if www-data had write privileges and someone set their session variable to "." and uploaded 'index.html'.

I would really like to see your method of changing session data... From what I know, all data is stored on the server, and only a session ID is stored on the client side.

try:

$target_path = $_SERVER[document_root]."/".$_POST[username]."/".basename( $_FILES['uploadedfile']['name']);

Never use non-sanitized user data in ways like this. See above quote for the reason.

Instead of checking on the fly to see if the folder exists, I would create the folder when the user first signs up. I would also pull the path to the folder from the db or sanitize and check it really well.

I disagree. It's good practice to make sure the path exists before attempting to move files to it. This will allow proper error reporting when something bad happens...

RottenBananas · July 25, 2008

haha funny thing, i was just driving home and told myself to make sure I post a question about permissions on this thread. The site isnt live yet im making it on my localhost, im new to all this what should my permissions be?

What would be an alternative? Should i just stick all the files in one folder and worry about organization through my database?

discomatt · July 25, 2008

Make sure whatever user is running php/apache has permissions to write to your webroot ( and below, if need be ).

The exact permissions require depend on your operating system.

RottenBananas · July 25, 2008

What do you guys mean by sanitize?

I have a function I call on anything posted from the user

function protect($string)
{
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = addslashes($string);

return $string;
}

Would that suffice?

discomatt · July 25, 2008

Really depends on the data you expect, and what you're going to do with it. If it was being outputted to the browser, then no.

The more strict you are in validating ( sanitizing ) user data, the less it becomes a security hole.

RottenBananas · July 25, 2008

Im still getting the failed to open stream error

Heres what i have

if($_SESSION['uid'])
{
$sql = "SELECT * FROM `users` WHERE `user_id`='".$_SESSION['uid']."'"; # when they login the SESSION['uid'] is set to their userid
$res = mysql_query($sql) or die(mysql_error());

$row = mysql_fetch_assoc($res);

$title = protect($_POST['title']);
$target = $_SERVER[document_root]."/".$row['username'];
@mkdir($target);
$target = $target."/".basename($_FILES['song']['name']) ;
$size = $_FILES['song']['size'];
$song = $_FILES['song']['name'] ;

if(move_uploaded_file($_FILES['song']['tmp_name'], $target))
{
	echo "<script language=\"Javascript\" type=\"text/javascript\">
	alert(\"Your song has been uploaded\")
	document.location.href='profilecp.php'</script>";
}
else
{
	echo "<script language=\"Javascript\" type=\"text/javascript\">
	alert(\"There was an error, try again\")
	document.location.href='profilecp.php'</script>";
}
}

discomatt · July 25, 2008

Echo $target, make sure it's what you expect.

Also, remove the @ from mkdir, unless you're going to have some sort of manual error checking. Supressing errors in a script that doesn't work -> not a great way to debug.

RottenBananas · July 25, 2008

When I removed the @ from mkdir its sayin permission denied...so i chmod 777 to the entire folder and used -R so that absolutely everything was 777 just to see if it worked but it still says permission denied...?

RottenBananas · July 25, 2008

I fixed it, the SERVER[document_root] was takin it too far back on xampp.

Anyway is this a good idea? Or should i just stick everything into one folder?

Sign In

Dynamic creation of folders on server?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information