A JM (posted May 7, 2009)

"Hello" - this is my first post!

I'm very new to PHP and am trying to implement a file upload utility, and I want to ask a few questions with regard to file directories, storage, etc.

Initially, when setting up the script, I'm to set up a directory - from what I read this directory is a temp directory, correct? Does it matter where this directory is located or what it's called? What's the norm?

Secondly, I want to prevent users from "backing up the tree" to view files in other directories. I understand that I'm supposed to "move away from the web root"; could someone elaborate a little on that subject? My server currently is set up like /home/usersdomain so if I were to "move away from webroot" I would be in /home if I interpret that correctly.

When checking for files and finding a duplicate, how does PHP handle replacing them? Will it simply overwrite a file that is uploaded with the same name? Does someone have a routine to stop this before it happens by checking and renaming the file being uploaded?

Thanks for any ideas or suggestions that you might have.

A JM

A JM (posted May 7, 2009)

I'm surprised that no one has any answers to setting up the php.ini file and how the directories work.

When setting the 'upload_tmp_dir' in the php.ini file - after it is set, do I need to tell my script what that temp folder is?

How do I tell the function 'move_uploaded_file()' where to move my files, given I have virtual servers running?

Thanks,

premiso (posted May 7, 2009)

> When setting the 'upload_tmp_dir' in the php.ini file - after it is set, do I need to tell my script what that temp folder is?
>
> How do I tell the function 'move_uploaded_file()' where to move my files, given I have virtual servers running?

Nope, your script will know where the temp folder is. To use the move_uploaded_file function you need the temp filename, which on your processing part should be something like $_FILE['tmpname'][0] or something similar. This can be looked at in more depth at PHP.NET File Upload for the proper calling/usage. I am sure the user contributions will answer most of your questions.

Your best bet to get answers to your questions is to set up your script and try it. I honestly do not know what happens on a duplicate, 'cause I rename any files uploaded to a hash and store that hash in the DB with its name to avoid issues like this.

Zhadus (posted May 7, 2009)

Addressing a few of your questions almost at random.

$_FILES['uploadedfile']['name'] will contain the name of the uploaded file, and $_FILES['uploadedfile']['tmpname'] is the temporary name of the file that's actually uploaded in the temporary directory.

You'll use move_uploaded_file("file", "destination") to make a permanent copy of the file in the area you want it to be uploaded to. This WILL overwrite a file with the same name. You can prevent this by doing a file_exists() function, which will return true or false. If true, modify the destination of the move_uploaded_file() function to a different name, maybe add a number to it and run a file_exists() function again.

A JM (posted May 7, 2009)

Thanks for the posts guys - very helpful.

Zhadus - I'm glad you mentioned checking for the existence of the file a second time, as I guess it's always possible for a file to have to be renamed again.

Since php.ini will know the temp directory, I'll just need to assign the actual "move to directory" in the script, gotcha. What permissions do I need to assign to the directory and what user? How is the path structured in the script ("/home/user/etc..") or something different?

Since I need the file names to be something meaningful for the end user, maybe I should rethink how to handle the uploading of files.

Here's my concept: I would like to allow my end user to upload as many files as they want or need, with some way for them to download them at a later time by using a drop-down list or links, etc. Since I will have multiple files for one record in my DB, I thought the best way to do this was to create a directory for each new record with a recordID as the directory name and then to drop all my files into the new directory. What do you guys think?

A JM

Zhadus (posted May 7, 2009)

Not sure on permissions, just owner read/write privileges I believe, not positive though. The destination is from the directory that the script is being run from. If the page is in "user" for your example, you'd just need "/etc/record" for instance.

As far as being meaningful, definitely multiple ways to handle that, I've never found it real important. If you want to be nice to your users, have them define a file name when they upload in a separate text box. Make sure you check file type on the name though so they aren't adding extensions to it etc. Then if it comes back that it's taken, send them to a new page to enter a new name.

Depending on the amount of users, a new directory will probably be best, particularly if you let the users name their own files. If you want to automate a hash for the file names, then a single directory is fine, and just connect the filenames with the user's account/db entry.
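
As an added example (not code posted by anyone in this thread), here is one way to combine the suggestions so far: a per-record directory kept outside the web root, a filtered file name, and the file_exists() renaming loop before move_uploaded_file(). The `uploads` directory under /home/usersdomain and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. UPLOAD_ROOT is an assumed path that
// sits beside the web root rather than under it, so no URL maps onto it.
const UPLOAD_ROOT = '/home/usersdomain/uploads';

// Reduce a client-supplied name to a safe file name: drop any path parts,
// keep only letters, digits, dot, dash and underscore, refuse leading dots.
function safe_name(string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName));
    $name = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), '.');
    return $name === '' ? 'unnamed' : $name;
}

// Return a path in $dir that is not taken yet: name.ext, name-1.ext, ...
function free_path(string $dir, string $name): string
{
    $info = pathinfo($name);
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    $path = "$dir/$name";
    for ($i = 1; file_exists($path); $i++) {
        $path = "$dir/{$info['filename']}-$i$ext";
    }
    return $path;
}

// Move one $_FILES entry into UPLOAD_ROOT/<recordId>/ and return its path.
// The int type on $recordId keeps "../" out of the directory name.
function store_upload(array $file, int $recordId): string
{
    // PHP's key for the temporary file is 'tmp_name'.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    $dir = UPLOAD_ROOT . '/' . $recordId;
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create record directory');
    }
    $dest = free_path($dir, safe_name($file['name']));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot move upload');
    }
    return $dest;
}

// In the form handler (field name 'uploadedfile' as used in the thread):
// $path = store_upload($_FILES['uploadedfile'], (int) $recordId);
```

Because the directory has no URL, later downloads go through a PHP script that looks up the record and reads the file from disk. The directory has to be writable by the account PHP runs as.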

abi007 (posted May 7, 2009)

Hey guys,

I am new to PHP with no exp in other server-side scripts.

The processFiles.php file needs to be modded. I get the following error on upload:

Warning: copy(index.html) [function.copy]: failed to open stream: Permission denied in /home/abi007/public_html/processFiles.php on line 17
index.html | could not be uploaded!

Please explain what mods are required.

P.S. I do know HTML and basic stuff.

[attachment deleted by admin]

A JM (posted May 7, 2009)

Ahhh... the same directory as the script, that worked, thanks.

Last question on the subject - since my script is on an individual page and the code is executed from another page's form, it outputs a "Success" or "Failure" but leaves no links to my previous page, just leaves the user hanging. Do I have this set up incorrectly, since I want the users redirected back to my original page?

All the file load script examples that I've seen are run from a second page: one page is the form, the other the script. This redirects the user away from the main page; I want them to stay on the main page. Is there a problem running the script on the same page as the form, and can I use a message box to let the user know of any messages with regard to the file upload? Is this a security risk?

Thanks,

premiso (posted May 7, 2009)

> Hey guys,
>
> I got this PHP File Upload Form from http://www.devarticles.com/c/a/PHP/Creating-a-MultiFile-Upload-Script-in-PHP/
>
> I am new to PHP with no exp in other server-side scripts.
>
> The processFiles.php file needs to be modded. I get the following error on upload:
>
> Warning: copy(index.html) [function.copy]: failed to open stream: Permission denied in /home/abi007/public_html/processFiles.php on line 17
> index.html | could not be uploaded!
>
> Please explain what mods are required.
>
> P.S. I do know HTML and basic stuff.

Don't hijack, create your own thread.

Zhadus (posted May 7, 2009)

> Ahhh... the same directory as the script, that worked, thanks.
>
> Last question on the subject - since my script is on an individual page and the code is executed from another page's form, it outputs a "Success" or "Failure" but leaves no links to my previous page, just leaves the user hanging. Do I have this set up incorrectly, since I want the users redirected back to my original page?
>
> All the file load script examples that I've seen are run from a second page: one page is the form, the other the script. This redirects the user away from the main page; I want them to stay on the main page. Is there a problem running the script on the same page as the form, and can I use a message box to let the user know of any messages with regard to the file upload? Is this a security risk?
>
> Thanks,

I'd recommend doing a redirect instead of just "Success" and "Failure". On failure though perhaps include some sort of error code for why it failed: improper extension, size problem, or if it just didn't upload right.

Running it from the same page as the form isn't bad, just gets a bit cluttered. I'd recommend a separate file, or perhaps building a class on it in case you want to use it for something else too. Also there are no additional security risks than what you already get with file uploads.

A JM (posted May 7, 2009)

The last part of my original question.. sorry.

> Secondly, I want to prevent users from "backing up the tree" to view files in other directories. I understand that I'm supposed to "move away from the web root"; could someone elaborate a little on that subject? My server currently is set up like /home/usersdomain so if I were to "move away from webroot" I would be in /home if I interpret that correctly.

How do I keep the end user from viewing files in the directory? When I uploaded the file a moment ago it worked fine, but I can also see the contents of the directory by simply pointing my browser to www.myweb.com/files/. Is there a way to avoid this so that the user cannot see the files?

Thanks.

A JM

Zhadus (posted May 7, 2009)

I believe what you're referring to is called directory listing. You can prevent it by adding some code to your .htaccess file. It's not really PHP related, just general server configuration.

premiso (posted May 7, 2009)

Options -Indexes

Add that to a .htaccess file in the directory you do not want to be listed.

abi007 (posted May 7, 2009)

If my temp folder is tmp, should the script be:

$copy = copy($_FILES['uploadFile'. $x]['tmp'],$file_name);

Does the following line mean that the filename in tmp is 'file'?

$file_name = $_FILES['uploadFile'. $x]['file'];

How do I move the file to a permanent directory named Data?

[attachment deleted by admin]

A JM (posted May 7, 2009)

> Options -Indexes
>
> Add that to a .htaccess file in the directory you do not want to be listed.

Thanks for your help! I think I'm rolling now...

A JM