
File upload errors


CageyJ0nnY


I have a site linked to a database. When uploading an image I get my own error message in return. Because of this I know the script works but that there is an error in there somewhere.

 

Here is the HTML page:

 

<form enctype="multipart/form-data" action="http://jjennings3.bimserver2.com/upload2.php" method="POST">
<p><input type="hidden" name="MAX_FILE_SIZE" value="50000">
Send this file: <input name="filename" type="file"></p>
<p>Name for uploaded file: <input name="filename" type="text" id="filename" value="picture.jpg"></p>
<p><input type="submit" value="Send File"></p>
</form>

<p><a href = "http://jjennings3.bimserver2.com/home-page.php"></p>
<li>Back</li>
</a>
</body>
</html>

 

and here is the PHP it links to:

 

<?php
$filename = $_POST[filename];
$uploaddir = '/home/jjennings3/jjennings3.bimserver2.com/';
$uploadfile = $uploaddir . $filename;
if (move_uploaded_file($_FILES['bookimage']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.<br>";
    echo "Its name is <a href=$filename>$filename</a>";
} else {
    echo "There was an error.";
}
?>

 

Any help would be greatly appreciated.

 

Jonny


The name="..." attribute of your file upload field is not the same name you are using in the php code and in fact you are using the same name="..." attribute value for both of the fields in the form.

 

Are you developing and debugging php code on a system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that php will help you? You will save a TON of time. You would be getting undefined error messages concerning the non-existent $_FILES variable due to the name mismatch.

 

Also, by specifying the destination filename using a form field, and not validating that piece of information, you are allowing a hacker to upload his file anywhere within your document root folder (by using folder traversal ..\..\..\) and with any file name (i.e. he can replace your index.html or index.php file if he wants.)

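A hardened handler covering both points raised in the reply above, as an added example that is not code from the thread. It assumes the file input is named `bookimage` (matching the PHP in the question), the text field is renamed to the hypothetical `savename` so the two fields no longer share a name, and uploads go to an assumed `uploads/` directory beside the script.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's code. Assumptions: file input name="bookimage",
// text field renamed to name="savename" (hypothetical), uploads/ beside this script.
const UPLOAD_DIR = __DIR__ . '/uploads/';
const MAX_BYTES  = 50000; // MAX_FILE_SIZE in the form is only a browser hint
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Reduce a client-supplied name to a safe stem, or null if nothing usable remains.
function safe_stem(string $requested): ?string
{
    // Treat "\" as a separator too, then drop every directory component.
    $base = basename(str_replace('\\', '/', $requested));
    $stem = pathinfo($base, PATHINFO_FILENAME);
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem) === 1 ? $stem : null;
}

function handle_upload(array $files, array $post): string
{
    $f = $files['bookimage'] ?? null;
    if (!is_array($f) || ($f['error'] ?? null) !== UPLOAD_ERR_OK) {
        return 'Upload failed.';
    }
    if ($f['size'] > MAX_BYTES) {
        return 'File is too large.';
    }
    // Take the type from the file's content, not the client-sent name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    $ext  = ALLOWED[(string) $mime] ?? null;
    if ($ext === null) {
        return 'Only JPEG, PNG or GIF images are accepted.';
    }
    $stem = safe_stem((string) ($post['savename'] ?? ''));
    if ($stem === null) {
        return 'Invalid file name.';
    }
    $name = $stem . '.' . $ext; // the server picks the extension, never the client
    if (file_exists(UPLOAD_DIR . $name)) {
        return 'A file with that name already exists.';
    }
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $name)) {
        return 'There was an error.';
    }
    return 'Uploaded as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '.';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo handle_upload($_FILES, $_POST);
}
```

With this in place a requested name such as `..\..\index.php` is reduced to `index` and saved as `uploads/index.jpg` only if the content really is a JPEG, so existing pages cannot be replaced.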
