BDCool1983 Posted March 4, 2015 (edited)

I just moved a bunch of our websites to a new server with what I believe is PHP 5.4, without going to check it. The problem I'm facing is that I cannot upload files via a script. It's so strange. I have tried defining the variables using the $_POST/GET methods, and I have tried emulating Register Globals. Essentially the issue is that it's not carrying the <input type='file'> variable across to the next page, or so it seems.

So e.g. on the next page the variable output I get is:

Array( [message] => [msgurl] => [filter] => ALL [sortorder] => A) Arraypost_max_size = 64M

If I change the input type to 'text', say, then I get:

Array( [message] => [userfile] = > [msgurl] => [filter] =>ALL[sortorder] => A ) Arraypost_max_size = 64M

I have checked the php.ini files for upload sizes, the tmp folder, the httpd.conf files etc. I'm stumped. Can someone check out the file attached and give me some ideas here? The form is at the bottom; the main file upload PHP gear is around line 124.

articles.php

BDCool1983 Posted March 4, 2015

My issue may also be to do with:

    $newfile = "uploads/" . uniqid("");
    mkdir($newfile, 0755);
    $newfile = $newfile . "/" . $userfile_name;
    copy ($userfile, $newfile);

mac_gyver Posted March 4, 2015

the code is way out of date (about 13 years out of date) and is dependent on register_globals being on. rather than patching it up by emulating register_globals, which introduces a huge security hole by allowing any session variable to be set from any $_POST/$_GET data a hacker feeds your script, you should access the correct $_POST, $_GET and $_FILES data that is being submitted to the code.

while you are updating things, the mysql_ and ereg_ functions are obsolete and will be removed from php in the future and should be upgraded to equivalent PDO/mysqli and preg_ functions.

i also see a bunch of stripslashes() statements, indicating that php's magic quotes settings were messing up your data. the magic_quotes and register_globals both have been removed as of php 5.4. you will also want to properly escape (using the database library's escape string function) string data (addslashes(), which is what the magic quotes used internally, is not sufficient) being put into sql queries or use prepared queries to prevent sql injection and errors when string data contains sql special characters.

edit: another thing the code is using that will cause you problems moving between server configurations is the short opening php <? tag. you should always use a full opening php <?php tag so that your php code will always be seen as being php code, regardless of the php configuration.

and in general, to clean up the code, you should have the php 'business logic' that controls what happens on the page, processes form data, and retrieves data displayed on the page, grouped together near the start of the file and the 'presentation logic' that is producing the html/css/javascript on the page near the end of the file. the only php code in the presentation logic should be simple loops/echo statements that make use of the data from the business logic.

and even more, the htmlentities() and nl2br() functions are OUTPUT functions, used when displaying information on a web page. they should not be used when inputting data into a database table.
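
Added example, not from the thread or the attached articles.php: a PHP 5.4-compatible handler that reads the `userfile` field from `$_FILES` (file inputs never appear in `$_POST`) instead of relying on register_globals, keeping the `uploads/<uniqid>/<name>` layout from the snippet above. The `store_upload()` function and the extension allow-list are hypothetical, and the form is assumed to use `method="post"` with `enctype="multipart/form-data"`.

```php
<?php
// Added example: explicit $_FILES handling, no register_globals emulation.
function store_upload(array $file, $baseDir = 'uploads')
{
    // PHP reports size limits, partial uploads and missing tmp dirs here.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload data.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    // Only accept a file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // The client controls the name: drop any path and unusual characters.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    if ($name === '' || $name[0] === '.') {
        throw new RuntimeException('Unusable file name.');
    }
    // Hypothetical allow-list; keeps script extensions out of the web root.
    $allowed = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt');
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('File type not allowed.');
    }
    // Same layout as the original snippet: uploads/<unique id>/<name>.
    $dir = $baseDir . '/' . uniqid('');
    if (!mkdir($dir, 0755, true)) {
        throw new RuntimeException('Cannot create ' . $dir);
    }
    $target = $dir . '/' . $name;
    // move_uploaded_file() replaces copy() and re-checks the source file.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Cannot store the upload.');
    }
    return $target;
}

$isPost = isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST';
if ($isPost && isset($_FILES['userfile'])) {
    try {
        $path = store_upload($_FILES['userfile']);
        echo 'Stored as ' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```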