move_uploaded_file not giving error but not moving file

[davidannis]

I have a script that uploads files fine on my local server running MAMP but when I upload it I get no file upload. I have tried to simplify as much as possible to troubleshoot and came up with the following script:

<?php 
ini_set('display_errors', 1);
error_reporting(E_ALL);
        define('BASE_DIR', '/home/lineligh/public_html/Art3/');
        define('IMG_UPLOAD_DIR',BASE_DIR.'artwork/');
        $id='4';
        print_r($_FILES);
if (isset($_FILES['picture']['name'])) {
                //check size
                if ($_FILES['picture']['size'] > 900000) {
                    $uploaderr = true;
                    $uploaderrmsg.='File must be less than 900,000 bytes<br />';
                }
                //check type
                if ($_FILES['picture']['type'] != "image/jpeg" && $_FILES['picture']['type'] != "image/png") {
                    $uploaderr = true;
                    $uploaderrmsg.='File must be a jpeg or png<br />';
                }
                $uploaddir = IMG_UPLOAD_DIR;
                $uploadfile = $uploaddir . $id . '.' . end((explode(".", $_FILES["picture"]["name"])));


            $result = move_uploaded_file($_FILES['picture']['tmp_name'], $uploadfile);
            echo '<br>'.$_FILES['picture']['tmp_name']."</br>";
            echo $uploadfile;
            echo '<br>$result: '.$result;
}
?>

Which produces the following output:

Array ( [picture] => Array ( [name] => Olivia-IMG_8678.jpg [type] => image/jpeg [tmp_name] => /tmp/phpe5Vpyq [error] => 0 [size] => 192649 ) )
/tmp/phpe5Vpyq
/home/lineligh/public_html/Art3/artwork/4.jpg
$result: 1 

So, the file gets to the server, the move_uploaded_file function claims that it successfully renames the file and puts it in /home/lineligh/public_html/Art3/artwork/ but if I look for the file it is not there. I'm stumped as to what else to check. Webhosting company swears that my permissions are correct.

[Jacques1]

Can you create a simple file within the target directory when there's no uploading involved? I mean something like file_put_contents().

 

Besides that, your code is extremely insecure and buggy. You let anybody upload malicious scripts to your server as long as they claim that the file is an image (the type in $_FILES can be set to anything by the client). I strongly recommend that you you learn the basics of secure file uploads before you even think about placing files on your server.

[davidannis]

Thank you for the response.

 

When I try a simple script using file put contents:

<?php
$file2='/home/lineligh/public_html/Art3/artwork'.'/test1.txt';
$current = "Test\n";
file_put_contents($file2, $current);
?>

I get a 5 byte file in the artwork directory as expected.
 

Besides that, your code is extremely insecure and buggy. You let anybody upload malicious scripts to your server as long as they claim that the file is an image (the type in $_FILES can be set to anything by the client). I strongly recommend that you you learn the basics of secure file uploads before you even think about placing files on your server.

 

 

The script I posted is a sample extracted from the whole in which I pulled the most bare bones pieces out to illustrate the problem and make sure that the problem wasn't occurring in some prior step. In the full script I validate the file and resize it using the gd imagescale, I move the file after the resize into a directory that has script execution disabled in htaccess but I'll also look at the link you provided to see if I can tighten it further. The actual script is also password protected (with a salted and hashed password) and only available to a limited number of users for whom I have real world identities. Each upload is logged with the user ID.

 

Thanks,

David

[mac_gyver]

it's likely that your actual complete code is deleting the file after you have moved it to the folder. i'm betting if you put a die; statement after the echo '<br>$result: '.$result; line, that the file will be present in the folder.

 

edit: btw - how do you know the file isn't in the folder? what method are you using to get a listing of the files, since the fault may be in the method being used?

Edited January 29, 2016 by mac_gyver

[davidannis]

I have moved the upload directory out of public_html and I'm using fileinfo to revalidate mime type in addition to the gd getsimagesizes and the resize. I believe I can strip the EXIF data when I resize but I'll need to put some of it back because I don't want to remove copyright.

[davidannis]

it's likely that your actual complete code is deleting the file after you have moved it to the folder. i'm betting if you put a die; statement after the echo '<br>$result: '.$result; line, that the file will be present in the folder.

 

edit: btw - how do you know the file isn't in the folder? what method are you using to get a listing of the files, since the fault may be in the method being used?

The simple test script that I posted in its entirety does not work so there is nothing past the echo '<br>$result: '.$result; line.

 

I have used sftp to look for the file. Can't display it. In the full script the resize throws an error because it is not there. I am pretty sure that It is not there.

[mac_gyver]

are you sure about the spelling and capitalization of the path in all cases, in all the code and when looking for the file? could you also have a /home/lineligh/public_html/art3/artwork/ folder or a folder with a space in a part of the path?

 

how are you submitting the data to the form processing code and viewing the result from your debugging statements? you could have a case where the data is being submitted twice, the second time without any successfully uploaded file, and the file is being deleted. the only requirement in your logic to run the move_uploaded_file() statement is that $_FILES['picture']['name'] is set. this however doesn't guarantee that there is a successfully uploaded file.

 

lastly, does your server have the stupid Suhosin hardened kluge present? it has a habit of making perfectly good code, not work?

[davidannis]

it's likely that your actual complete code is deleting the file after you have moved it to the folder. i'm betting if you put a die; statement after the echo '<br>$result: '.$result; line, that the file will be present in the folder.

 

edit: btw - how do you know the file isn't in the folder? what method are you using to get a listing of the files, since the fault may be in the method being used?

You were right. I was not refreshing the sftp client, assuming incorrectly that it refreshed on a change in directories. In the script itself I was trapping the error on the resize incorrectly. I think I may have it now. You caught two errors. Now to fix the resize error. I'm feeling really stupid. Thanks for the help.