
I am trying to have an uploader so visitors can upload files to some directories that I don't want people to have direct access to.

 

I am using .htaccess to redirect people to the homepage if they type in the directory name, but apparently this is stopping my uploader working because it redirects the uploader before it has a chance to upload the file.

 

The following is the uploader code:

 

<?php
// Where the file is going to be placed 
$var1 = $_GET["leadon"];
$var2 = $_GET["user"];

//$path = mysql_real_escape_string('leadon');
$target_path = $var1;

/* Add the original filename to our target path.  
Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " .  basename( $_FILES['uploadedfile']['name']) . 
    " has been uploaded";
$to = "email@address";
$subject = "A File has been uploaded by " . $var2;
$body = "";
$headers = 'From: email@address';
mail($to, $subject, $body, $headers);
}else{
echo $target_path;
    echo "There was an error uploading the file, please try again!";
}
?>

 

My .htaccess file has the following code in it:

redirect /user/username http://www.website.com
redirect /user/username/ http://www.website.com
RedirectMatch (.*)\index.php http://www.website.com
<Files ~ "\.(inc|sql|pdf)$">
  order allow,deny
  deny from all
</Files>


Where is your upload script located?  The upload script needs to be located in an area accessible to the user.  Use the script to move the file from tmp to the restricted area.  Also if you're on Unix/Linux the folders that PHP is moving the file to either need to belong to the same user/group as PHP or chmoded to 777.

	<div id="upload">
	<div id="uploadtitle"><strong>File Upload</strong> (Max Filesize: <?=$phpmaxsize;?>KB)</div>
	<div id="uploadcontent">
		<?
		if($phpallowuploads) {
		$action = "../uploader.php?leadon=" . $leadon . "&client=" . $client;
		?>
		<form method="post" action="<?=$action; ?>" enctype="multipart/form-data">
            <input type="file" name="file" /> <input type="submit" value="Upload" />
		</form>
		<?
		}
		else {
		?>
		File uploads are disabled in your php.ini file. Please enable them.
		<?
		}
		?>
	</div>

</div>
<?
}
?>
  </div>

 

It is code that came with a directory listing script that I found online. The file I use to test the upload isn't already in the directory.

At the moment in the uploader script I have got it so when there is an error it prints the directory on screen and it is always correct.

When I grabbed the form code for you, I was thinking the page that has that on it is located in the restricted directory and calls the uploader from the root directory, do you think this would have any impact?

Ok I found the problem...  It's no wonder we missed it.

If you upload file "myfile.gif" and then echo $target_path you'll notice it spits out the following (assuming of course that $leadon = 'uploads')

uploadsmyfile.gif

 

It's missing the directory separator...

 

Try changing this line...

 

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

 

To this

 

$target_path = $target_path .'/'. basename( $_FILES['uploadedfile']['name']); 

 

Also I noticed the form posts to the uploader one directory up.  If $target_path = 'uploads' then the folder uploads needs to be in the same folder as the uploader.php.

Unfortunately that isn't the problem; the leadon that I pass to it already has the slash on the end of it.

I pass the leadon as /users/username/, the uploader being in the base folder, wanting it to upload the file to subdirectories of the directory the uploader is in.

Ok..  Well I know this is a dumb question... But is "/users/username/" located in the root?  Sorry but I can only go off what you posted.

 

You might also try adding this to your script to bug test. (using the vars in your example)

 

if (!is_dir($var1)){
echo "Directory ".$var1." does not exist!";
exit;
}
if (!is_writable($var1)){
echo "Unable to write to directory ".$var1."!";
exit;
}
if (is_file($target_path . basename( $_FILES['uploadedfile']['name']))){
echo "File Already Exists.  Unable to move uploaded file to .".$target_path . basename( $_FILES['uploadedfile']['name']);
exit;
}

 

Edit: Added missing brace
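
Added example, not part of the original thread or written by any of its posters: the uploader in the first post takes its target directory straight from $_GET["leadon"] and the stored name from the client, so a request can choose where the file is written. The sketch below keeps the same field names (leadon, user, uploadedfile) but confines the target to one base directory and restricts the filename; UPLOAD_BASE, ALLOWED_EXT, MAX_BYTES and both helper functions are assumptions introduced for illustration.

```php
<?php
// Added example, not the thread's code. Assumed names: UPLOAD_BASE, ALLOWED_EXT,
// MAX_BYTES, resolve_upload_dir(), safe_filename(); the limits are illustrative.
const UPLOAD_BASE = __DIR__ . '/users';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'txt'];
const MAX_BYTES   = 2 * 1024 * 1024;

/** Resolve a user-supplied subdirectory and make sure it stays inside $base. */
function resolve_upload_dir(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    $dirReal  = realpath($base . '/' . $requested);
    if ($baseReal === false || $dirReal === false || !is_dir($dirReal)) {
        return null;
    }
    // Reject "../" escapes and symlinks that resolve outside the base directory.
    if ($dirReal !== $baseReal && strpos($dirReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dirReal;
}

/** Reduce a client-supplied name to a safe basename with an allowed extension. */
function safe_filename(string $name, array $allowedExt): ?string
{
    $name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    $file = $_FILES['uploadedfile'];
    $dir  = resolve_upload_dir(UPLOAD_BASE, (string) ($_GET['leadon'] ?? ''));
    $name = safe_filename((string) $file['name'], ALLOWED_EXT);
    $ok   = $dir !== null && $name !== null
         && $file['error'] === UPLOAD_ERR_OK && $file['size'] <= MAX_BYTES
         && !file_exists($dir . DIRECTORY_SEPARATOR . $name)
         && move_uploaded_file($file['tmp_name'], $dir . DIRECTORY_SEPARATOR . $name);
    if ($ok) {
        // Strip CR/LF from the user-supplied value before it goes into a mail header field.
        $user = str_replace(["\r", "\n"], '', (string) ($_GET['user'] ?? ''));
        mail('email@address', 'A File has been uploaded by ' . $user, '', 'From: email@address');
    }
    // Encode the name on output and do not echo the server path back to the client.
    echo $ok ? 'The file ' . htmlspecialchars($name, ENT_QUOTES) . ' has been uploaded'
             : 'There was an error uploading the file, please try again!';
}
```

With this layout the value passed as leadon is relative to UPLOAD_BASE (for example username/). Since move_uploaded_file() works on the filesystem, the upload directory itself can stay closed to direct HTTP requests.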
