Image Uploading Successful but permissions incorrect

[earunder]

Hi All,

 

I have set my perms for images folder to 777.

 

The script runs ok without error.  It uploads the image and adds the necessary filename to the database.

When I go to the website to view the image, it comes back as unviewable/broken link.  The image is there as I've checked and downloaded it from the images folder.

 

When I check the permissions for the new file, they are only:

 

Owner

Group

Others

X

-

-

X

-

-

-

-

-

I'm scratching my head as this has been annoying me for some time now!  ???

Here is the code:

//print_r($_POST);

if($_POST["action"] == "Upload Image")
{
unset($imagename);

if(!isset($_FILES) && isset($HTTP_POST_FILES))
$_FILES = $HTTP_POST_FILES;

if(!isset($_FILES['image_file']))
$error["image_file"] = "An image was not found.";


$imagename = basename($_FILES['image_file']['name']);
//echo $imagename;

if(empty($imagename))
$error["imagename"] = "The name of the image was not found.";

if(empty($error))
{
$newimage = "../../images/" . $imagename;
//echo $newimage;
$result = @move_uploaded_file($_FILES['image_file']['tmp_name'], $newimage);
$partid = $_POST['partid'];
mysql_select_db($database_vwpconn00, $vwpconn00);
$dbfilename = $imagename;
$sq0 = mysql_query("UPDATE parts SET imageurl = '$dbfilename' WHERE partid = '$partid'") or die (mysql_error()); 
if(empty($result))
$error["result"] = "There was an error moving the uploaded file.";
}

}

?>


<form method="POST" enctype="multipart/form-data" name="image_upload_form" action="<?$_SERVER["PHP_SELF"];?>">
<p><input type="file" name="image_file" size="20"></p>
<p><input type="submit" value="Upload Image" name="action">
  <input name="partid" type="hidden" id="partid" value="<?php echo $_GET['partid'];?>">
</p>
</form>

<?
if(is_array($error))
{
while(list($key, $val) = each($error))
{
echo $val;
echo "<br>\n";
}
}

 

Any help will be greatly appreciated 

[aschk]

Is the image actually in the directory on your server?

Is the image folder a "web viewable" directory?

i.e. htdocs/images

 

What happens if you write a page which has

<img src="http://yoursite.com/images/somefilename.jpg"></img>

 

(substitute yoursite and somefilename for the real values stored on your server).

[earunder]

Hi,

 

Direct image linky: http://www.vauxhallworldparts.com/images/fs9128e.JPG

 

All other images within the folder are viewable, although they were not uploaded via this script.  ???

[uniflare]

have you tried chmodding your uploaded image?

[aschk]

Had a deeper look at the code and found your problem. It's not putting the information in the DB properly:

 

UPDATE parts SET imageurl = '$dbfilename' WHERE partid = '$partid'

 

You're trying to update. This will ONLY work if a record exists already (where partid = '$partid'). It won't insert a record if 1 doesn't exist.

So assuming that the link you have provided actually shows an image it means the uploaded file is being moved correctly, and i suspect the information it not being submitted to your database.

[aschk]

Mmm, indeed as uniflare suggests. Check the permissions on the image itself. You need x and r permissions (i.e. execute and read). Try chmod'ing the file to 644 after you have moved it.

[earunder]

Hi,

 

Well I can manually change the permissions of the uploaded file to allow it to be read by Group Other but I shouldnt have to do this everytime I upload a file should I?

 

 

[aschk]

I imagine you probably will have to yes.

The owner of the file is not the same as the folder owner (i.e. apache owns image, joe_bloggs owns folder).

So depending on your setup this might affect read permissions for a web user. Also when writing files they get a default permissions set (obviously not user read/execute).

[uniflare]

u can chmod files using php, you should always do this when uploading files anyway to set the correct permission for specific filetypes.

 

see http://uk3.php.net/manual/en/function.chmod.php

 

hope this helps,

[earunder]

Thanks for your help guys.

 

Yes a record does exist in the database.  This upload is an editable option for parts without a photo at current.

 

We can chmod them manually but isn't there a way to ensure they are uploaded with the correct permissions?  This is because there are 100's of thousands of parts = 100's of thousand of images, so chmod'ing them manually would be far to time consuming

 

[earunder]

Just re-checked the ownerships and the owner of the file is the same as the owner of the folder and directory etc.

 

I'm really puzzled as there are lots of Photo upload scripts where people have downloaded and all are running fine, but for some reason ours are uploading with incorrect permissions :S

[earunder]

Still no luck. I've re-written the code, deleted and re-created the folder, checked, rechecked and triple checked permissions, but everytime the script uploads the new image it uploads it correctly but with no viewable permissions to the Groups or Others.  The image isn't corrupt either as I can download the image and view it.

 

??? ???

[aschk]

Again, what are the permissions that are being given to it when it's uploaded to your system. You should be able to view them (in ftp client or linux cmd shell).

 

Also, CHMOD'ing lots of files is easy (at cmd line):

#> chmod -R 777 *

 

That'll do everything in the current directory and lower.

 

Or alternatively get your PHP script to use the chmod() function to apply the correct settings after you've uploaded/moved the file.

[earunder]

The permissions for the uploaded image are:

 

Owner

Group

Others

X

-

-

X - -

- - -

 

They should (well i want them to be)

 

The permissions for the uploaded image are:

 

Owner

Group

Others

X

X

X

X - -

- - -

 

Or alternatively get your PHP script to use the chmod() function to apply the correct settings after you've uploaded/moved the file.

I was thinking of doing this but wouldn't this pose a security issue? I've not got great knowledge in using a function to chmod the image after it has been uploaded so...

The only people I want to be able to do this are members of our Staff, to where they login to an admin panel.

 

[aschk]

You wouldn't be allowing the user to specify the chmod value. It'd be hard coded into your application... so not really a security threat.

[earunder]

Ok, i'll do some reading 

 

Thanks for your help, much appreciated 

[earunder]

Oh deary!!!

 

I'm still puzzled as the chmod isn't working! I think my head is going to explode! It's probably something really simple but I'm just struggling now and getting stressed :'(

 

if($_POST["action"] == "Upload Image")
{
unset($imagename);

if(!isset($_FILES) && isset($HTTP_POST_FILES))
$_FILES = $HTTP_POST_FILES;

if(!isset($_FILES['image_file']))
$error["image_file"] = "An image was not found.";


$imagename = basename($_FILES['image_file']['name']);
//echo $imagename;

if(empty($imagename))
$error["imagename"] = "The name of the image was not found.";

if(empty($error))
{
$newimage = "../../images/" . $imagename;
$partid = $_POST['partid'];
mysql_select_db($database_vwpconn00, $vwpconn00);
$dbfilename = $imagename;
$sq0 = mysql_query("UPDATE parts SET imageurl = '$dbfilename' WHERE partid = '$partid'") or die (mysql_error()); 
chmod($newimage, `0777`);///new line to chmod the new file. I tried 755 too with no avail
//echo $newimage;
$result = @move_uploaded_file($_FILES['image_file']['tmp_name'], $newimage);
if(empty($result))
$error["result"] = "There was an error moving the uploaded file.";
}

}

?>


<form method="POST" enctype="multipart/form-data" name="image_upload_form" action="<?$_SERVER["PHP_SELF"];?>">
<p><input type="file" name="image_file" size="20"></p>
<p><input type="submit" value="Upload Image" name="action">
 <input name="partid" type="hidden" id="partid" value="<?php echo $_GET['partid'];?>">
</p>
</form>

<?
if(is_array($error))
{
while(list($key, $val) = each($error))
{
echo $val;
echo "<br>\n";
}
}
?>

 

Any ideas or help will be greatly appreciated