
Thread: question about file uploader script

  1. #1
    Join Date
    Feb 2012
    Posts
    33
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Default question about file uploader script

    Hey,

    I need a file upload script, but I need it so that you can choose the directory location as to where it uploads to

    For example, a form like this:

    <form enctype="multipart/form-data" action="uploader.php" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
    Choose the files upload location: <input type="text" />
    Choose a file to upload: <input name="uploadedfile" type="file" /><br />
    <input type="submit" value="Upload File" />
    </form>

    Cheers

  2. #2
    Join Date
    Jul 2010
    Location
    Minnesota
    Posts
    256
    Thanks
    1
    Thanked 21 Times in 21 Posts

    Default

    Here is a tutorial on secure file upload - http://www.youtube.com/watch?v=RiuLBrEFhfk&feature=plcp
    I don't think it has a select file location feature but that should be super easy to add in to the script once you get the rest done.

  3. #3
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    You can add any text input (or select dropdown, etc.) to the file path. That's not complicated (just very basic string concatenation). But the trouble is that you must make it secure. Create a "white list" (approved list) of directories you want to allow, then only allow the upload if the path matches that. Also be VERY careful to strip out any special characters like "up one directory ../" and so forth. This could be a huge security threat.

    Of course be sure to allow only certain types of files (eg, never allow .php), probably also with a white list (jpg, gif, pdf, and whatever else you need).

    It's probably best to not allow the overwriting of an existing file. This could be dangerous if there's any chance that an important file is somewhere, like index.html or php.ini. You can also only allow certain filetypes, but then any file of that type (like "homepage.jpg") is vulnerable. Of course that's not a problem if the ONLY files in the directory you're using are uploaded with this form (that's a standard practice) or the filename is automatically determined by the script (also standard for large-scale uploader projects).

    That's some general advice. Ask about any details if you'd like
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  4. #4
    Join Date
    Feb 2012
    Posts
    33
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Default

    Cheers - I've got this working.

    Just one question:

    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="refresh" content="5;url=http://habfab.com/upload">
    <title>HabFab Uploader</title>
    <link type="text/css" rel="stylesheet" href="style.css" />
    </head>
    
    <body bgcolor="#60bfe7">
    	<div id="container">
    
    		<div id="top"></div>
    		<div id="mid">
    		<br>
    		<br>
    		<br>
    		<br>
    <?php 
     $target = "david/"; 
     $target = $target . basename( $_FILES['uploaded']['name']) ; 
     $ok=1; 
     if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) 
     {
     echo "<strong>The file " . $_FILES["file"]["name"] .  "has been uploaded! <br><br>It can be located at habfab.com/david/FILENAME <br><br> You will now be taken back to the upload page.</strong>";
     } 
     else {
     echo "<strong>There was a problem uploading your file! Make sure you specified a file to upload. You will now be redirected back to the upload page.</strong>";
     }
     ?> 
            <br>
    		<br>
    		<br>
    		<br>
    		<div id="bot"></div>
    
    	</div>
    </body>
    </html>
    The file " . $_FILES["file"]["name"] . "has been uploaded! should echo: "The file FILENAME has been uploaded!" But it just echoes "The file has been uploaded"

    Why isn't it showing the $_FILES["file"]["name"]?

    Thanks again

    ~ David

  5. #5
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    The relevant info is here:
    http://www.php.net/manual/en/feature...ost-method.php

    It looks like it should be showing the filename. Try using print_r($_FILES) to look through exactly what information was sent. Are you sure that "file" isn't the name being sent by the browser?

  6. #6
    Join Date
    Jul 2010
    Location
    Minnesota
    Posts
    256
    Thanks
    1
    Thanked 21 Times in 21 Posts

    Default

    Based off the rest of your current code, this
    PHP Code:
    $_FILES["file"]["name"]
    Should be this
    PHP Code:
    $_FILES['uploaded']['name']
    Also I assume there is more to the script than what you are showing, correct? 'Cause if not I would SERIOUSLY watch the tutorial I linked to about file upload security, otherwise anyone could upload ANYTHING they wanted to the server.

  7. #7
    Join Date
    Feb 2012
    Posts
    33
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Default

    Wow - that worked! Thanks so much!!

    As far as security; I have several forms in the page to upload to different directories, such as ./forum etc. What I've done is used .htaccess and .htpasswd for the directory "upload" where users visit to upload files. The action is for davidupload.php etc for each user in public_html whose target is david/ etc. If you visit davidupload.php it'll just say there's a problem with the upload, you will now be redirected back to the upload page. When it redirects, they are faced with the .htaccess.

    Think this will suffice?

    Thanks again!

    ~ David

  8. #8
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    No, not at all. You need some way to verify that the file being uploaded is not a dangerous one. Look up how to use a "white list" for file types. For example, just imagine all the harm that could be done by uploading a .php file.

  9. #9
    Join Date
    Feb 2012
    Posts
    33
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Default

    I searched: how to use a "white list" for file types and couldn't find it :S

    Thanks

    ~ David

  10. #10
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Try "list of approved file types".

    There are a lot of ways to do it (basically just check if the file's format is equivalent to any of your acceptable file types, either with in_array() or just ==).

    This tutorial seems like it should give you the basic idea:
    http://w3schools.com/php/php_file_upload.asp

    Some sort of type (and size) verification should be in most tutorials, including the one fastsol1 mentioned above.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
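
The checks recommended in posts #3 and #10 (an approved list of directories, an approved list of file types checked with in_array(), and no overwriting), put together as an added example that is not part of the original thread. The `dir` form field, the `$allowedDirs` map and the `store_upload()` helper are hypothetical names; `uploaded`, `david` and `forum` are taken from the posts above.

```php
<?php
// Added example, not code from the thread. Assumed names: the "dir" form
// field, the $allowedDirs map and the store_upload() helper are hypothetical.

// Approved destinations: the form sends only a key, never a path.
$allowedDirs = ['david' => __DIR__ . '/david', 'forum' => __DIR__ . '/forum'];
// Approved file types, compared against the lower-cased extension.
$allowedExts = ['jpg', 'gif', 'pdf'];
$maxBytes    = 100000; // same limit as MAX_FILE_SIZE in the form

function store_upload(array $file, string $dirKey, array $dirs, array $exts, int $max): string
{
    if (!isset($dirs[$dirKey])) {
        throw new RuntimeException('Directory is not on the approved list.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No file was uploaded, or the upload failed.');
    }
    if ($file['size'] > $max) {
        throw new RuntimeException('File is too large.');
    }
    // basename() drops any directory part such as "../" from the client-supplied name.
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $exts, true)) {
        throw new RuntimeException('File type is not on the approved list.');
    }
    // Keep only a conservative character set in the stored name.
    $name   = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $target = $dirs[$dirKey] . '/' . $name;
    if (file_exists($target)) {
        throw new RuntimeException('A file with that name already exists.');
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploaded'])) {
    $dir = is_string($_POST['dir'] ?? null) ? $_POST['dir'] : '';
    try {
        $saved = store_upload($_FILES['uploaded'], $dir, $allowedDirs, $allowedExts, $maxBytes);
        echo 'The file ' . htmlspecialchars($saved) . ' has been uploaded.';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
```

The type check here looks only at the file name's extension, as the thread describes; it does not inspect the file's content.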
