5 Replies Latest reply: Jul 9, 2012 12:18 PM by nstratton

    uploading file

    future-architect Community Member

      I am creating an upload form.  One of the fields is a file.  It does not seem to be working though.  The file is not being uploaded.  Here is my code:

       

      form:

      <input type="file" name="upload" id="upload" size="48" value="<?php if($flag) { echo $_FILES['file']['name']; } ?>" />

       

      php:

      move_uploaded_file($_FILES["upload"]["tmp_name"], "http:/mysite.com/uploads/");

       

      Anything that I'm missing?

        • 1. Re: uploading file
          David_Powers ACP

          You're missing giving the file a name.

           

          move_uploaded_file($_FILES["upload"]["tmp_name"], "http:/mysite.com/uploads/" . $_FILES['upload']['name']);

           

          Also, I'm puzzled by this:

           

          value="<?php if($flag) { echo $_FILES['file']['name']; } ?>"

           

          Why are you trying to insert a value? And shouldn't it be $_FILES['upload']['name'] instead of $_FILES['file']['name']?

          • 2. Re: uploading file
            future-architect Community Member

            OK - thanks.  Still not working, but my host says that .txt files are disabled for security reasons.  Still don't understand.  I can understand .exe's....

            Have to find out what "disabled" means still....

            • 3. Re: uploading file
              David_Powers ACP

              What the host means is that you can't upload text files. I suspect the reason for that is to prevent scripting attacks.

               

              If you allow people to upload files for immediate display, a text file could contain malicious JavaScript that would be executed as soon as the page is displayed.

               

              Try this:

               

              <?php include('script.txt'); ?>

               

              The content of script.txt should look like this:

               

              <script>
              alert('Boo!');
              </script>

               

              When you load the PHP page into a browser, it executes the script, and displays an alert box with "Boo!".
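Added example (not part of the thread and not any poster's code): one way to accept a .txt upload from the `upload` field and show it back safely. move_uploaded_file() needs a filesystem path as its destination, and the stored text is read as data and HTML-escaped instead of being pulled in with include(). The directory, size limit and function names are assumptions.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR is an assumed
// directory outside the web root; MAX_BYTES is an assumed size limit.
const UPLOAD_DIR = '/var/www/private_uploads';
const MAX_BYTES  = 1048576;

// Validate one $_FILES entry and move it to a server-chosen file name.
function store_text_upload(array $file, string $dir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $error);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is too large');
    }
    // The browser-supplied name is used only to check the extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'txt') {
        throw new RuntimeException('Only .txt files are accepted');
    }
    // Destination is a filesystem path with a random name, not a URL and
    // not the name the browser sent.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.txt';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the upload');
    }
    return $dest;
}

// Read the stored text as data and escape it; never include() an upload.
function render_text_file(string $path): string
{
    $text = file_get_contents($path);
    if ($text === false) {
        throw new RuntimeException('Could not read the stored file');
    }
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

if (isset($_FILES['upload'])) {
    try {
        echo render_text_file(store_text_upload($_FILES['upload'], UPLOAD_DIR));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```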

              • 4. Re: uploading file
                future-architect Community Member

                What I would like to do is for users to upload text files, and then it is stored on the server, and ready to be shared/edited.  That doesn't sound like it is possible though.

                • 5. Re: uploading file
                  nstratton Community Member

                  Instead of uploading the file to a folder for later download, you can insert the text file into the database as a blob.  Then you can also spit out the text file using PHP to reconstruct it all.  Here is my code for doing that.  Please note the following:

                   

                  1.)  You need to add additional fields to the table for size, type, and name of file.  Finally, you need to create a blob field to hold the actual text file.

                  2.)  The upload code does NOT properly sanitize against SQL injection.  This is on a private network and therefore acceptable.  You will need to make sure you sanitize the input so you are not subject to a SQL injection attack.  The purpose of this is to show you how it all works.

                   

                  First here is the form section:

                   

                   

                  <form action="upload.php" method="post" enctype="multipart/form-data" id="form1">
                    <p>
                      <label for="fileField"></label>
                      File Name: <span id="sprytextfield1">
                        <label for="friendly_name"></label>
                        <input type="text" name="friendly_name" id="friendly_name" />
                        <span class="textfieldRequiredMsg">A value is required.</span></span></p>
                    <p>
                      <input type="file" name="fileUpload" id="fileField" />
                    </p>
                    <p>
                      <input type="submit" name="button" id="button" value="Submit" />
                    </p>
                  </form>

                   

                  Here is the upload.php section:

                   

                  <?php
                  // Form field and upload metadata as sent by the browser
                  $friendly_name = $_POST['friendly_name'];
                  $name = $_FILES['fileUpload']['name'];
                  $tmpName = $_FILES['fileUpload']['tmp_name'];
                  $size = $_FILES['fileUpload']['size'];
                  $type = $_FILES['fileUpload']['type'];

                  // Read the uploaded file and escape it for use in the query string
                  $fp = fopen($tmpName, 'r');
                  $data = fread($fp, filesize($tmpName));
                  $data = addslashes($data);
                  fclose($fp);

                  if (!get_magic_quotes_gpc()) {
                    $name = addslashes($name);
                  }

                  // $messageid and $category are not defined in this snippet.
                  // The values are concatenated into the SQL as-is (see note 2 above).
                  $SQL = "INSERT INTO files set message_id='".$messageid."', friendly_name='".$friendly_name."', category='".$category."', name='".$name."', size='".$size."', type='".$type."', data='".$data."'";

                  mysql_select_db($database_board, $board);
                  mysql_query($SQL, $board) or die(mysql_error());
                  // Kept in the same PHP block so no output is sent before the header
                  header('Location: new_post2.php');
                  ?>

                   

                  Finally,

                  Here is the snippet from the page that puts the file back together again so the user can download:

                   

                  <?php
                  // Look up the requested file by its id
                  $colname_Recordset1 = "-1";
                  if (isset($_POST['id'])) {
                    $colname_Recordset1 = $_POST['id'];
                  }
                  mysql_select_db($database_board, $board);
                  $query_Recordset1 = sprintf("SELECT * FROM files WHERE id = %s", GetSQLValueString($colname_Recordset1, "int"));
                  $Recordset1 = mysql_query($query_Recordset1, $board) or die(mysql_error());
                  $row_Recordset1 = mysql_fetch_assoc($Recordset1);
                  $totalRows_Recordset1 = mysql_num_rows($Recordset1);
                  ?>
                  <?php
                  // Send the stored metadata as headers, then the file body
                  header("Content-length: $row_Recordset1[size]");
                  header("Content-type: $row_Recordset1[type]");
                  header("Content-Disposition: attachment; filename=$row_Recordset1[name]");
                  echo $row_Recordset1['data']; ?>
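Added example (not nstratton's code): the same store-in-a-blob and download flow written with PDO prepared statements, which is the sanitizing that note 2 above says the upload code lacks. It assumes an in-memory SQLite database and a reduced `files` table so it runs stand-alone; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite via
// PDO so the script runs stand-alone; for MySQL change the DSN and schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, friendly_name TEXT,
            name TEXT, size INTEGER, type TEXT, data BLOB)');

// Every value is a bound parameter, so no addslashes() or quoting is needed.
function save_file(PDO $pdo, string $friendly, string $name, string $bytes): int
{
    $stmt = $pdo->prepare('INSERT INTO files (friendly_name, name, size, type, data)
                           VALUES (:friendly, :name, :size, :type, :data)');
    $stmt->bindValue(':friendly', $friendly);
    $stmt->bindValue(':name', $name);
    $stmt->bindValue(':size', strlen($bytes), PDO::PARAM_INT);
    $stmt->bindValue(':type', 'text/plain'); // set by the server, not the browser
    $stmt->bindValue(':data', $bytes, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Returns the headers and body for one stored file, or null for an unknown id.
function load_download(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT name, type, data FROM files WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Some drivers return BLOB columns as streams rather than strings.
    $body = is_resource($row['data']) ? stream_get_contents($row['data']) : $row['data'];
    // Keep only safe characters so the stored name cannot break the header.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['name']);
    return ['body' => $body, 'headers' => [
        'Content-Type: ' . $row['type'] . '; charset=utf-8',
        'Content-Length: ' . strlen($body),
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Content-Type-Options: nosniff',
    ]];
}

// Constructed sample: a file name and body containing quotes and a line break.
$id = save_file($pdo, "Bob's notes", "my 'notes'\r\n.txt", "It's \"quoted\" text\n");
$dl = load_download($pdo, $id);
print_r($dl['headers']); // in a web page, pass each line to header() instead
echo $dl['body'];
```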