1

This is my php file uploading script. It does not work at all. Nothing happens. I have probably missed something.

<?php
if ((($_FILES["thumbfile"]["type"] == "image/gif")
|| ($_FILES["thumbfile"]["type"] == "image/jpeg")
|| ($_FILES["thumbfile"]["type"] == "image/pjpeg"))
&& ($_FILES["thumbfile"]["size"] < 20000))
  {
  if ($_FILES["thumbfile"]["error"] > 0)
    {
      move_uploaded_file($_FILES["thumbfile"]["tmp_name"],
     "http://www.divethegap.com/update/z-images/admin/upload/" . $_FILES["thumbfile"]["name"]);
      $filelocation = "http://www.divethegap.com/update/z-images/admin/upload/" . $_FILES["thumbfile"]["name"];

      echo '<script type="text/javascript">
parent.document.getElementById("thumbprogress").innerHTML = "Archiving"</script>Archiving';

    }
  }
else
  {
  echo '<script type="text/javascript">
parent.document.getElementById("thumbprogress").innerHTML = "Invalid File Format"</script>Invalid File Format';
  }
?>

Can anyone see problem?

Marvellous

Improve this question
2
  • is your code looping into the two for loops? Commented Mar 14, 2011 at 16:39
  • Just a note, you might want to check more than just the MIME type of the file that's being uploaded (specifically, make sure the file extension is non-executable). It's possible to embed PHP code into a GIF image. The script will detect it as a .gif with proper MIME type, but if the image (for example) has a .php extension, accessing the image will execute the code it contains. Source Commented Mar 14, 2011 at 16:53

1 Answer 1

Reset to default
3

move_uploaded_file() is not intended to to have a URL as a destination. You're in essence trying to take an uploaded file, and upload it yet again. What you want to use is a LOCAL file path, without a URL in it.

On top of that, you're using the provided 'type' and 'size' data from $_FILES array for your validation. Those fields are user-provided and can be subverted. Nothing says a malicious user can't upload "hackme.exe" or "subvert_my_server.php" and tag it as an image/jpeg type upload, and your script would happily try to store on the server.

For proper handling, something like this is better:

if ($_FILES['thumbfile']['error'] === UPLOAD_ERR_OK) {
    $info = getimagesize($_FILES['thumbfile']['tmp_name']);
    if (($info[2] !== IMG_GIF) && ($info[2] !== IMG_JPEG)) { // whoops. had || initially.
       die("not a gif/jpg");
    }
    if (filesize($_FILES['thumbfile']['tmp_name']) > 20000) {
       die("larger than 20000");
    }
    move_uploaded_file($_FILES['thumbfile']['tmp_name'], '/some/directory/on/your/server/filename.jpg');
}
Improve this answer
6
  • Seams good but keeps dying from the beginning with 'not a gif/jpeg' I have tried multiple gifs and jpegs nothing is working Commented Mar 14, 2011 at 16:51
  • What's the error code you get? Try doing a print_r($_FILES); and see what's coming through. Commented Mar 14, 2011 at 16:55
  • As follow ::: Array ( [thumbfile] => Array ( [name] => Picture43a.gif [type] => image/gif [tmp_name] => /tmp/phpsk5Dqg [error] => 0 [size] => 11966 ) ) not a gif/jpg Commented Mar 14, 2011 at 17:07
  • Whoops. My bad. Change the || in the image check section to &&. I'll update the answer. Commented Mar 14, 2011 at 17:09
  • That did it but now it is stuck on the move function "Unable to move '/tmp/phpB0Y3x8' to example.com/upload/test.jpg" The directory is correct, not the example one I put there. Commented Mar 14, 2011 at 17:24

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.