uploading file

Report · Jul 03, 2012

I am creating an upload form. One of the fields is a file. It does not seem to be working though. The file is not being uploaded. here is my code:

form:

php:

move_uploaded_file($_FILES["upload"]["tmp_name"], "http:/mysite.com/uploads/");

anything that I'm missing?

Report · Jul 04, 2012

You're missing giving the file a name.

move_uploaded_file($_FILES["upload"]["tmp_name"], "http:/mysite.com/uploads/" . $_FILES['upload']['name']);

Also, I'm puzzled by this:

value="<?php if($flag) { echo $_FILES['file']['name']; } ?>"

Why are you trying to insert a value? And shouldn't it be $_FILES['upload']['name'] instead of $_FILES['file']['name']?

Report · Jul 04, 2012

ok - thanks. still not working, but my host says that .txt files are disabled for security reasons. still don't understand. i can understand .exe's....

have to find out what "disabled" means still....

Report · Jul 05, 2012

What the host means is that you can't upload text files. I suspect the reason for that is to prevent scripting attacks.

If you allow people to upload files for immediate display, a text file could contain malicious JavaScript that would be executed as soon as the page is displayed.

Try this:

<?php include('script.txt'); ?>

The content of script.txt should look like this:

alert('Boo!');

</script>

When you load the PHP page into a browser, it executes the script, and displays an alert box with "Boo!".

Report · Jul 05, 2012

what i would like to do is for users to upload text files, and then it is stored on the server, and ready to be shared/edited. that doesn't sound like it is possible though.

Report · Jul 09, 2012

Instead of uploading the file to a folder for later download, you can insert the text file into the database as blob. Then you can also spit out the text file using php to reconstruct it all. Here is my code for doing that. Please note the following:

1.) You need to add additional fields to the table for size, type, and name of file. Finally, you need to create a blob field to hold the actual text file.

2.) The upload code does NOT properly sanitize against SQL injection. This is on a private network and therefore acceptable. You will need to make sure you santize the input so you are not subject to a SQL injection attack. The purpose of this is to show you how it all works.

First here is the form section:

<p>

File Name: <span id="sprytextfield1">

<span class="textfieldRequiredMsg">A value is required.</span></span></p>

<p>

</p>

<p>

</p>

</form>

Here is the upload.php section:

<?php
$friendly_name=$_POST['friendly_name'];
$name = $_FILES['fileUpload']['name'];
$tmpName = $_FILES['fileUpload']['tmp_name'];
$size = $_FILES['fileUpload']['size'];
$type = $_FILES['fileUpload']['type'];

$fp = fopen($tmpName, 'r');
$data = fread($fp, filesize($tmpName));
$data = addslashes($data);
fclose($fp);

if(!get_magic_quotes_gpc())
{
$name = addslashes($name);
}

?>

<?php

$SQL="INSERT INTO files set message_id='".$messageid."', friendly_name='".$friendly_name."', category='".$category."', name='".$name."', size='".$size."', type='".$type."', data='".$data."'";

mysql_select_db($database_board, $board);
mysql_query($SQL, $board) or die(mysql_error());
header ('Location:new_post2.php');

?>

Finally,

Here is the snippet from the page that puts the file back together again so the user can download:

$colname_Recordset1 = "-1";

if (isset($_POST['id'])) {

$colname_Recordset1 = $_POST['id'];

}

mysql_select_db($database_board, $board);

$query_Recordset1 = sprintf("SELECT * FROM files WHERE id = %s", GetSQLValueString($colname_Recordset1, "int"));

$Recordset1 = mysql_query($query_Recordset1, $board) or die(mysql_error());

$row_Recordset1 = mysql_fetch_assoc($Recordset1);

$totalRows_Recordset1 = mysql_num_rows($Recordset1);

?>

<?php header("Content-length: $row_Recordset1[size]");

header("Content-type: $row_Recordset1[type]");

header("Content-Disposition: attachment; filename=$row_Recordset1[name]");

echo $row_Recordset1['data']; ?>