PHP file upload

[arpinity3024]

I'm pretty new to PHP, so there could be something I'm missing, but I'm trying to set up a basic php upload script using POST method.

The site/murmur server is used for coordinating tabletop games online. We use a p2p connected program to view maps, character tokens, roll dice, etc. and this program allows hosting the common resources (maps, interactable items, enemy tokens, etc.) in a resource file that can be hosted on a server elsewhere, to conserve bandwidth for the hosting player.

We don't want to pass around our ftp/ssh login to anybody who wants to host a game using our resources, so a web-based uploader is ideal for these campaign resource files. As I develop this page/script, I will create a method for examining the contents of an uploaded .zip file and determining if it's a real resource file or not before actually extracting the file anywhere, but for now, just having the upload succeed is my goal.

I've secured the upload page with htaccess/htpasswd, which allows me to create logins for individuals hosting games, so the uploader script itself really just needs to be super basic. I've based my script on the POST method tutorial on php.net, and double checked to make sure there weren't any variables that were mismatched between the html form and the php script, but uploading of any files fails. They provide a debug output in the script, which prints the contents of $_FILES, which isn't really anything.

Has anybody tried this sort of thing before on NFO? Any official input from NFO folks?

I assume it can be done, phpbb and wordpress accept file uploads just fine, but they might be using a different method (PUT, maybe?)

[Edge100x]

I haven't heard of problems with uploads before, so this is likely a bug in your script.

What is the error that you see? Have you tried with the script at its most basic, without any sort of access restrictions?

Have you tried any 3rd party upload scripts?

[arpinity3024]

I have tried it without access restrictions, I put the access restrictions on after seeing in another upload script tutorial (while trying to figure out why this doesn't work,) that more security needs to be put in place, you shouldn't just have a free spot to dump any kind of file freely and anonymously, which makes sense.

I have not tried any third party scripts, the only ones I'm able to find are made in a tutorial fashion such as this one, but I don't really even know where to look for this kind of thing.

error on upload attempt: (this isn't an apache or php error, it's an error written into the script.)

Code: Select all

Possible file upload attack!
Here is some more debugging info:Array
(
)

upload.html: (This is right off of php.net, all of the changes I made should be non-funcitonal changes and simply visual. I added an input box, but it has a seperate id.)

Code: Select all

<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="upload.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <!-- Name of input element determines name in $_FILES array -->
    Campaign Name: <br/><input id="userdir" type="text"/><br/><br/>
    Select campaign repo zip file: <br/><input id="userfile" type="file"/><br/><br/>
    <input type="submit" value="Upload" />
</form>

upload.php: (This is also right off of php.net, I only changed $uploaddir to equal where I want the file to go.)

Code: Select all

<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = './';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>

[Edge100x]

I haven't played with this feature of PHP before and that will limit my ability to debug your script/write a fix for you, but, Googling that error, it sounds like the problem may be the path. Try specifying an absolute path that's within your hosting directory (/usr/www/youridentifier/somevalidfolder/).

[Vanderburg]

I'm going to play with this a bit later today. My website uses PHP's file upload and I don't have any problems, so when I get an opportunity, I'll compare.

[Vanderburg]

I figured this out and it's a simple mistake. You have the input box set id="userfile" but you don't have any name="userfile" which is what you'd need instead. The error given is "undefined index", which means it doesn't know what "userfile" is, because of that missing name tag.

[arpinity3024]

I figured this out and it's a simple mistake. You have the input box set id="userfile" but you don't have any name="userfile" which is what you'd need instead. The error given is "undefined index", which means it doesn't know what "userfile" is, because of that missing name tag.

You're right! I was using id= instead of name= for no real good reason, and when I switched back to name=, it seemed to upload my file, but then it spat this out:

Code: Select all

Possible file upload attack!
Here is some more debugging info:Array
(
    [userfile] => Array
        (
            [name] => brammmmm.jpg
            [type] => 
            [tmp_name] => 
            [error] => 2
            [size] => 0
        )

)

The picture is just the file I'm using to test it.

[arpinity3024]

error 2: file exceeded MAX_FILE_SIZE. I used the script right off php.net, and I think their form allows for 30KB. stupid me.

[Vanderburg]

Yes, in your form, you have max file size set to 30000 bytes in a hidden field.