uploading files via the web

[Paxthegreat]

how do i upload files to my webserver, via a web page?

i learn from example, is their somewhere, i can find example pages and code?

thx

[Kagey]

go to www.php.net. near the top there is a search bar. type in "file uploads" in the "online documentation". then, click the arrow symbolizing "search". I'm fairly positive that the result you receive will be helpful to solve this problem.

HAPPY CANADIAN THANKSGIVING !! WOOO HOOOO

[Paxthegreat]

hmm, i've found a lil manual, which kinda explains stuff, but, theirs no examples of the pages itself :-/.

<--- needs something to disect and look at

[Rick Bull]

This is from a book called PHP for the Word Wide Web by Larry Ullman. It says you do it like this:

HTML:

Code:

<form method="post" enctype="multipart/form-data" action="whatever.php">
  <input type="file" name="File" />
  <input type="submit" value="Upload" />
</form>

PHP:

Code:

if ($File) {
  print ("File name: $File_name<br />\n");
  print ("File size: $File_size<br />\n");
  if (copy($File, "users/$File_name")) {
    print "Your file was successfully uploaded";
  } else {
    print "Your file was not successfully uploaded";
  }
  unlink($File);
}

[Paxthegreat]

hmm, riiight, now coz i'm still learning PHP, i dont know everything, so bare with me on this 1

if ($File) {
print ("File name: $File_name<br />\n");
print ("File size: $File_size<br />\n");
if (copy($File, "users/$File_name")) {
print "Your file was successfully uploaded";
} else {
print "Your file was not successfully uploaded";
}
unlink($File);
}

i think i understand this, and i understand what the html code does, but how do incorporate this into my page? (n00bish question i know)

[Rick Bull]

You just have to put that code into the "whatever.php" file (the one in the form's action) and it should copy the file to the users directory.

[phpman]

it realy all depends on what version of php you are using. if anyhting over 4.1 and register_globols are off then you have to use $_FILES[uploaded_file][tmp_name]

and then it would be something like this

PHP Code:

if ($_POST['submit']){
if(!copy($_FILES['uploadedfile']['tmp_name'],"files/".$_FILES['uploadedfile']['name']."")) {
    print("<div><b>Sorry, Your File failed to upload.<br>");
    print("Please use your back button and try again.</b></div>");
    
    exit;
}else {                                          
    // everything looks ok and it was uploaded and saved.
    print("<div><b>Thanks, your file has been uploaded.</div><br>");
        
} 


that is very basic and you would want to add some other checks in there to see if the file isn't empty or the wrong extension and stuff like that.

there are a lot of tutorials on the net that explain how to do this.

[Paxthegreat]

hmm, i know "very" little about PHP, so

if anyhting over 4.1 and register_globols are off then you have to use $_FILES[uploaded_file][tmp_name]

would explain y this didnt work


-- <html>
-- <?
-- if(!empty($userfile)) {
-- copy($userfile, "/home/duke/webroot/files/");
-- unlink($userfile);
-- echo("file uploaded");
-- }
-- ?>
-- </html>


and came up with this error?!?


-- Warning: Unable to create '/home/duke/webroot/files/': Is a
-- directory in /home/duke/webroot/myupload.php on line 7
-- file uploaded

[Paxthegreat]

blah, i just read my last post, and it doesnt even make sense to me.

Erm short version

i tried this code

<html>
<?

if(!empty($userfile)) {

//copy the file
copy($userfile, "/home/duke/webroot/files/");

//destroy the uploaded file
unlink($userfile);

//display message
echo("file uploaded");

}
?>
</html>

and got this error

Warning: Unable to create '/home/duke/webroot/files/': Is a directory in /home/duke/webroot/myupload.php on line 7
file uploaded

i have the latest version of PHP so, is this the problem?

if anyhting over 4.1 and register_globols are off then you have to use $_FILES[uploaded_file][tmp_name]

[phpman]

where is $userfile being created? for one it is empty because if globals are off then you have to use the superglobal. check that first.

second you have to include the file name. $userfile is nothing to copy()

you need to use $HTTP_POST_FILES OR $_FILES[]

either one will be like this

[userfile][tmp_name] and [userfile][name]

look at my example and substitute eithe one into it. either $HTTP_POST_FILES OR $_FILES

[Rick Bull]

Maybe you need the directory to be chmoded to writeable?

[Paxthegreat]

Originally posted by Rick Bull
Maybe you need the directory to be chmoded to writeable?

i've chmodded the dir to 777

[Rick Bull]

On my server I sometimes have trouble if I'm using absolute paths like, e.g. try changing copy($userfile, "/home/duke/webroot/files/"); for something like copy($userfile, "files/"); probably won't help though.

[Paxthegreat]

Originally posted by Rick Bull
On my server I sometimes have trouble if I'm using absolute paths like, e.g. try changing copy($userfile, "/home/duke/webroot/files/"); for something like copy($userfile, "files/"); probably won't help though.

i thought about that this morning, and changed it so simply files/ same problem

[CornedBee]

You need to specify a filename to copy to. You can't just copy to the directory.

The error it gives makes sense if you know what it means. It can't create the file "whatever/somesubdir/" because somesubdir already exists as a directory.

[Paxthegreat]

Originally posted by CornedBee
You need to specify a filename to copy to. You can't just copy to the directory.

The error it gives makes sense if you know what it means. It can't create the file "whatever/somesubdir/" because somesubdir already exists as a directory.

hmm, i stuck "file.txt" at the end and it worked, but kept the name file.txt, HOWEVER it was still the file iuploaded it as, ie a .jpg

(if that makes any sense) how do i get it to keep the original file name? as when i stuck $userfile on the end it just crapped out and gave another error

Unable to create 'files//tmp/phpXdHdMU': No such file or directory in /home/duke/webroot/myupload.php on line 7

[phpman]

Originally posted by phpman
where is $userfile being created? for one it is empty because if globals are off then you have to use the superglobal. check that first.

second you have to include the file name. $userfile is nothing to copy()

you need to use $HTTP_POST_FILES OR $_FILES[]

either one will be like this

[userfile][tmp_name] and [userfile][name]

look at my example and substitute eithe one into it. either $HTTP_POST_FILES OR $_FILES

ahem.... I already told you once. you have to use the globals, no if ands or buts

[Paxthegreat]

Originally posted by phpman

where is $userfile being created? for one it is empty because if globals are off then you have to use the superglobal. check that first.

second you have to include the file name. $userfile is nothing to copy()

you need to use $HTTP_POST_FILES OR $_FILES[]

either one will be like this

[userfile][tmp_name] and [userfile][name]

look at my example and substitute eithe one into it. either $HTTP_POST_FILES OR $_FILES
ahem.... I already told you once. you have to use the globals, no if ands or buts

sry i thought i was clear at the beggining i am "entirely" a n00b to php coding, so i dont have a single clue what either of those mean, hense the reason i have been looking for a simpler way to do it.

it would help more, if you could give me an example of how to do it, rather than saying use either $http_post_files or $_files as, i dont know how to use this constructively

[CornedBee]

Very simple pax: just extract the filename from the uploaded file's path and name (by searching for the last / and only using the substring that comes after that) and stick that at the end of the path. Or sometimes it makes sense to create a random name. Usually by taking the current system time, adding a random factor and calculation an md5 checksum, then using that as the file name (that's the way my brother does it). Pretty much guarantees unique file name (else they would be overwritten). If you want to preserve the original name you must cross-relate the generated and real names in a database table.

[phpman]

Originally posted by phpman
it realy all depends on what version of php you are using. if anyhting over 4.1 and register_globols are off then you have to use $_FILES[uploaded_file][tmp_name]

and then it would be something like this

PHP Code:

if ($_POST['submit']){
if(!copy($_FILES['uploadedfile']['tmp_name'],"files/".$_FILES['uploadedfile']['name']."")) {
    print("<div><b>Sorry, Your File failed to upload.<br>");
    print("Please use your back button and try again.</b></div>");
    
    exit;
}else {                                          
    // everything looks ok and it was uploaded and saved.
    print("<div><b>Thanks, your file has been uploaded.</div><br>");
        
} 


that is very basic and you would want to add some other checks in there to see if the file isn't empty or the wrong extension and stuff like that.

there are a lot of tutorials on the net that explain how to do this.

do you not read, I already gave it to you in my first post.

[phpman]

Originally posted by CornedBee
Very simple pax: just extract the filename from the uploaded file's path and name (by searching for the last / and only using the substring that comes after that) and stick that at the end of the path. Or sometimes it makes sense to create a random name. Usually by taking the current system time, adding a random factor and calculation an md5 checksum, then using that as the file name (that's the way my brother does it). Pretty much guarantees unique file name (else they would be overwritten). If you want to preserve the original name you must cross-relate the generated and real names in a database table.

ugg he is a noob and you told him to use md5() and you don't need a Database to get the file name.

my example does it jsut fine and preserves the file name

[CornedBee]

Hey, hey. I told him a simple way to get it right. Then I gave him another (advanced) option to remember for the future. What's wrong with that?

Is this better?

Very simple pax: just extract the filename from the uploaded file's path and name (by searching for the last / and only using the substring that comes after that) and stick that at the end of the path.


WARNING!
The part of the post that follows proposes an advanced option that is probably not possible for you to write at your current skill level. Proceed at your own risk.


Or sometimes it makes sense to create a random name. Usually by taking the current system time, adding a random factor and calculation an md5 checksum, then using that as the file name (that's the way my brother does it). Pretty much guarantees unique file name (else they would be overwritten). If you want to preserve the original name you must cross-relate the generated and real names in a database table.

And phpman, you need a database to do THAT. Or at least a text file, but a text file is slower to search.

[phpman]

no there is nothing wrong with giving him another option, but why if he can't understand the easy way.

for one you don't need to do any substr() or any other function to do what he wants, to upload a simple file.

everything you need is in $_FILES['uploadedfile']['name'] the superglobal.

even if you do use the md5() you can cross reference it with the superglobal you used to get the file uploaded in the first place. still no DB needed. you don't need a DB for anything that constitutes a file upload, (onle if you save the file name to the DB)

but you can gerenate a unique name and then get the orginal name back without the use of a DB, as long as you don't save it anywhere first and the $_FILES[] global is not empty.

[CornedBee]

Didn't know about the 'name' entry. You're right there.

But how do I get the real name back in a later session if the file was saved under a random name without a DB or something comparable?

The problem this is trying to solve is this: You have a system where everyone can upload image files to insert somewhere. Now there is danger that some user accidently overwrites his own or even somebody else's files by uploading a file with the same name. To avoid this you can give random names to the files. But in order to display the user a good name you must store the old name. If you have any idea how to do this without a database I'm sure my brother would appreciate it.

[phpman]

well you hit the point right there. unless you store the name somewhere for future reference then you can't. that is where a DB comes in handy.

unless you make the random name come before the orignal name or vise-versa than you wouldn't need a DB.

so the file name would be kind of long but it would contain the orginal name if you neded to change it back for some reason.

[Paxthegreat]

Originally posted by phpman
no there is nothing wrong with giving him another option, but why if he can't understand the easy way.

for one you don't need to do any substr() or any other function to do what he wants, to upload a simple file.

everything you need is in $_FILES['uploadedfile']['name'] the superglobal.

even if you do use the md5() you can cross reference it with the superglobal you used to get the file uploaded in the first place. still no DB needed. you don't need a DB for anything that constitutes a file upload, (onle if you save the file name to the DB)

but you can gerenate a unique name and then get the orginal name back without the use of a DB, as long as you don't save it anywhere first and the $_FILES[] global is not empty.

ok, my internet was down for most of the night yesterday, so i had a lot of time to read, and flicked thru the upload section of the php manual, and it does say pretty much what ur saying, the example it gave though doesnt work, any ideas?

[phpman]

lets see the code you used for it.

[Paxthegreat]

HTML file

<html>
<title>Upload Demo</title>
<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="10000">
File To Be Uploaded: <input name="userfile" type="file">
<BR><input type="submit" value="Upload">
</form>
</html>

PHP file

<html>
<?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
copy($_FILES['userfile']['tmp_name'], "/home/duke/webroot/files");
} else {
echo "Possible file upload attack. Filename: " . $_FILES['userfile']['name'];
}
?>

</html>

[phpman]

you forgot the file

<html>
<?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
copy($_FILES['userfile']['tmp_name'], "/home/duke/webroot/files/" . $_FILES['userfile']['name']."");
} else {
echo "Possible file upload attack. Filename: " . $_FILES['userfile']['name'];
}
?>

</html>

[Paxthegreat]

hmm, well its a change, now im getting a different error atleast, its displaying the

Possible file upload attack. Filename:

msg, any ideas?

[phpman]

ok try this

PHP Code:

<html>
<?php 
$folder = "/home/duke/webroot/files";
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
copy($_FILES['userfile']['tmp_name'], "$folder/" . $_FILES['userfile']['name']."");
} else {
echo "Possible file upload attack. Filename: " . $_FILES['userfile']['name'];
}
?>

[Paxthegreat]

nope still brings up the same error

http://duke.pax3k.co.uk/upload.htm

[phpman]

I didn't get an error, I uploaded something, a image. it didn't say anything so look and see if it is in the directory.

[Paxthegreat]

hmm, weird i cant upload anything, but you have and so has a friend, but i asked another person and he got the same msg as me

I Try It: using IE v6 WinXP (doesnt work)
Friend 1: IE v6 winXP (works)
Friend 2: IE v6 Win2k (doesnt work)
You Try it: dunno what (works)

hmm :-/

[Sastraxi]

I got:

Possible file upload attack. Filename: editor.jpg

[Paxthegreat]

Originally posted by Sastraxi
I got:

yeah, its weird some ppl can upload (displays a blank screen) others cant upload and get a msg as above

any suggestions

[phpman]

I am on a win2K and IE6

try it this way

PHP Code:

<html>
<?php 
if (trim($_FILES['userfile']['tmp_name'])!="none" and trim($_FILES['userfile']['tmp_name'])!="" and trim($_FILES['userfile']['name'])!="") {
    if(!copy($_FILES['userfile']['tmp_name'], "/home/duke/webroot/files/" . $_FILES['userfile']['name'].""){
    } else {
        echo "failed to copy!";
        exit;
    }
} else {
echo "Possible file upload attack. Filename: " . $_FILES['userfile']['name'];
}
?>

</html>

now if you get the error "possible file upload attack" it is because the file was empty and it didn't upload.

[Paxthegreat]

Parse error: parse error, unexpected '{' in /home/duke/webroot/upload.php on line 5

:-/

[phpman]

hehe oops sorry

PHP Code:

<html>
<?php 
if (trim($_FILES['userfile']['tmp_name'])!="none" and trim($_FILES['userfile']['tmp_name'])!="" and trim($_FILES['userfile']['name'])!="") {
    if(!copy($_FILES['userfile']['tmp_name'], "/home/duke/webroot/files/" . $_FILES['userfile']['name'].""){
        echo "failed to copy!";
        exit;    
    } 
        
} else {
echo "Possible file upload attack. Filename: " . $_FILES['userfile']['name'];
}
?>

</html>

[Paxthegreat]

Parse error: parse error, unexpected '{' in /home/duke/webroot/upload.php on line 5