Re: Upload not finding directory to write to.

Robert Cummings wrote:
> On Sat, 2006-10-28 at 14:49 +0900, Dave M G wrote:
>> PHP List,
>>
>> I had a file upload script which was working fine. Then, because of 
>> other needs, I changed my local Apache settings so that my local web 
>> site directory structure behaved the same as it does on my web hosting 
>> service.
>>
>> What I mean by that is that before, I would access my local web sites by 
>> going to their directories within the localhost (/var/www) directory:
>>
>> localhost/web_sites/web_site_one/index.php
>>
>> Now I just go to:
>>
>> web_site_one/
>>
>> If I create a link that says <a href="/">link</a>, it goes to the root 
>> of the web site, where the index.php is.
>>
>> Within that root directory, I have a directory called "image", where I'm 
>> trying to put my uploaded image files.
>>
>> The destination file location should then be "/image/", shouldn't it?
>>
>> My code looks like this:
>>
>> $fileLocation = "/image/" . $_POST['name'];
>> if(move_uploaded_file($_FILES['file']['tmp_name'], $fileLocation))
>> {
>> chmod ($fileLocation, 0777);
>> }
>>
>> $_POST['name'] is a name for the file that the user has entered.
>>
>> But this now gives me an error that it can't open a stream to the 
>> destination.
>>
>> I also checked to make sure that the "image" directory has fully open 
>> permissions, and it's currently set to "drwxrwxrwx", or "0777".
>>
>> Am I missing some fundamental issue with directory structures on an 
>> Apache server?
> 
> 
> Shouldn't you have something closer to:
> 
> <?php
> 
>     $fileLocation = '/var/www/web_site_one/image/'.$_POST['name'];
> 
> ?>
> 
> Because you're trying to access a filesystem path and not a web path. More
> generically if you want:
> 
> <?php
> 
>     $myPath = dirname( __FILE__ ); // directory containing this script
>     $fileLocation = $myPath.'/image/'.$_POST['name'];

and at the very least let's perform a dirname on the name var...

$yourfile = dirname($_POST['name']);

in order to avoid security issues related to directory traversal.

:-)

> 
> ?>
> 
> That still presumes a script in the site's root directory.
> 
> Cheers,
> Rob.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
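
An added example (not code from this thread) of building the upload destination from a filesystem path while confining the user-supplied name to the image directory. It uses basename(), which keeps only the final path component; the helper name safe_upload_target, the demo directory and the allowed extensions are assumptions made for the example.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Maps a user-supplied name to a path inside $baseDir, or returns null.
function safe_upload_target(string $baseDir, string $userName): ?string
{
    $base = realpath($baseDir);            // filesystem path, not a web path
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Treat "\" as a separator too, then keep only the last path component.
    $name = basename(str_replace('\\', '/', $userName));
    // Allow a conservative stem and a single image extension only
    // (the extension list is an assumption for this example).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.(jpe?g|png|gif)$/i', $name)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample inputs standing in for $_POST['name'].
$imageDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'image_demo';
if (!is_dir($imageDir)) {
    mkdir($imageDir, 0755);
}
$samples = ['holiday.jpg', '../../etc/passwd', '../index.php',
            'sub/dir/cat.png', '..\\..\\boot.gif', ''];
foreach ($samples as $sample) {
    $target = safe_upload_target($imageDir, $sample);
    printf("%-22s => %s\n", var_export($sample, true), $target ?? 'rejected');
}

// In the upload handler the result would be used like this:
//   $target = safe_upload_target(__DIR__ . '/image', $_POST['name']);
//   if ($target !== null
//       && move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
//       chmod($target, 0644);   // readable by the web server, not world-writable
//   }
```

Names that reduce to an allowed image file name resolve to a path directly under the image directory; everything else is rejected before move_uploaded_file() is reached.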

