Re: postgresql csv import; temporary directory

ourdiaspora <ourdiaspora@xxxxxxxxxxxxxx> · Thu, 21 Oct 2021 20:52:22 +0000

On Friday, September 24th, 2021 at 9:54 PM, ourdiaspora <ourdiaspora@xxxxxxxxxxxxxx> wrote:

> Just realised that the function 'sys_get_temp_dir' returns:
>
> "
>
> /tmp/...[random string]
>
> "
>
> and not the temporary directory specified in the phpinfo() file.
>

Readers,

Pleased to announce _very_ simple successful ability to upload csv file, _without any security validation_. Posted here just in case someone benefits.

"
...
$uploaddir = '/tmp/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
$dbconnect = pg_connect("dbname=... user=...");
$targetfilepath = $uploaddir . $uploadfile;
$filename=$_FILES["userfile"]["tmp_name"];
$file = fopen($filename, "r");
$getdata = fgetcsv($file, 10000, ",");
$dbdataentry = "INSERT INTO tablename(name, id, emailaddress) VALUES ('".$getdata[0]."','".$getdata[1]."','".$getdata[2]."')";
$result = pg_query($dbconnect, $dbdataentry);
pg_freeresult($result);
pg_close($dbconnect);
...
"