1

For some reason my PDF upload form is failing consistently. I have this code:

<?php
if($_POST["submit"] == "Add PDF to Comm and Special Projects")
{
    $addsubp = $_POST["addsubp"];
    $addsubp_name = $_POST["addsubp_name"];
    $commuploadedfile = $_FILES['uploadedfile']['name'];
    $sqldoc = "INSERT INTO projects_links (pid, display_name, link) VALUES ('".$addsubp."','".$addsubp_name."','".$commuploadedfile."')";
    mysql_query($sqldoc) or die(mysql_error()); 
    echo "<BR>";
    $target_path = "D:\\Hosting\\69903\\html\\pdfs\\comm\\";    
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "<br>The file ".  basename( $_FILES['uploadedfile']['name']). 
        " has been uploaded<br>";
    } else{
        echo "<br>There was an error uploading the file, please try again.<br>";
    }
}
?>
<form method="post">
Add PDF to Project for Committees and Special Projects <br>Choose Project<select name="addsubp"><?php

$query = "SELECT
projects.*
FROM
projects";
$showresult = mysql_query($query);
$csp_c = 1;
while($buyarray = mysql_fetch_assoc($showresult))
{
    echo "<option value=".$buyarray['id'].">".$buyarray["pname"]."</option>";
}

?></select><br>
Choose Display Name for PDF <input type="text" name="addsubp_name" /> <Br>
Choose PDF: <input name="uploadedfile" type="file" /> <Br>
<input type="submit" value="Add PDF to Comm and Special Projects" name="submit" />
</form>

I have made sure that the application has write privileges to the "comm" directory. I have GoDaddy and used the file manager to make sure of that. I have had problems with permissions in this project before, so I know this isn't the case. It keeps printing

There was an error uploading the file, please try again.

It doesn't attempt to upload any PDF at all. What am I doing wrong? Thanks!

4
  • Not sure if this has anything to do with it, but are you on a Windows system? Might be how Windows handles the $_FILES['uploadedfile']['tmp_name'] Commented Jan 14, 2011 at 3:59
  • It is a Windows-based server, yes Commented Jan 14, 2011 at 4:01
  • Aside note: you probably should only do your INSERT INTO if the file upload is successful, no? Commented Jan 14, 2011 at 4:03
  • Is D:\Hosting\69903\html\pdfs\comm\ writable for the PHP process? Commented Jan 14, 2011 at 4:04

3 Answers

3

You may have permissions issues, but for file uploads your form tag should contain the proper enctype attribute.

<form enctype="multipart/form-data" method="POST">

and defining a file size limit is also a good idea:

<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />


1 Comment

<form enctype="multipart/form-data" method="POST"> adding this in fixed the problem, thanks a lot man! :)
2

Try checking the upload error message: http://php.net/manual/en/features.file-upload.errors.php

4 Comments

Thanks for your suggestion, I print this in after my error inside my else loop: echo $_FILES['uploadedfile']['error']; it doesn't print anything, forgive me I haven't used this before
+1. Should check for errors before calling move_uploaded_file
Look at the comments under the question. It's where your "answer" should be. When you write an answer, it's because you have a solution that can solve the problem. Saying "Look there to see if there's a solution..." is not an answer.
I gave the OP a link to the PHP documentation about using the error message part of File Uploads functionality. Yes I could have written the whole thing out, but then I'd just be duplicating the manual, and I don't remember anything saying stackoverflow answers have to include code.
0
  1. Your code is blindly assuming the file upload succeeded. At bare minimum you should have something like

    if ($_FILES['uploadedfile']['error'] === UPLOAD_ERR_OK) {
        // ... handle the upload
    }

  2. Your code is vulnerable to SQL injection. You do not escape any of the 3 values you're inserting into the database.

  3. You're creating the database record before making sure the file was successfully moved into the target directory. What happens if the file can't be written for any reason (as it is now with your problem)? The database will say it's there, file system will say it isn't.

  4. You're not checking for file collisions. If two separate uploads send "file.txt", the second upload will overwrite the first one.

  5. You're storing the files with the user-supplied name, which is under user control. If this file is web-accessible, anyone with access to your upload form can upload anything they want (e.g. a php file) and the server will happily execute it for them.

3 Comments

This form is used by my friend as an administration tool; only she has access to the form. If something goes wrong, i.e. file upload failed, I can fix it for her. It's something I threw together quickly. I just needed my question answered, not a lecture. Thanks for your time.
Good security starts at home. If you don't have the time to do two or three extra lines of code, then enjoy the problems you'll cause other people on other projects.
@Pete. Constructive criticism shouldn't be pushed away. I'm gonna +1 this to bring it back to 0
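
The five points of the last answer combined into one handler, as an added example that is not code from the question or from any answerer. It assumes PHP 7+ with the fileinfo extension, a PDO connection `$pdo` in exception mode in place of the removed `mysql_*` functions, and a hypothetical function name `store_pdf`; the table and form field names are the question's.

```php
<?php
// Added example. Assumptions: PDO (exception mode) replaces mysql_*, fileinfo is
// enabled, and store_pdf() is a hypothetical name. Numbers refer to the answer's points.
function store_pdf(PDO $pdo, array $file, string $pid, string $displayName, string $dir): string
{
    // 1. Stop unless PHP reports a clean upload. Without enctype="multipart/form-data"
    //    $_FILES is empty, so this fails loudly instead of at move_uploaded_file().
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code: ' . ($file['error'] ?? 'no file received'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // 5. Decide the type from the content, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException('Only PDF files are accepted');
    }

    // 4 + 5. Server-generated name: no collisions, and the extension is fixed
    //        to .pdf so nothing is stored under a name the web server would execute.
    $storedName = bin2hex(random_bytes(16)) . '.pdf';
    $target = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . $storedName;

    // 3. Move the file first; only a stored file gets a database row.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the upload into place');
    }

    // 2. Prepared statement: values are bound, never concatenated into the SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO projects_links (pid, display_name, link) VALUES (?, ?, ?)'
    );
    try {
        $stmt->execute([$pid, $displayName, $storedName]);
    } catch (PDOException $e) {
        unlink($target);   // keep file system and database consistent
        throw $e;
    }
    return $storedName;
}

// Usage with the question's form fields and target directory:
// store_pdf($pdo, $_FILES['uploadedfile'] ?? [], $_POST['addsubp'], $_POST['addsubp_name'], 'D:\\Hosting\\69903\\html\\pdfs\\comm');
```

The user's original file name can still be shown to visitors through `display_name`; it is simply never used as a path on disk.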
