无法使用PHP上传文件？

Question

Can you anyone look at my code? People can click the upload button to upload some file and the code should move it to a new location and save it. I tested it by uploading a image file and I cant find that file in the folder I specified. I am certain the directory is correct because I used directory is folder and it can lead to the folder I want it to be in. Because the dir below has my name, I used "1" instead. Thank you in advance!

I changed the code according to answer but it is still giving me back error: Warning: move_uploaded_file(/Users/angeloliao/Documents/Screen.tiff): failed to open stream: Permission denied in /usr/local/zend/apache2/htdocs/JuvoliciousProductViewer/5.php on line 16

Warning: move_uploaded_file(): Unable to move '/usr/local/zend/tmp/phpdfCRD3' to '/Users/angeloliao/Documents/Screen.tiff' in /usr/local/zend/apache2/htdocs/JuvoliciousProductViewer/5.php on line 16

I tried to change the folder's permission using the following command on terminal: sudo chown -R 0755 /Users/angeloliao/Documents. It ran.

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8">
</head>
<body>
   <form enctype="multipart/form-data" method="POST">
       <input type="file" name="file" />
       <input type="submit" name="submit" value="upload" />
   </form>
   <?php
   if ($_FILES) {
       $name = $_FILES['file']['name'];
       $temp = $_FILES['file']['tmp_name'];
       $dir = "/Users/angeloliao/Documents/";
   if (move_uploaded_file($temp,$dir.$name)) {
       echo "File is valid, and was successfully uploaded.\n";
     }
     } else {
         echo "Possible file upload attack!\n";
   }
   ?>
</html>

Answer 1

<!DOCTYPE html>
<html>
   <head>
    <meta charset="UTF-8">
</head>
<body>
    <form enctype="multipart/form-data" method="POST">
        <input type="file" name="file" />
        <input type="submit" name="submit" value="upload" />
    </form>
    <?php
        $name = $_FILES['file']['name'];
        $temp = $_FILES['file']['tmp_name'];
        $dir = "/Users/1/Documents/";
        move_uploaded_file($temp,$dir.$name);
    ?>
</body>

Should be a _ not + and the directory should be "Documents/" WITH a slash

Answer 2

As per the PHP documentation , the temporary name is found in $_FILES['file']['tmp_name'] not $_FILES['file']['tmp+name'] . Also, do a var_dump() of $dir.$name . If the file you uploaded is "image.jpg" then it would be /Users/1/Documentsimage.jpg . Notice the missing slash.

Changing this will make your code work, but it still doesn't handle all possible errors nor is it secure! Uploads can fail. If they do, you will find an error code ( the docs has a reference that lists them all ) in $_FILES['file']['error'] . You should check that the uploaded succeeded before moving the temporary file (and you should also only execute the move command if the form has been submitted).

In addition, it is not secure to use the name provided by the uploader. Consider if the $_FILE['file']['name'] was ../../../usr/local/bin/php . Then the uploader could replace your PHP interpreter with a malicious executable. This is dangerous! Never trust user input! In this case, the best practice is to randomly generate a filename which is not dependent on the original filename (ie. don't just hash the provided filename, because what if two people upload a file with a same name?).

if($_POST['submit'] === 'upload') {  // only process form if it has been submitted

    if($_FILES['file']['error'] !== UPLOAD_ERR_OK) {

        exit('There was an error uploading your file');
    }

    $uploads_dir = '/Users/1/Documents/';
    $upload_name = sha1(mt_rand().microtime(true)); // you should actually pick
                                                    // something more unique
                                                    // (collisions are possible)

    move_uploaded_file($FILES['file']['tmp_name'], $uploads_dir . $upload_name);
}