
php file upload problem

This code works properly on my localhost. I am using XAMPP 1.7.3, but when I put it on the live server it shows "Possible file upload attack!". 'upload/' is the folder under the 'public_html' folder on the server. I can upload files via another script in that directory.

<?php

$uploaddir = '/upload/';//I used C:/xampp/htdocs/upload/ in localhost. is it correct here?
$uploadfile = $uploaddir . basename($_FILES['file_0']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['file_0']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>

You probably can't move your file to /upload/ which is an "upload" folder at the root of the server file system, hence move_uploaded_file() reporting FALSE and your message. Plus, this /upload/ folder probably doesn't even exist nor is it writeable.

You probably want to move it to $_SERVER['DOCUMENT_ROOT'].'/upload/' which will point to your virtual host root (something like www or wherever you're uploading your application files). Don't forget to create this folder and to change its permissions accordingly (CHMOD 777 is a good idea).

The problem is the leading slash in your file name. While it might resolve correctly on your XAMPP machine when it's on your server box the leading slash will try to put it in the filesystem root.

It's guessing that it's an attack because people can sometimes fudge incoming parameters to drop harmful files where they can execute them!

Most likely the $uploaddir is wrong. Use

echo dirname(__FILE__);

to get the real full path to your root folder on the web server and then put something like

/web/real/path/to/root/upload

as the path.

Try this code

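<?php
// Client-supplied MIME type: shown for debugging only, not a reliable check.
$fltype = $_FILES['userfile']['type'];
echo htmlspecialchars($fltype) . "<br>";
/*if($_FILES['userfile']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}*/

$uploaddir = 'uploads/';
// basename() strips any directory components from the client-supplied name.
$imgname = basename($_FILES['userfile']['name']);
$uploadfile = $uploaddir . $imgname;
$desc = $_POST["desc"];
echo "<br>" . htmlspecialchars($imgname) . "<br>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}

// mysqli with a prepared statement replaces the removed mysql_* functions
// and keeps $imgname and $desc out of the SQL text.
$con = mysqli_connect("localhost", "root", "", "n1");
$sql = "insert into tblimage (imagename,description) values(?,?)";
echo "<br>" . $sql;
$stmt = mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, "ss", $imgname, $desc);
$rs = mysqli_stmt_execute($stmt);
if ($rs) {
    echo "<br>Record inserted in table.<br>";
} else {
    echo "<br>Error in table insertion.<br>";
}
echo "<br><br>uploaded image is::::<br><br>";
// Escape the path before placing it in an HTML attribute.
echo "<img src='" . htmlspecialchars($uploadfile, ENT_QUOTES) . "' />";
?>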

I had the same problem, uploading script worked on localhost but got Possible File Attack Error! on host server.

I fixed it by giving 777 permission to the upload folder. Go to FTP, right-click on the folder and choose Properties. Tick all boxes (read/write/execute) and grant 777 permission.

Also edit the php.ini file, usually in the etc/ folder on Linux. Change the following settings to

upload_max_filesize : 1024M
post_max_size : 1024M
max_execution_time : 6000
max_input_time : 6000
memory_limit : 128M

You can download PuTTY to access the Linux server using an SSH terminal.

GOOD LUCK

Why not just do this:

$uploaddir = './upload';

It will be relative to where your script is, if that is the intent. Otherwise you need the full dir (from system root).
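
A diagnostic version of the upload handler, as an added example that is not part of the original thread: it resolves the destination from `__DIR__` and reports which precondition failed, instead of printing "Possible file upload attack!" for every `false` returned by `move_uploaded_file()`. The `upload` directory beside the script, the extension allow-list, and the function names are assumptions.

```php
<?php
// Added example, not from the thread; the 'upload' path and allow-list are assumptions.
const UPLOAD_DIR = __DIR__ . '/upload';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function upload_error_reason(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {          // size limits, partial upload, ...
        return 'PHP upload error code ' . $file['error'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {      // must come from this HTTP POST
        return 'tmp_name is not an uploaded file';
    }
    $real = realpath($dir);                          // '/upload/' resolves from the filesystem root
    if ($real === false || !is_dir($real)) {
        return "destination directory does not exist: $dir";
    }
    if (!is_writable($real)) {
        return "destination is not writable by the PHP user: $real";
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return "extension not allowed: $ext";
    }
    return null;                                     // every precondition holds
}

function store_upload(array $file, string $dir): string
{
    $reason = upload_error_reason($file, $dir);
    if ($reason !== null) {
        throw new RuntimeException($reason);
    }
    // Server-generated name: the client-supplied name never reaches the filesystem.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $target = realpath($dir) . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException("move_uploaded_file() failed for $target");
    }
    return $target;
}

if (isset($_FILES['file_0'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(basename(store_upload($_FILES['file_0'], UPLOAD_DIR)));
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage()); // detail goes to the log only
        echo 'Upload failed.';
    }
}
```

The destination only has to be writable by the account PHP runs as; the `is_writable()` branch reports when it is not.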
