serious error with php move_uploaded_file not working - file-upload

i have a serious problem with php file upload.
the problem is that the file is not moving from the tmp to the destination directory
this is my html page
<form name="f1" method="post" action="handleUpload.php" enctype="multipart/form-data">
<input type="file" name="htmlfile">
<input type="submit">
</form>
and here is my PHP page handleUpload.php,
if(isset($_POST) and $_SERVER['REQUEST_METHOD'] == "POST")
{
$arrayKeys=array_keys($_FILES['htmlfile']);
foreach($arrayKeys as $s)
echo $s ." : ".$_FILES['htmlfile'][$s]." <br>";
$name = $_FILES['htmlfile']['name'];
$size = $_FILES['htmlfile']['size'];
$tempName= $_FILES['htmlfile']['tmp_name'];
list($filePureName, $ext) = explode(".", $name);
$valid_formats = array("jpg","png", "gif", "bmp","rar","zip");
$fileObject=fopen($tempName,"r") ;
echo "test Text" . fgets($fileObject) ."</br>";
fclose($dstFile) ;
if($_FILES["htmlfile"]["error"] != 0 ) {
echo "file error with code " .$_FILES["htmlfile"]["error"];
}
if( is_uploaded_file($tempName)){
echo "<br> upladed to the tmp directory ";
move_uploaded_file($_FILES["htmlfile"]["tmp_name"],"./".$_FILES["htmlfile"]["name"]) ;
//move_uploaded_file($_FILES["htmlfile"]["tmp_name"],"upload/".$_FILES["htmlfile"]["name"])
}
}
else{
echo "you must visit the HTML upload page first";
}
the output i get is
name : numerical_hw1.rar
type : application/octet-stream
tmp_name : /tmp/phpK7Gmmf
error : 0
size : 34642
test TextRar!Ïs WÅt K„Á &–Gá#3& numerical_hw1\hw1_q1\numerical_hw1.cpp°¸ EÌÌý•½¦~g†¡¹[•Í…Àk#€Qu{Q|0a®'#ÆàM¹%_ûánšF“Q‘Á®ÞÛÅ€ÁEq'‰\—ç9yq%Páðà;áy¹‰ùLx_,Xrh»qüÙ‰ÐO‰ †3JI²†Žc÷“4ˆ ‰‡oɲE³*[⦆sÓè¤Í~·Ö”?ø‘ŒK6"Á¦æF,¼JÇ1rê¼´…BžT5$_sôJäļ†Å$ý˦A:`ë5kέ'3_„}ªœRijÅ3ÎÜøsÛV:÷5ËΰãÚÓžõÌÚK¦œñÕ÷ÚßýT­vÙäÓ
upladed to the tmp directory
the problem is that the file is not moved to the current directory nor to the "upload" directory -of course when it was alone and not commented- !!
as you can see the file is uploaded successfully to the tmp directory and i have open it, and read a line from it. and also i have checked it with the is_uploaded_file function and it pass that check.
i have carefully read php file upload topics from many sites, and found nothing is missing in both php and html !!
the folder permission is 755.
i should mention here that file uploading was working before recently, and i am sure that no body has changed or modified the php.ini file.
Any Help Please?? what should i do?
after exploring the server carefully i found that my website has been hacked, and the hacker upload a hack file !
but really i don't know what to do now and also i cant estimate the damage size caused by that hacker so Any Suggestion ?!!!!

Try that:
$pathDestino=$_SERVER['DOCUMENT_ROOT'] . "\\xxx\\upload\\" . $_FILES["htmlfile"]["tmp_name"];
$tmp_name=$_FILES["htmlfile"]["tmp_name"];
move_uploaded_file($tmp_name, $pathDestino);

Related

Can't access uploaded files via Podio API

We actually want to upload a file and attach it to an item but we're having problems just uploading it.
We are having a problem uploading an image into an item. We cant seem to access the image we uploaded to Podio via the API. We get a - "Sorry, you don't have access to this file. You might want to ask your admin to provide you the access to this file."
Which is so weird because everyone in our team cant access it, and we're admins on our workspaces. I also setup the api/secret keys and i'm and admin on that workspace. Whats wrong with this?
This is the code:
Podio::setup($client_id, $client_secret);
try {
Podio::authenticate_with_app($app_id, $app_token);
$upload = PodioFile::upload('PATH_TO_FILE', 'test_image.jpg');
if( $upload != ""){
echo "<br><br>Image uploaded to podio!<br><br>";
echo "<pre>".$upload."</pre>";
echo "<br><br>".$upload->file_id."<br>";
echo $upload->link."<br>";
}
if( PodioFile::attach( $upload->file_id, array('ref_type' => 'item', 'ref_id' => 43 )) != ""){
echo "<br><br>Image attached to item!<br>";
}
}catch (PodioError $e) {
echo $e->body['error_description'];
}
Podio::set_debug(true);
You can't access file itself until it's linked to something because files don't have own access-control system. Once file is attached to item or task or workspace or whatever else, then you might be able to access it if you have enough rights :).
There is at least one error item_id=43 is for sure not your item, so you can't attach file to it.

PHPBB adding custom page in a new directory

My version of PHPBB is installed /board of my site
I am trying to make a custom page inside a new directory called store the file is called decals.php
decals.php
<?php
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();
page_header('Store - Decals');
$template->set_filenames(array(
'body' => 'store_decals_body.html',
));
make_jumpbox(append_sid("{$phpbb_root_path}viewforum.$phpEx"));
page_footer();
?>
the store_decals_body.html is uploaded to my styles directory and i cant seem to get mysite.com/board/store/decals.php to work. It always put me to mysite.com/board
Have I overlooked something here?
If you have the PHP file in a subdirectory, change the root path accordingly:
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : '../';

Web-hosted file authorization

Im using a PHP based login authentication mechanism to allow/restrict access to some parts of my website (folder module1, module2, etc), but i have a problem with restricting access to files.
I used the documents folder (check below) to host some downloadable files. The links to those files appear in index.php (hosted in the root directory). However if for some reason a non-authorized user get the URL of the files hosed in documents he will be able to download it.
/
/documents/
/module1/
/module2/
PS: as this is an intranet website I restricted the access to documents by IPs, but there is still a small chances that someone use a PC with allowed IP address and he have the URL of the document.
Use some sort of a proxy PHP script that will serve the file for the user without giving the real source location.
The user would then see http://yourdomain.com/download.php?file=mydoc.docx
The real path is still /documents/userid/2342/mydoc.docx or what ever your structure looks like.
Then let your download.php file serve the file by:
<?php
// Validate the user here
// Set document root
$root = 'documents/userid/'.$userID.'/';
// Requested file
$file = $_GET['file'];
// Validate
if (file_exists($root . $file))
{
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=\"".basename($file)."\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($root . $file));
ob_clean();
flush();
readfile($root . $file);
}
else { echo "File not found"; }
?>
See more here

Symfony and uploadify

I want to use uploadify with Symfony 1.4, but so far I couldn't.
Uploadify loads correctly, I choose my files, it says that the files were successfully uploaded, but the are nowhere.
(I'm doing this on localhost)
Is there anybody who met this problem before?
Thanks, Tom
$file = $request->getParameter('file');
$filename = sha1($file->getOriginalName()).$file->getExtension($file->getOriginalExtension());
$file->save(sfConfig::get('sf_upload_dir').'/'.$filename);
in my project session stored in cookies so I found solution by create extra session storage class
class MySessionStorage extends sfSessionStorage
{
public function initialize($options = null)
{
$request = sfContext::getInstance()->getRequest();
// work-around for uploadify
if ($request->getParameter('uploadify') == "onUpload")
{
$sessionName = $options["session_name"];
if($value = $request->getParameter($sessionName))
{
session_name($sessionName);
session_id($value);
}
}
parent::initialize($options);
}
}
then changed factories.yml to
all:
storage:
class: MySessionStorage
and then "uploader" param will like this
uploader : '<?php echo url_for("attachments/upload?uploadify=onUpload&" . session_name() . "=" . session_id(), true)?>',
I can only guess that it's because you're trying to upload while logged into a system, but flash does not inherit session data from the browser, this means you will always be denied permission to whatever function you are trying to access since symfony thinks you're not logged in.
So you need to manually set variables in order for flash to use the same login session as the browser:
jQuery Code (needs to be in a php file, will not work in a js file):
$('#file_upload').uploadify({
.... config here
'scriptData': { '<?php echo session_name() ?>': '<?php echo session_id() ?>' }
});

Joomla User login check

First I am not a joomla developer. My friend has a web site created with joomla 1.5. In webroot there are some joomla files. I created a directory in webroot "mydirectory" and i have an index file in this directory. I try to access joomla's user info in this page i grab the user object but it doesn't work.
//i included joomla core files
$user =& JFactory::getUser();
if ($user->get('guest')) {
echo 'guest';
} else {
echo 'not guest';
}
when I log in to my account, it says 'guest' again.
Also, I can't find anything in Joomla's session class.
$session =& JFactory::getSession();
Thanks
You should do this:
$user =& JFactory::getUser();
if (!$user->guest) {
echo 'You are logged in as:<br />';
echo 'User name: ' . $user->username . '<br />';
echo 'Real name: ' . $user->name . '<br />';
echo 'User ID : ' . $user->id . '<br />';
}
This is from here: http://docs.joomla.org/JFactory/getUser
Try print_r($user) to see what items you are getting back.
Try to check for $user->id
See if you are missing including any file e.g. framework.php