Problem uploading files to the server

0

I created a folder named Archivos (www.MiServidor.com/Archivos) and changed its permissions to allow reading, writing and modifying. I have a form in index.php in which the name of an image and a file are entered. When the form is submitted, it runs a PHP file which receives the two POST values and performs an insert into a table; here is the code.

include("../Conexion.php");
$Conexion = new Conexion(SERVIDOR,USUARIO,PASS,DB); // initialize the database
session_start(); 
$Nombre = $_POST["Nombre"]; // receive the name of the image
$imagen = $_FILES["Imagen" ]; // receive the image

$archi = "INSERT INTO Archivos VALUES (null,".$url.",'".$Nombre."')"; // insert a record with the name and the url
$Conexion -> set_charset('utf8');
$Conexion->query($archi);

So far everything works fine, then I try to store the received file in the Archivos folder that I created on the server with the following line

move_uploaded_file($_FILES[ $name ][ 'tmp_name' ], 
$_SERVER['DOCUMENT_ROOT']."/Archivos/".$nombre); 

but it does not store anything. On my local server (localhost) it does allow it, but on my rented server (Neubox.com) it does not.

NOTE: I only upload PNG images.

Below I share the code:

include("../Conexion.php"); // include the connection

$Conexion = new Conexion(SERVIDOR,USUARIO,PASS,DB); // initialize the database
session_start(); 
$Nombre = $_POST["Nombre"]; // receive the name of the image
$imagen = $_FILES["Imagen" ]; // receive the image

$archi = "INSERT INTO Archivos VALUES (null,".$url.",'".$Nombre."')"; // insert a record with the name and the url
$Conexion -> set_charset('utf8');
$Conexion->query($archi);

move_uploaded_file($_FILES[ $name ][ 'tmp_name' ], 
$_SERVER['DOCUMENT_ROOT']."/Archivos/".$nombre.".png");

However, it does not show any kind of error; it just does not store anything.

    
asked by Luis Meneses 31.10.2017 at 05:37

2 answers

1

Prelude: your code has a giant security hole that I explain below.

First, your variable $url is not defined. So if the name you chose is "perrito":

$archi = "INSERT INTO Archivos VALUES (null,".$url.",'".$Nombre."')"; 

It translates to

$archi = "INSERT INTO Archivos VALUES (null,,'perrito')"; 

The double comma makes it an invalid statement and nothing is inserted. Let's say then that $url would be:

$url = '/Archivos/'.$Nombre.'.png';

Suppose your front end says something like

<form enctype="multipart/form-data" action="subir.php" method="POST">
    Elija un nombre para el archivo: 
    <input type="text" name="nombre" value=""  />
    Elija un archivo desde su computadora:
    <input type="file" name="imagen"  />
    <input type="submit" value="Enviar archivo" />
</form>

The content of subir.php would be (be aware that I am defining $url, which you do not have defined):

include("../Conexion.php"); // include the connection
$Conexion = new Conexion(SERVIDOR,USUARIO,PASS,DB);
session_start(); 
$Nombre = $_POST["nombre"]; // receive the name of the image
$imagen = $_FILES["imagen" ]; // receive the image

$url = '/Archivos/'.$Nombre.'.png';

$archi = "INSERT INTO Archivos VALUES (null,'$url','$Nombre')"; 

$Conexion->set_charset('utf8');
$Conexion->query($archi);

move_uploaded_file($imagen[ 'tmp_name' ], $_SERVER['DOCUMENT_ROOT']."/Archivos/$Nombre.png");

And this "would work".

Now imagine that I choose my file ($Nombre) to be called

"perrito'); DROP TABLE Archivos;--";

Your query $archi would become

INSERT INTO Archivos VALUES (null, '/Archivos/perrito.png','perrito'); DROP TABLE Archivos;--

Do you realize that by directly interpolating the value of the $Nombre field you are inviting a catastrophe?

The correct way would be something like:

$archi = "INSERT INTO Archivos VALUES (null,:url,:nombre)"; 
$stmt = $Conexion->prepare($archi);
$stmt->bindParam(':url', $url, \PDO::PARAM_STR);
$stmt->bindParam(':nombre', $Nombre, \PDO::PARAM_STR);
$stmt->execute();


    
answered by 31.10.2017 at 11:56
0

It does not upload anything because you are not telling it which file to upload.

It seems that the problem is $_FILES[$name]['tmp_name']: I do not see where the variable $name is defined in your PHP script, nor do I see where the variable $nombre is defined.

$nombre and $Nombre are not the same.

Put something like this:

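// 'tmp_name' is the key PHP uses for the temporary path of the uploaded file
$archivo = $_FILES['archivo']['tmp_name'];
$nombrearchivo = $_FILES['archivo']['name'];

// DOCUMENT_ROOT normally has no trailing slash, so the path needs a leading one
move_uploaded_file($archivo, $_SERVER['DOCUMENT_ROOT'].'/Archivos/'.$nombrearchivo);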

You must make sure that the address where you are uploading the file on your server is correct and that the names of the fields on your form match those of your PHP script.

You can also see the documentation on the PHP site.


Greetings.

    
answered by 31.10.2017 at 06:01
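
A hardened version of the upload handler discussed in both answers, as an added example that is not part of the original posts: it surfaces the failure the question describes as silent and keeps the user-supplied name out of both the SQL text and the file path. It assumes a PDO connection (the DSN and credentials are placeholders), the form fields nombre and imagen from the first answer, and the Archivos table and folder from the question; the function name guardar_png is hypothetical.

```php
<?php
// Added example (not from the original posts). Assumptions: a PDO connection,
// form fields "nombre" and "imagen", and the Archivos table and folder.
function guardar_png(array $file, string $nombre, PDO $db, string $dir): string
{
    // PHP reports upload failures (size limits, missing tmp dir...) here.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed, error code {$file['error']}");
    }
    // Check the content, not the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/png') {
        throw new RuntimeException('The file is not a PNG image');
    }
    // The target directory must exist and be writable by the PHP user.
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("Directory not writable: $dir");
    }
    // Server-generated file name: the user's text never reaches the path.
    $archivo = bin2hex(random_bytes(16)) . '.png';
    if (!move_uploaded_file($file['tmp_name'], "$dir/$archivo")) {
        throw new RuntimeException('move_uploaded_file() returned false');
    }
    // The user's text reaches the database only as a bound parameter.
    $url = "/Archivos/$archivo";
    $stmt = $db->prepare('INSERT INTO Archivos VALUES (null, :url, :nombre)');
    $stmt->execute([':url' => $url, ':nombre' => $nombre]);
    return $url;
}

if (isset($_FILES['imagen'], $_POST['nombre'])) {
    try {
        // Placeholder DSN and credentials: replace with your own.
        $db = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
            'EXAMPLE_USER', 'EXAMPLE_PASS',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $dir = $_SERVER['DOCUMENT_ROOT'] . '/Archivos';
        $url = guardar_png($_FILES['imagen'], (string) $_POST['nombre'], $db, $dir);
        echo 'Stored as ' . htmlspecialchars($url);
    } catch (Throwable $e) {
        error_log('Upload: ' . $e->getMessage()); // full detail to the log only
        http_response_code(400);
        echo 'The upload could not be stored.';
    }
}
```

The message written to the error log tells apart a rejected upload (for example UPLOAD_ERR_INI_SIZE), a directory the PHP user cannot write to, and a failed move, which is the information missing when nothing is stored and no error appears.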