0

I am trying to do a PHP upload that will upload into a specific folder. One would choose the file they wish to upload next to a dropdown box which is a folder list. This is because it organises files.

<?php 
session_start();
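if(!isset($_SESSION["USER"]["Admin"])){
    header("Location: index.html?unath");
    // header() only queues the redirect; stop here so the upload code
    // below does not still run for non-admin requests.
    exit;
}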

$folder = mysql_real_escape_string($_POST['loc']);

$target_path = "../../shared/docs/$folder";

$upload2 = $target_path  .  basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $upload2)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}

?>

Currently the code uploads the file into the "docs" folder and not docs/folder. Instead it puts the folder name in front of the file name. For example, if the folder is called "abc" and my file is called robs.docx, it will upload it to the main Docs folder and call it abcrobs.docx.

5 Answers

2

You have a missing slash

Replace this line:

$upload2 = $target_path  .  basename( $_FILES['uploadedfile']['name']); 

with:

$upload2 = $target_path  ."/".  basename( $_FILES['uploadedfile']['name']); 

OR:

Replace this line:

$target_path = "../../shared/docs/$folder";

with:

$target_path = "../../shared/docs/".$folder."/";

2 Comments

I see where I went wrong now.. noob error :) Thanks for that :D
I will be but I have to wait until stackoverflow lets me
1
  1. You do not need mysql_real_escape_string because there's no SQL involved here.
  2. If no database connection is established, mysql_real_escape_string returns null. So you're probably throwing away the $_POST['loc'] value.
  3. You should never ever use user supplied values for manipulating anything on the filesystem without really, really thorough inspection of what you're going to manipulate. See Security threats with uploads.
  4. Use var_dump liberally to see what your values look like at various stages and do some debugging.

2 Comments

I just copied something from an old script for the $folder = mysql_real_escape_string($_POST['loc']); At the minute I'm building a rough script which I will develop, for security and duplicate file names. Thanks for the feedback and link
This upload area is also in a restricted area - only admin users (whom I've authorised) can access it - they upload the files to an area which all users on the portal can access (via a webpage)
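
Point 3 of the answer above, as an added example that is not part of the original answer or the asker's script: the folder from the form is accepted only if it names a directory that really exists under the docs root, and the client file name is reduced to a safe final component before the path is built. The function name resolve_upload_target(), the extension allowlist and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example: resolve an upload destination from untrusted form input.
// resolve_upload_target() and the sample inputs are hypothetical/constructed.

function resolve_upload_target(string $docsRoot, string $folder, string $clientName): ?string
{
    $root = realpath($docsRoot);
    if ($root === false) {
        return null;
    }
    // Allowlist: the folder must be one of the real directories directly
    // under the docs root (the same set the dropdown should be built from).
    $allowed = array_filter(scandir($root), function ($e) use ($root) {
        return $e !== '.' && $e !== '..' && is_dir("$root/$e") && !is_link("$root/$e");
    });
    if (!in_array($folder, $allowed, true)) {
        return null; // empty values, "../x", nested or absolute paths never match
    }
    // Keep only the last path component of the client-supplied name and
    // restrict it to a conservative character set.
    $name = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        return null;
    }
    // Assumed extension allowlist; the docs area is served to portal users,
    // so script extensions must not land there.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['docx', 'pdf', 'xlsx'], true)) {
        return null;
    }
    // Separators are explicit, so "abc" + "robs.docx" cannot fuse into one name.
    return "$root/$folder/$name";
}

// Constructed demo: a temporary docs root containing one real subfolder.
$docs = sys_get_temp_dir() . '/docs_demo_' . getmypid();
mkdir("$docs/abc", 0700, true);
$cases = [['abc', 'robs.docx'], ['../abc', 'robs.docx'], ['abc', '../../index.php'], ['', 'robs.docx']];
foreach ($cases as [$folder, $file]) {
    $target = resolve_upload_target($docs, $folder, $file);
    printf("%-9s %-16s => %s\n", var_export($folder, true), $file, $target ?? 'REJECTED');
}
rmdir("$docs/abc");
rmdir($docs);
```

In the upload handler, the returned path would be passed as the destination to move_uploaded_file(), and a null result treated as a rejected request.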
0

You are missing a slash after $target_path

2 Comments

This is really a comment, not an answer.
./. In a way it does answer my question as in I have to look at my code and see where I missed the '/'
0

Add a / on the end of your $target_path:

$target_path = "../../shared/docs/$folder/";

0

You should properly escape your variables:

$target_path = "../../shared/docs/". $folder ."/";
