3

So I want the user to only be able to upload docs or docx's. So first here's my html:

<form action="upload_file.php" method="post" enctype="multipart/form-data">
    Select a file: <input type="file" name="img">
    <input type="submit">
</form>

And here's my php:

$allowedExts = array("doc", "docx");
    $extension = end(explode(".", $_FILES["file"]["name"]));

    if ($extension!=".doc" || $extension!=".doc"
    && ($_FILES["file"]["size"] < 200000)
    && in_array($extension, $allowedExts)) {
        if ($_FILES["file"]["error"] > 0)
        {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
        }
        else
        {
            echo "Upload: " . $_FILES["file"]["name"] . "<br />";
            echo "Type: " . $_FILES["file"]["type"] . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

            if (file_exists("Proposals/" . $_FILES["file"]["name"]))
            {
                echo $_FILES["file"]["name"] . " already exists. ";
            }
            else
            {
                move_uploaded_file($_FILES["file"]["tmp_name"],
                "Proposals/" . $_FILES["file"]["name"]);
                echo "Stored in: " . "Proposals/" . $_FILES["file"]["name"];
            }
        }
    } else {
        echo "Invalid file";
    }

Every time I try to upload a file, whether it's a doc or a png, it outputs this:

Upload: 
Type: 
Size: 0 Kb
Temp file: 
already exists.

And nothing ends up getting uploaded to the Proposals folder. So I have 2 questions:
1) what is the problem with my code?
2) it redirects to upload_file.php and displays a message. Is there a way to actually go back to the main page and display text that it was successful?

2
  • Read over the example again, you are using name="img" instead of name="file" w3schools.com/php/php_file_upload.asp Commented Oct 2, 2012 at 14:19
  • Don't trust the ['type'] data from the user, it can be forged. Use server-side mime-type determination, but also note that .docx files are really just a .zip file that contains a pile of other files (mostly xml). Plus you're using ['name'] directly to save your file, allowing a malicious user to potentially write a file ANYWHERE on your server. In short, your script is an open invitation to pwn your server. Commented Oct 2, 2012 at 14:23

5 Answers

5

The first question has already been answered so I won't answer it again.

2) it redirects to upload_file.php and displays a message. Is there a way to actually go back to the main page and display text that it was successful?

It is normally better to show the success message on the redirected page but you can solve this two ways:

  • Store the previous URL (or know it) and redirect to it with header("Location: old_page.php");
  • Make the target of the form an iframe. This means the main page itself will not redirect and you can just bubble a response from upload_file.php (which will load in the iframe) making seamless uploading for your app.

Also this is not the best way to get a file extension:

$extension = end(explode(".", $_FILES["file"]["name"]));

Try using pathinfo instead: http://php.net/manual/en/function.pathinfo.php

$extension = pathinfo( $_FILES["file"]["name"], PATHINFO_EXTENSION);

And your if statement:

if ($extension!=".doc" || $extension!=".doc"
    && ($_FILES["file"]["size"] < 200000)
    && in_array($extension, $allowedExts)) {

Even though this is a tiny usage of in_array I still would recommend taking that out and using a more practical method of searching arrays: http://php.net/manual/en/function.array-search.php

So your if would become something like:

if (($_FILES["file"]["size"] < 200000) && array_search($extension, $allowedExts)!==false) {

1 Comment

@AnthonyHatzopoulos Cos he didn't put my answer as his answer? My answer is quite different to his
4

Your file field name is img and you have used $_FILES["file"], but it should be $_FILES["img"].

Also you need to change your if condition

if (($_FILES["file"]["size"] < 200000)
    && in_array($extension, $allowedExts)) {

There is no need of

$extension!=".doc" || $extension!=".doc" &&


2

You'll have to use $_FILES["img"] instead of $_FILES["file"] or rename your input name to "file".


2
  1. Try to use $_FILES["img"] array to access uploaded file properties (your "Select a file" input called "img").

  2. You may use "Location" http header to redirect back to source page.


2

change

$extension!=".doc" || $extension!=".doc"

to

$extension!=".doc" || $extension!=".docx"

and use $_FILES['img'] instead of $_FILES['file'] because your file type is having img name property.
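
The following is an added example, not code from any post in this thread: one way to combine the points raised above (reading $_FILES["img"], checking the file contents on the server instead of trusting ['type'], storing under a server-generated name, and redirecting back with a Location header). The page name index.php, the upload directory and the MIME type list are assumptions.

```php
<?php
// Added example (PHP 7.1+), not code from the thread. Assumptions: the field
// name "img" from the question's form, a form page named index.php, and an
// upload directory that the web server does not serve.
const MAX_BYTES  = 200000;                    // size limit used in the question
const UPLOAD_DIR = __DIR__ . '/../proposals'; // assumed location
// Extension => MIME types finfo may report; the strings vary with the
// server's libmagic version, so confirm them against real files.
const ALLOWED = [
    'doc'  => ['application/msword', 'application/vnd.ms-office'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document',
               'application/zip'],
];

// Returns [extension, null] when the upload passes, [null, reason] otherwise.
function check_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [null, 'upload error'];
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] >= MAX_BYTES) {
        return [null, 'not an upload or too large'];
    }
    // The client-supplied name is read only for its extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [null, 'extension not allowed'];
    }
    // Type is detected from the file contents, never from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [null, 'content does not match extension'];
    }
    return [$ext, null];
}

[$ext, $err] = check_upload($_FILES['img'] ?? []);
if ($err === null) {
    // Server-generated name: only the allow-listed extension comes from the client.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['img']['tmp_name'], $target)) {
        $err = 'could not store file';
    }
}
// Send the browser back to the form page, which reads ?upload= to show a message.
header('Location: index.php?upload=' . ($err === null ? 'ok' : 'failed'));
exit;
```

Because a .docx is a ZIP container, the content check only confirms the container type; it does not prove the archive holds a Word document.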
