This code works properly on my localhost. I am using XAMPP 1.7.3, but when I put it on the live server it shows "Possible file upload attack!"
. \'upload/\' is the fol
Most likely the $uploaddir is wrong. Use
echo dirname(__FILE__);
to get the real full path to your root folder on the web server and then put something like
/web/real/path/to/root/upload
as the path.
The problem is the leading slash in your file name. While it might resolve correctly on your XAMPP machine, when it's on your server box the leading slash will try to put it in the filesystem root.
It's guessing that it's an attack because people can sometimes fudge incoming parameters to drop harmful files where they can execute them!
Why not just do this:
$uploaddir = './upload';
It will be relative to where your script is, if that is the intent. Otherwise you need the full dir (from system root).
Try this code
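<?php
// Browser-supplied MIME type: shown for information only, never trust it for validation.
$fltype = $_FILES['userfile']['type'];
echo htmlspecialchars($fltype, ENT_QUOTES, 'UTF-8') . "<br>";
/*if($_FILES['userfile']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}*/
// Relative path: resolved against the current working directory; the folder must exist and be writable.
$uploaddir = 'uploads/';
// basename() strips any directory components from the client-supplied file name.
$imgname = basename($_FILES['userfile']['name']);
$uploadfile = $uploaddir . $imgname;
$desc = $_POST["desc"];
echo "<br>" . htmlspecialchars($imgname, ENT_QUOTES, 'UTF-8') . "<br>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
// mysqli replaces the mysql_* functions, which were removed in PHP 7.
$con = mysqli_connect("localhost", "root", "", "n1");
if (!$con) {
    die("<br>Database connection failed.<br>");
}
// Prepared statement: file name and description are bound as data, not pasted into the SQL text.
$sql = "insert into tblimage (imagename,description) values(?,?)";
echo "<br>" . $sql;
$stmt = mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, "ss", $imgname, $desc);
$rs = mysqli_stmt_execute($stmt);
if ($rs) {
    echo "<br>Record inserted in table.<br>";
} else {
    echo "<br>Error in table insertion.<br>";
}
echo "<br><br>uploaded image is::::<br><br>";
// Escape the path before placing it in an HTML attribute.
echo "<img src='" . htmlspecialchars($uploadfile, ENT_QUOTES, 'UTF-8') . "' />";
?>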
I had the same problem: the uploading script worked on localhost but got Possible File Attack Error! on the host server.
I fixed it by giving 777 permission to the upload folder. Go to FTP, right click on the folder and choose properties. Tick all boxes (read/write/execute) and grant 777 permission.
Also edit the php.ini file, usually in the etc/ folder on Linux. Change the following settings to
upload_max_filesize = 1024M
post_max_size = 1024M
max_execution_time = 6000
max_input_time = 6000
memory_limit = 128M
You can download PuTTY to access the Linux server using an SSH terminal.
GOOD LUCK
You probably can't move your file to /upload/ which is an "upload" folder at the root of the server file system, hence move_uploaded_file() reporting FALSE and your message. Plus, this /upload/ folder probably doesn't even exist nor is it writeable.
You probably want to move it to $_SERVER['DOCUMENT_ROOT'].'/upload/' which will point to your virtual host root (something like www or wherever you're uploading your application files). Don't forget to create this folder and to change its permissions accordingly (CHMOD 777 is a good idea).
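
The path and permission causes discussed in the answers above can be told apart by checking each precondition before calling move_uploaded_file(). The following is an added example, not code from any of the posts: store_upload() is a hypothetical helper, and it assumes the form field userfile used on this page, an upload directory beside the script, PHP 7.1 or later and the fileinfo extension.

```php
<?php
// Added example: records *why* an upload failed instead of one generic message.
// Assumptions: form field 'userfile' (as on this page), directory 'upload' beside this script.

function store_upload(array $file, string $destDir): array
{
    // 1. PHP's own verdict on the transfer (size limits, partial upload, missing tmp dir ...).
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'PHP upload error code ' . $file['error']];
    }
    // 2. The temp file must really come from an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'tmp_name is not an uploaded file'];
    }
    // 3. The usual cause of the message on this page: destination missing or not writable.
    $real = realpath($destDir);
    if ($real === false || !is_dir($real)) {
        return [false, "destination does not exist: $destDir"];
    }
    if (!is_writable($real)) {
        return [false, "destination not writable by the web server user: $real"];
    }
    // 4. Decide the type from the file content, not from the browser-supplied 'type'.
    $allowed = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return [false, "type not allowed: $mime"];
    }
    // 5. Server-generated name: the client's file name never reaches the filesystem.
    $target = $real . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, 'move_uploaded_file() failed'];
    }
    return [true, $target];
}

if (isset($_FILES['userfile'])) {
    // __DIR__ is the absolute directory of this script, so the destination is the
    // same on XAMPP and on the live server (no leading-slash surprise).
    [$ok, $info] = store_upload($_FILES['userfile'], __DIR__ . '/upload');
    // The detailed reason goes to the server error log; the client sees a generic result.
    error_log('upload: ' . ($ok ? "stored as $info" : "rejected, $info"));
    header('Content-Type: text/plain; charset=utf-8');
    echo $ok ? "File uploaded.\n" : "Upload rejected.\n";
}
```

The logged reason distinguishes a wrong $uploaddir from a permissions problem or a php.ini size limit, which are the three causes the answers propose.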