Problems with uploading file

Posted on 2005-04-26
Last Modified: 2006-11-18
I have a page where the user can enter information into text fields as well as upload a file, all on the same form.  I have it set up in the following way:

First, I validate the file with a function, which checks to see if it is the right size, and the right type.

      function validate_file($files_array){
            // Collect validation errors for the uploaded file
            $errors = array();
            $userfile_error = $files_array['userfile']['error'];
            // Note: 'type' is the MIME type reported by the browser
            $userfile_type = $files_array['userfile']['type'];
            if($userfile_error > 0){
                  // Map PHP's upload error codes to messages
                  switch($userfile_error){
                        case 1: $errors[] = 'File exceeded upload_max_filesize'; break;
                        case 2: $errors[] = 'File exceeded max_file_size'; break;
                        case 3: $errors[] = 'File only partially uploaded'; break;
                        case 4: $errors[] = 'No file uploaded'; break;
                  }
            }
            if($userfile_type != 'application/x-zip-compressed'){
                  $errors[] = 'File is invalid';
            }

            return $errors;
      }

Next, I validate the text fields.  If there are any errors in either of these functions, I display them in the same script.  Otherwise, I put all values into the session and do a header(location: ) to the preview script which just shows all the info.  Finally, I add all the text fields to the database, and finish the upload with the following function, which gives me the problem:

      function upload_file($new_filename, $userfile){
            $errors = array();
            $filedir = '/home/sites/';
            print $userfile . '<br>';
            $userfile_name = $new_filename;
            // Only handle files that PHP itself received via HTTP POST
            if(is_uploaded_file($userfile)){
                  $upfile = $filedir . $userfile_name;
                  // Move the temporary file to its final destination
                  if(!move_uploaded_file($userfile, $upfile)){
                        print 'Could not move file to destination directory';
                        //return $errors;
                  }
            } else {
                  print 'Possible file upload attack. Filename: '.$userfile_name;
            }
      }

Here, userfile is just the value of $_FILES['userfile']['tmp_name'] in a $_SESSION variable, and new filename is the final name of the file.  This always fails and gives me the error 'Possible file upload attack' as shown above.  Does anybody know what the problem is?  The file doesn't even seem to be uploading to the tmp directory.  Are there any examples out there of a script which uploads a file as well as adds text input fields to a DB?  Thanks.
Question by:abstractionz
    LVL 3

    Expert Comment

    Check the permissions on the folder where you are trying to upload. It should have write permission.

    Check the following link for more help.

    Hope this helps.

    LVL 2

    Expert Comment

    Did you include this in your form tag?


    Without it, files won't upload.
    LVL 20

    Expert Comment

    you should work directly on the supplied system array $_FILES
    there's no value in passing it around like you're showing

    if this script is happening in another file than the script that uploaded, then the temp file may be deleted since it is a temp file.

    Author Comment

    I do have permission to upload to the folder, and I included the enctype.

    It is happening in another file than the script that uploaded.  The only reason I did it this way was so that I could validate both the text fields and the file at the same time.
    LVL 2

    Expert Comment

    The file is deleted when you move to a new page before handling it.
    LVL 1

    Accepted Solution

    Instead of leaving the file in the global /tmp folder before moving it to its permanent location, move it from /tmp to your own tmp folder like /hold.  That way you can validate the file while it's moved to /hold.  Then once the file is valid, move it from /hold to its permanent location.  That way the file won't be deleted.
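
The staging approach from the accepted answer, as an added example that is not part of the original thread. The directory paths, size limit and function names are assumptions, and it requires PHP 7.1+ with the fileinfo extension; the session holds a server-generated token instead of the tmp_name path.

```php
<?php
// Added example: paths and function names below are assumptions, not from the post.
const HOLD_DIR  = '/home/sites/hold/';   // hypothetical, outside the web root
const FINAL_DIR = '/home/sites/files/';  // hypothetical permanent location
const MAX_BYTES = 2097152;               // assumed 2 MB limit

// Request 1 (the form handler): stage the upload before the request ends,
// because PHP deletes the temporary file when the script finishes.
function stage_upload(array $file): array {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [null, 'Upload failed with error code ' . $file['error']];
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        return [null, 'File is invalid'];
    }
    // Detect the type from the content; $file['type'] is sent by the browser.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'application/zip') {
        return [null, 'File is invalid'];
    }
    // Server-generated name: nothing from the client reaches the filesystem path.
    $token = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], HOLD_DIR . $token)) {
        return [null, 'Could not move file to hold directory'];
    }
    return [$token, null];
}

// Request 2 (after the preview page): promote the staged file.
function promote_upload(string $token, string $final_name): bool {
    // Accept only tokens in the format stage_upload() produces.
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;
    }
    $src = HOLD_DIR . $token;
    // basename() strips directory components from the final name.
    return is_file($src) && rename($src, FINAL_DIR . basename($final_name));
}

// Form handler usage:
//   [$token, $err] = stage_upload($_FILES['userfile']);
//   if ($err === null) { $_SESSION['upload_token'] = $token; }
// Final script usage:
//   promote_upload($_SESSION['upload_token'], $new_filename);
```

Files that are staged but never promoted stay in the hold directory, so it needs periodic cleanup.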
