PHP upload to specific folder

Question

I am trying to do a php upload that will upload into a specific folder. One would choose the file they wish to upload next to a dropdown box which is a folder list. This is because it organises files.

<?php 
session_start();
if(!isset($_SESSION["USER"]["Admin"])){
    header("Location: index.html?unath");
}

$folder = mysql_real_escape_string($_POST['loc']);

$target_path = "../../shared/docs/$folder";




$upload2 = $target_path  .  basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $upload2)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}

?>

Currently the code uploads the file into the "docs" folder and not docs/folder. Instead it puts the folder name in front of the file. For example- if the folder is called "abc" and my file is called robs.docx it will upload it to the main Docs folder and call it abcrobs.docx

score 2 · Accepted Answer · answered Aug 26 '12 at 11:12

2

You have a missing slash

Replace this line:

$upload2 = $target_path  .  basename( $_FILES['uploadedfile']['name']);

with:

$upload2 = $target_path  ."/".  basename( $_FILES['uploadedfile']['name']);

OR:

Replace this line:

$target_path = "../../shared/docs/$folder";

with:

$target_path = "../../shared/docs/".$folder."/";

answered Aug 26 '12 at 11:12

Ofir Baruch

10,323
2
26
39

I see where I went wrong now.. noob error :) Thanks for that :D – Rsmithy Aug 26 '12 at 11:14
I will be but I have to wait until stackoverflow lets me – Rsmithy Aug 26 '12 at 11:21

score 1 · Answer 2 · edited May 23 '17 at 10:27

1

You do not need mysql_real_escape_string because there's no SQL involved here.
If no database connection is established, mysql_real_escape_string returns null. So you're probably throwing away the $_POST['loc'] value.
You should never ever use user supplied values for manipulating anything on the filesystem without really, really thorough inspection of what you're going to manipulate. See Security threats with uploads.
Use var_dump liberally to see what your values look like at various stages and do some debugging.

edited May 23 '17 at 10:27

Community

1
1

answered Aug 26 '12 at 11:14

deceze

510,633
85
743
889

I just copied something from an old script for the `$folder = mysql_real_escape_string($_POST['loc']);` At the minute i'm building a rough script which I will develop; for security and duplicate file names. Thanks for the feedback and link – Rsmithy Aug 26 '12 at 11:19
This upload area is also on a restricted area- only admin users (whom I've authorised) can access- they upload the files to an area where all users on the portal can access (via a webpage) – Rsmithy Aug 26 '12 at 11:25

score 0 · Answer 3 · answered Aug 26 '12 at 11:12

0

You are missing a slash after $target_path

answered Aug 26 '12 at 11:12

tomsv

7,207
6
55
88

This is really a comment, not an answer. – Lix Aug 26 '12 at 11:13
`./.` In a way it does answer my question as in I have to look at my code and see where I missed the '/' – Rsmithy Aug 26 '12 at 11:20

score 0 · Answer 4 · answered Aug 26 '12 at 11:13

0

Add a / on the end of your $target_path:

$target_path = "../../shared/docs/$folder/";

answered Aug 26 '12 at 11:13

Josh

2,835
1
21
33

score 0 · Answer 5 · answered Aug 26 '12 at 11:15

0

You should properly escape your variables:

$target_path = "../../shared/docs/". $folder ."/";

answered Aug 26 '12 at 11:15

mewm

1,227
10
13

PHP upload to specific folder

5 Answers5