1

I'm using a file upload on my website and I don't understand why some uploads aren't accessible through a web browser; I can only see them through an FTP client.

My PHP function looks like this:

```php
move_uploaded_file($fileTmpLoc, 'uploads/'.date('ymdGis').'-'.substr(str_shuffle(md5(time())),0,4).'-'.str_replace(' ', '-', $fileName))
```

When uploading a file like

Screen Shot 2013-10-22 at 7.14.00 AM.png

the result link is

/uploads/131022172126-08cd-Screen-Shot-2013-10-22-at-7.13.18-AM.png

Is it the length of the file or something else that causes some files not to be accessible through a web browser?

Matthew Abrman
  • 1
    What do you mean by "aren't accessible", what error do you get when trying to access them? – Pekka Oct 22 '13 at 15:38
  • You might find something useful here: http://stackoverflow.com/questions/2668854/sanitizing-strings-to-make-them-url-and-filename-safe – r3mainer Oct 22 '13 at 15:39
  • It could be the periods ... other stuff I've encountered in the past has been capital letters. There are plenty of no-go characters to avoid ... question marks / slashes etc. It does seem to vary between server types though. – Darren Crabb Oct 22 '13 at 15:39
  • Several issues here. First, `str_shuffle` on MD5 as some kind of "more random" mechanism is ridiculous, please don't do that. Secondly, what if the file name I provide is `../../evil.php`? I get remote PHP code execution on your box. Whoops! – Polynomial Oct 22 '13 at 15:46

3 Answers

2

As defined in RFC3986, the following characters are valid in a URL:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 - _ . ~

The following characters have special meaning, and are therefore allowed but must be escaped in certain places.

! * ' ( ) ; : @ & = + $ , / ? % # [ ]

As for the maximum length, this has been answered very well in another question: What is the maximum length of a URL in different browsers?

Community
Polynomial
  • This doesn't really solve the issue. All the characters he is using are completely valid. Now it does answer the length, however. – Kirk Backus Oct 22 '13 at 15:41
  • Given the information he provided, it's enough to tell him that no, it isn't the characters or length that are breaking it. It's clearly something else. – Polynomial Oct 22 '13 at 15:44
  • Whilst RFC3986 is the standard for URLs it doesn't necessarily mean the server is 100% compatible with that. I've definitely had issues in the past with the server not responding correctly to capital letters. It would upload the file but if it had capital letters it wouldn't allow access to it from the HTTP side of things. That was an old shared UNIX solution I used to use long ago. I haven't had such issues recently though - things seem to have improved in recent years. – Darren Crabb Oct 22 '13 at 15:57
0

There is no max length for the filename, but you have a limit: upload_max_filesize.

http://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize

Maybe the limit was reached?

0

I feel stupid for asking now

```php
substr(str_shuffle(md5(time())),0,4)
```

I was echoing the same thing but didn't realise that the random characters will be regenerated again and therefore echoing a broken link. Terribly sorry for taking your time.

Thanks for the help.

Matthew Abrman
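The fix described in the last answer (compute the name once and reuse it for both the move and the link), combined with the path and randomness points raised in the comments on the question, as an added example that is not code from any poster on this page. The helper name `build_stored_name`, the `ALLOWED_EXT` list and the sample inputs are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example (hypothetical helper, not code from the question).

const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif'];   // assumption: image uploads only

function build_stored_name(string $clientName): ?string
{
    // Drop any directory part: "../../evil.php" becomes "evil.php".
    // Backslashes are normalised first; on Linux basename() only splits on "/".
    $base = basename(str_replace('\\', '/', $clientName));

    // Allow-list of characters; every other run of characters becomes "-".
    $base = preg_replace('/[^A-Za-z0-9._-]+/', '-', $base);
    $base = trim($base, '.-');   // no leading dot, no stray separators

    // Refuse anything whose extension is not on the allow-list, so a
    // script cannot be stored under a name the web server would execute.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // 4 hex characters from the CSPRNG instead of str_shuffle(md5(time())).
    $token = bin2hex(random_bytes(2));

    return date('ymdGis') . '-' . $token . '-' . $base;
}

// Constructed sample names, so the script runs without a real upload.
$samples = ['Screen Shot 2013-10-22 at 7.14.00 AM.png', '../../evil.php'];

foreach ($samples as $fileName) {
    $stored = build_stored_name($fileName);   // generated exactly once
    if ($stored === null) {
        echo $fileName, ' => rejected', PHP_EOL;
        continue;
    }
    $target = 'uploads/' . $stored;
    // In the real handler this one $target is used for both steps:
    //   move_uploaded_file($fileTmpLoc, $target);
    //   echo '/' . $target;
    echo $fileName, ' => /', $target, PHP_EOL;
}
```

The screenshot name is stored with a fresh token and the traversal name is rejected; because `$target` is built once, the link that is echoed always matches the file on disk.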