PHP file upload issue. file is not getting uploaded at all

Question

I am trying to debug the code since 2 hours, but cannot find the issue here. This code is not uploading any files! also it doesnt show any error. seems like the server is not receiving the file at all!

here is the html part

<form action="?" method="post" enctype="multipart/form-data" name="form1" id="form1">
  <label>Select file: (Max size: 2mb)</label>
  <input type="file" name="xls_file" id="xls_file" /> <input type='hidden' value='55' name='yo' />
  <input type="submit" name="submit" id="submit" value="Submit" />
</form>

here is the PHP part

    if(isset($_FILES['xls_file'])) {
    if ($_FILES['xls_file']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['xls_file']['error']);
    }}

if(isset($_FILES['xls_file'])){
$file_name = $_FILES['xls_file']['name'];
$allowed =  array('xls','xlsx','csv');
$ext = pathinfo($file_name, PATHINFO_EXTENSION);

$file_size =$_FILES['xls_file']['size'];
$file_tmp =$_FILES['xls_file']['tmp_name'];
$file_type=$_FILES['xls_file']['type'];

//check for valid file
if(!in_array($ext,$allowed)) {
    echo "Invalid file type.";
    exit;
    }

//check for file size
if(($file_size/1000) > 2100){
    echo "File size greater than allowed limit. Kindly choose a small file. ";
    exit;
    }

move_uploaded_file($file_tmp,"./".str_replace(array('"',"'","\\","=","<",">","`",";"), '', $file_name));
$uploaded = true;
}

here is the complete code

    <?php
$G_POST = str_replace(array('"',"'","\\","=","<",">","`",";"), '', $_POST);
$G_GET = str_replace(array('"',"'","\\","=","<",">","`",";"), '', $_GET);


if($G_POST[filename])
        $uploaded = true;

    if(isset($_FILES['xls_file'])) {
    if ($_FILES['xls_file']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['xls_file']['error']);
    }}

    if(isset($_FILES['xls_file'])){
    $file_name = $_FILES['xls_file']['name'];
    $allowed =  array('xls','xlsx','csv');
    $ext = pathinfo($file_name, PATHINFO_EXTENSION);

    $file_size =$_FILES['xls_file']['size'];
    $file_tmp =$_FILES['xls_file']['tmp_name'];
    $file_type=$_FILES['xls_file']['type'];

    //check for valid file
    if(!in_array($ext,$allowed)) {
        echo "Invalid file type.";
        exit;
        }

    //check for file size
    if(($file_size/1000) > 2100){
        echo "File size greater than allowed limit. Kindly choose a small file. ";
        exit;
        }

    move_uploaded_file($file_tmp,"./".str_replace(array('"',"'","\\","=","<",">","`",";"), '', $file_name));
    $uploaded = true;
    } 

?>
<!DOCTYPE html>
<html>
<head>
<title>Excel (xls,xlsx,csv) to VCF (vCard) Online Converter - The Web Vendor</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.css">
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<script src="http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js"></script>
</head>
<body>

<div data-role="page">
  <div data-role="main" class="ui-content">

  <?php 
  //STEP 1, ON LOAD
  if(!$uploaded) {
  ?>
  <h2>Excel to VCF Converter</h2>
<p>This is a simple, 3-step tool to convert your contact details in excel / spreadsheet to vCard (3.0) format. Supported formats are: xls, xlsx and csv.</p>
<p>Must Watch video tutorial here: <a href="https://www.youtube.com/watch?v=sn7ROzt9YRA" target="_blank">https://www.youtube.com/watch?v=sn7ROzt9YRA</a></p>
<hr/>
<h3>Step 1:</h3>
    <form action="?" method="post" enctype="multipart/form-data" name="form1" id="form1">
      <label>Select file: (Max size: 2mb)</label>
      <input type="file" name="xls_file" id="xls_file" /> <input type='hidden' value='55' name='yo' />
      <input type="submit" name="submit" id="submit" value="Submit" />
    </form>
  <?php } 
  //STEP 2, AFTER FILE UPLOAD
    else if(!$G_POST[filename]) {
        ?>
        <form action="?" method="post" name="step2">
        <h3>Step 2:</h3>
            <label>Uploaded file:</label>
            <input type="text" name="filename" id="filename" readonly="readonly" value="<?php echo str_replace(array('"',"'","\\","=","<",">","`",";"), '', $file_name) ?>" />
            <label>Sheet no: </label>
            <input name="sheet" type="number" required="required" id="sheet" max="9999" min="1" value="1" />
            <label>First Column:</label>
            <select name="first_column" id="first_column" required >
        <option value="A">A</option>
        <option value="B">B</option>
        <option value="C">C</option>
        <option value="D">D</option>
        <option value="E">E</option>
        <option value="F">F</option>
        <option value="G">G</option>
        <option value="H">H</option>
        <option value="I">I</option>
        <option value="J">J</option>
        <option value="K">K</option>
        <option value="L">L</option>
        <option value="M">M</option>

      </select>
            <label>Last Column:</label>
            <select name="last_column" id="last_column" required >
        <option value="A">A</option>
        <option value="B">B</option>
        <option value="C">C</option>
        <option value="D">D</option>
        <option value="E">E</option>
        <option value="F">F</option>
        <option value="G">G</option>
        <option value="H">H</option>
        <option value="I">I</option>
        <option value="J">J</option>
        <option value="K">K</option>
        <option value="L">L</option>
        <option value="M">M</option>
        <option value="N">N</option>
      </select>
            <label>First Row:</label>
            <input type="number" name="first_row" id="first_row" min="1" max="9999" required="required" />
            <label>Last Row:</label>
            <input type="number" name="last_row" id="last_row" min="1" max="9999" required="required" />
            <input type="submit" value="Submit">

            </form>
            <?php
    }

  ?>

  </div>
</div>

</body>
</html>

I am experienced. but never experienced any such issue.

Once PHP delivers you the $_POST and $_GET arrays they are all yours. There is no point in creating another copy. Sanitize each input **of course** but another copy is not needed — RiggsFolly, Jul 27 '16 at 12:58
A bit of sensible code indentation would also help us read the code but more importantly **help you debug it** — RiggsFolly, Jul 27 '16 at 12:59
When submitting the form ajax is fired. And this is because the jquery.mobile-1.4.5.min.js. So you should have to upload the file by ajax call and change the code accordingly. — Rahul Patel, Jul 27 '16 at 13:26
@RahulPatel yes you are right! I tried removing jquery.mobile and it works great! will try using ajax. thanks a ton. — Shrey Gokani, Jul 27 '16 at 15:05
@RiggsFolly this is the way I code every app. I filter out external data to prevent any injections. problem is with jquery.mobile as pointed by Rahul — Shrey Gokani, Jul 27 '16 at 15:08
Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) — RiggsFolly, Jul 27 '16 at 15:15
@RiggsFolly thanks for pointing it out. but I am removing all characters used in injection. is it still vulnerable? — Shrey Gokani, Aug 22 '16 at 13:36

score 0 · Answer 1 · answered Jul 27 '16 at 15:18

As pointed by @RahulPatel ,the thing is jquery.mobile uses ajax while handling form data. file cant be submitted with ajax. so we need to tell j.mobile to turn off ajax for this form. And so, we need to add following to the form definition

data-ajax="false"

and so code will be

<form action="" method="post" enctype="multipart/form-data" name="form1" id="form1" data-ajax="false">

thanks to https://forum.jquery.com/topic/file-upload-in-jquery-mobile

PHP file upload issue. file is not getting uploaded at all

1 Answers1