Error when trying to upload PDF with PHP

jhez · #1 (**permalink**) 11-03-11, 12:30 PM

Hi, I've tried a bunch of slightly different ways to upload a pdf, but nothing seems to work. In the same directory as this file I have the uploads folder. Does anyone see what is wrong?

Thanks
-Jon

PHP Code:


			
<?php

                
                $submitted = $_POST["submit"];

                if ($submitted) {

                    $studentname = $_POST["studentname"];
                    $email = $_POST["email"];    
                    $filename = $_POST["filename"];
                    $year = $_POST["year"];
                    $abstract = $_POST["abstract"];
                    $uploadedfile=($_FILES['uploadedfile']['name']); 
                    
                    $dbhost = 'localhost';
                    $dbuser = '*****';
                    $dbpass = '*****';
                    
                    $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
                    
                    $dbname = 'jhezghia';           
                    mysql_select_db($dbname);
                    
                    /*** ENTER USER INFORMATION INTO DATABASE ***/

                    $sql = "INSERT INTO submission (studentname, email, filename , year, abstract, uploadedfile) VALUES ('$studentname' ,'$email', '$filename', '$year', '$abstract', '$uploadedfile')";
                    //echo $sql;
                    $result = mysql_query($sql);
                    if (!$result) {
                        die('SQL Error Entering User Information: ' . mysql_error());    
                    }
                    
                    if (is_uploaded_file($_FILES['uploadedfile']['tmp_name'])) {
                    if ($_FILES['uploadedfile']['type'] != "application/pdf") {
                        echo "<p>Paper must be uploaded in PDF format.</p>";
                    }
                    else {
                    //$target_path = "uploads/";
                    //$name = $_POST['name'];
                    //$target_path = $target_path."$name.pdf"; 
                    //$name = $_FILES["uploadedfile"]["name"];
                    //$target = $target . basename( $_FILES['photo']['name']); 
                    
                    $target_path = "uploads/";
                    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 
                    
                    if (move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $target_path)) {
                      //    echo "File stored in: " . $target_path . "<br />";
                   }
                   else {
                           echo "<br />an error moving the file: " . $target_path . "<br />";
                     }
                    }
                }
                }
                
                else { ?>

HTML Code:

<form enctype="multipart/form-data" action="submit.php" method="POST" >
	<p>
							<label for="name">Name:</label>
							<input type="text" class="text" name="studentname" id="name" />
							</p>
							<p>
							<label for="email">E-mail Address:</label>
							<input type="text" class="text" name="email" id="email" />
							</p>
							<p>
							<label for="email">Title of paper:</label>	
					   <input type="text" class="text" name="filename" id="filename" />
							</p>
							<p>
							<label for="year">Year:</label>
							<select name="year" >
								<option value="2012">2012</option>
								<option value="2013">2013</option>
								<option value="2014">2014</option>
								<option value="2015">2015</option>
							</select>
							</p>
							<p>
							<p>
							<br>
								<label for="text">Abstract (300 word max):</label>
								<textarea class="text" name="abstract" id="text"></textarea>
							</p>
							<input type=hidden name=MAX_FILE_SIZE value=10000000>
							<input type=hidden name=completed value=1>
							<p>
							<br>
	<label for="uploadedfile">Please choose a .pdf to upload: </label><input type="file" name="uploadedfile"><br>
							<p>
							<br>
							
							<p>
		<input type="submit" class="submit" value="Send" name="submit" />
							</p>
						
						</form>

AliceWonder32 · #2 (**permalink**) 11-04-11, 08:38 AM

I would need to look at your code more thoroughly to see what is going on, but your SQL code is insecure,

You really need to sanitize inputs and should use prepared statements.

Personally I would suggest taking all the SQL stuff out and get a simple working upload script that gets the PDF on the server.

One common problem with upload is the permissions on the upload dir. The web server needs to have write permission to the directory. There should be an error message in your apache logs (I'm assuming apache ??) that should help figure out what is going on.

UnrealEd · #3 (**permalink**) 11-05-11, 06:48 AM

Do you see an error message, or is the file not uploaded?

Besides the SQL issues, there are also security issues with your upload script. For instance, just checking the file-type header of the $_FILES array to see if the file is a pdf, is very unsafe. Reason: I can set such a header to anything, which would allow me to upload batch scripts through your form while your script thinks it's a pdf.