1

This code works properly on my localhost. I am using XAMPP 1.7.3, but when I put it on the live server it shows "Possible file upload attack!". 'upload/' is the folder under the 'public_html' folder on the server. I can upload files via another script in that directory.

<?php

$uploaddir = '/upload/';//I used C:/xampp/htdocs/upload/ in localhost. is it correct here?
$uploadfile = $uploaddir . basename($_FILES['file_0']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['file_0']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>
2
  • Check folder permissions for /upload/ Commented Feb 28, 2011 at 21:02
  • And first, you should check if $_FILES['file_0'] exists, because it will report "Possible file upload attack" if no file at all is uploaded, which is funny. Commented Feb 28, 2011 at 21:11

6 Answers 6

4

You probably can't move your file to /upload/ which is an "upload" folder at the root of the server file system, hence move_uploaded_file() reporting FALSE and your message. Plus, this /upload/ folder probably doesn't even exist nor is it writeable.

You probably want to move it to $_SERVER['DOCUMENT_ROOT'].'/upload/' which will point to your virtual host root (something like www or wherever you're uploading your application files). Don't forget to create this folder and to change its permissions accordingly (CHMOD 777 is a good idea).


1 Comment

I just noticed this and after that saw all these answers. Thanks!
2

The problem is the leading slash in your file name. While it might resolve correctly on your XAMPP machine, when it's on your server box the leading slash will try to put it in the filesystem root.

It's guessing that it's an attack because people can sometimes fudge incoming parameters to drop harmful files where they can execute them!


1

Most likely the $uploaddir is wrong. Use

echo dirname(__FILE__);

to get the real full path to your root folder on the web server and then put something like

/web/real/path/to/root/upload

as the path.

1 Comment

or just __DIR__ if using PHP 5.3 ;-)
0

Why not just do this:

$uploaddir = './upload';

It will be relative to where your script is, if that is the intent? Otherwise you need the full dir (from system root).


0

Try this code

<?php
// Client-supplied MIME type: untrusted, so escape it before echoing.
$fltype = $_FILES['userfile']['type'];
echo htmlspecialchars($fltype) . "<br>";
/*if($_FILES['userfile']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}*/

$uploaddir = 'uploads/';
// basename() strips any directory components from the client-supplied name.
$imgname = basename($_FILES['userfile']['name']);
$uploadfile = $uploaddir . $imgname;
$desc = $_POST["desc"];
echo "<br>" . htmlspecialchars($imgname) . "<br>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
// mysqli with a prepared statement replaces the removed mysql_* functions
// and keeps $imgname and $desc out of the SQL text.
$con = mysqli_connect("localhost", "root", "", "n1");
$sql = "insert into tblimage (imagename,description) values(?,?)";
echo "<br>" . $sql;
$stmt = mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, "ss", $imgname, $desc);
$rs = mysqli_stmt_execute($stmt);
if ($rs) {
    echo "<br>Record inserted in table.<br>";
} else {
    echo "<br>Error in table insertion.<br>";
}
echo "<br><br>uploaded image is::::<br><br>";
echo "<img src='" . htmlspecialchars($uploadfile, ENT_QUOTES) . "' />";
?>


0

I had the same problem, uploading script worked on localhost but got Possible File Attack Error! on host server.

I fixed it by giving 777 permission to the upload folder. Go to FTP, right-click on the folder and choose properties. Tick all boxes (read/write/execute) and grant 777 permission.

Also edit php.ini file usually in etc/ folder on linux. Change the following settings to

upload_max_filesize : 1024M
post_max_size : 1024M
max_execution_time : 6000
max_input_time : 6000
memory_limit : 128M

You can download putty to access linux server using SSH terminal.

GOOD LUCK

1 Comment

777 has some security flaws, try using 767 first -- it's a bit more secure.
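
As an added example (not code from any of the posts above), this handler reports the specific reason an upload failed instead of one catch-all "attack" message, and builds the destination from `__DIR__` rather than a path starting at the filesystem root. It assumes the question's `file_0` field and an `upload` directory beside the script; the `diagnose_upload()` helper and the extension allow-list are hypothetical.

```php
<?php
// Added example: tell apart the common reasons move_uploaded_file() fails.
// Assumptions: form field 'file_0' (from the question), an 'upload' directory
// beside this script, and a small extension allow-list chosen for illustration.
function diagnose_upload(?array $file, string $destDir): string
{
    if ($file === null) {
        return 'no file field in request (check form enctype and post_max_size)';
    }
    $errors = [
        UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE in the form',
        UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file was selected',
        UPLOAD_ERR_NO_TMP_DIR => 'server has no temporary directory',
        UPLOAD_ERR_CANT_WRITE => 'server could not write the temporary file',
        UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
    ];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return $errors[$file['error']] ?? 'unknown upload error';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'tmp_name is not a file uploaded via HTTP POST';
    }
    if (!is_dir($destDir)) {
        return "destination $destDir does not exist";
    }
    if (!is_writable($destDir)) {
        return "destination $destDir is not writable by the PHP user";
    }
    return '';
}

$destDir = __DIR__ . '/upload';
$file    = $_FILES['file_0'] ?? null;
$problem = diagnose_upload($file, $destDir);

header('Content-Type: text/plain');
if ($problem !== '') {
    http_response_code(400);
    echo "Upload rejected: $problem\n";
} else {
    // Generated name: the client-supplied name never becomes part of the path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $ext = in_array($ext, ['gif', 'jpg', 'png'], true) ? $ext : 'bin';
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    echo move_uploaded_file($file['tmp_name'], $target) ? "Stored.\n" : "Move failed.\n";
}
```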
