PHP function move_uploaded_file no longer works?

#1

Hello All -

I wrote a file upload script that uses the move_uploaded_file() function. It was working fine until a user reported that they were getting file upload errors. The code had not been touched during the time when the problem began to happen (sometime between 5/28 and 6/12).

I saw an old thread (sometime in '04) that said that PHP had to run as a CGI in order to use this function. But that doesn’t make sense to me since I did not alter the server configuration between the dates above. (My domain is not running as a CGI. It is not running as a CGI because I learned that I couldn’t use .htaccess directives in CGI mode.)

I also wondered if mod_security is causing a problem, but I suspect not due to other CMSes that are working fine with “Extra Web Security” (mod_security) turned on.

I have checked to be sure that the uploaded file in the server’s temp directory is there and is_file returns true.

I have also verified that my destination directory has 777 permissions.

Any ideas?

#2

Just a thought, but is the script using a full URL when moving the uploaded file? DreamHost recently disabled allow_url_fopen for security reasons, and that might be affecting the script. See this wiki entry for more details.

Simon Jessey
Keystone Websites | si-blog

#3

I found something interesting, move_uploaded_file() doesn’t work across separate partitions.
You should change it and see if you can get it to work by combining is_uploaded_file() and copy().

Something like:
if (is_uploaded_file($_FILES[‘data’][‘tmp_name’]))
{
if(copy($_FILES[‘data’][‘tmp_name’], $uploaddatafile))
{
echo “Data file is valid, and was successfully uploaded.\n”;
}
else
{
echo “Data file is valid, but could not be copied.\n”;
}
}
else
{
echo “Possible file upload attack!\n”;
}

#4

That is interesting, but unfortunately didn’t fix my issue. I have added some more forking to my code to see if I couldn’t isolate my problam, alas, it goes to the “uncaught exception” else:

// Move uploaded file
if (!move_uploaded_file($_FILES[‘data’][‘tmp_name’], $_SERVER[‘DOCUMENT_ROOT’] . ‘/destination/file.gif’))
{
// Move failed, try copy
if (!copy($_FILES[‘data’][‘tmp_name’], $_SERVER[‘DOCUMENT_ROOT’] . ‘/destination/file.gif’))
{
// Copy failed, see if the file is indeed uploaded
if (!is_uploaded_file($_FILES[‘data’][‘tmp_name’]))
{
die(“Error writing the image to the bank. Temp file '” . $_FILES[‘data’][‘tmp_name’] . “’ is not a file.”);
}

// Copy failed, see if the destination directory is writable
else if (!is_writable($_SERVER[‘DOCUMENT_ROOT’] . ‘/destination/))
{
die(“Error writing the image to the bank. The directory '” . $_SERVER[‘DOCUMENT_ROOT’] . "/destination/’ is not writable.");
}

// Copy failed, uncaught exception
else
{
die(“Error writing the image to the bank.”);
}
}
}

#5

I removed “Extra Web Security?” from my host configuration, but that didn’t make any difference.