Newgrounds.com — Everything, By Everyone.

I have this script on my site for uploading files, and I cant seem to get renaming it right. This is the code I have, can someone tell me what im doing wrong?

<?php
if (!empty($_FILES)) {
	$random_digit = rand(000000000,999999999);
	
	$tempFile = $random_digit . $_FILES['Filedata']['tmp_name'];
	$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_GET['folder'] . '/';
	
	//change the file name now.
	
	$targetFile =  str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
	
	// Uncomment the following line if you want to make the directory if it doesn't exist
	// mkdir(str_replace('//','/',$targetPath), 0755, true);
	
	$ourfile = $_GET['folder'] . '/' . $_FILES['Filedata']['name'];
	
	move_uploaded_file($tempFile,$targetFile);
	include('../includes/dbconfig.php');
	$username = $_GET['uname'];
	
	$use = mysql_query("SELECT * FROM login WHERE username = '$username' LIMIT 1")or die("Tpc:  ".mysql_error());
    $them = mysql_fetch_array($use);
	
	$uid = $them['uid'];
	
	mysql_query("INSERT INTO photos (url, uid, edit) VALUES ('$ourfile','$uid', 'no')") or die(mysql_error());
}
echo "1";
?>

Let's see, homemade magic quotes fix, sql injection vulnerabilities, no limits on where or what to upload, and I don't recall seeing any limit on the file size either. And this is not even what you asked for help on.

Your fail is that you are not passing the tmp_name element intact to move_uploaded_file. You are not allowed to modify it, treat it like an opaque token that you use to differentiate from different uploaded files.

first off all the file security measures are taken care of by javascript before the info is sent to this script, the querries are secured by a function held in my database config file, all i need is a way to fix this.

At 6/13/09 05:20 PM, Fallin-Again wrote: first off all the file security measures are taken care of by javascript

Right... that has a strong reputation of being secure.

before the info is sent to this script, the querries are secured by a function held in my database config file

No, they are plain not. that's an outright lie.

all i need is a way to fix this.

I told you the issue in the first post, stop messing around with the temporary file name, it has to be left intact.

At 6/13/09 05:20 PM, Fallin-Again wrote: first off all the file security measures are taken care of by javascript before the info is sent to this script

I literally laughed out loud at this.

At 6/13/09 07:15 PM, Wonderful wrote:

At 6/13/09 05:20 PM, Fallin-Again wrote: first off all the file security measures are taken care of by javascript before the info is sent to this script

I literally laughed out loud at this.

Same here. I usually chuckle inwardly, but this one made me laugh out loud. Bookmarked, screenshotted.

At 6/13/09 07:15 PM, Wonderful wrote:

At 6/13/09 05:20 PM, Fallin-Again wrote: first off all the file security measures are taken care of by javascript before the info is sent to this script

I literally laughed out loud at this.

I totally did too; and then I turned my Javascript back on.

At 6/13/09 05:20 PM, Fallin-Again wrote: first off all the file security measures are taken care of by javascript before the info is sent to this script, the querries are secured by a function held in my database config file, all i need is a way to fix this.

NEVER NEVER NEVER NEVER EVER use javascript for security. All security should be done server site. Javascript can be turned off, or the user can write their own page. Never leave something so important to a facet that you don't have full control over. Javascript filters exist to lighten the load on the server and for the user's convenience, not as primary defense.

At 6/13/09 07:15 PM, Wonderful wrote:

At 6/13/09 05:20 PM, Fallin-Again wrote:

I literally laughed out loud at this.

I didn't. Sadly, I've seen 'professionals' do this very thing. I had a real fun time a few months ago finishing a project some bonehead dropped that looked exactly like the mess Fallin-Again has written, right down to the lack of server site filters and all.