Home/ Questions/Q 1082131
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T22:15:28+00:00

I am trying to upload files using php, and it works perfectly up until

  • 0

I am trying to upload files using php, and it works perfectly up until 1Mb, I already checked the forum and saw that the common thing missing was to edit this values on php.ini (I am using WAMP):

post_max_size = 8G upload_max_filesize
= 2G

as you can see I already changed them up to Gigabytes and still it isn’t working, what happens is that I click on upload and it goes to my upload.php file and just hangs in there writing nothing into the DB.

I had this in my HTML but I commented it already:

<!--input type="hidden" name="MAX_FILE_SIZE" value="20000000000" /-->

my upload php is:

<?php
include("mysql.class.php");
$mysql = new MySQL();
$tbl_name="documento";
session_start();

if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0){
    $fileName = $_FILES['userfile']['name'];
    $tmpName  = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $fp      = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);
    $myusername=$_SESSION['myusername'];
    if(!get_magic_quotes_gpc()){
        $fileName = addslashes($fileName);
    }

    $query = "INSERT INTO $tbl_name (name, size, type, archivo,user_username ) ".
    "VALUES ('$fileName', '$fileSize', '$fileType', '$content','$myusername')";

    mysql_query($query) or die('Error, query failed'); 


    echo "<br>File $fileName uploaded<br>";
    header("location:admin.php");
} 
?>

What am I missing here? Also, when I upload images (since 180kbs) and I download them to check they uploaded correctly I am not able to see the image however documents have no problem.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    $fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

    You’re escaping the contents of the file. That will mostly be the cause that image doesn’t get displayed. Escaping should take place when you’re about to send data to remote targets (use htmlentities() for sending ‘text’ to the browser, use mysql_real_escape_string for sending data to the MySQL database). You should take a look in the PHP manual, how to correctly implement file uploading.

    When uploading a file to PHP, follow these rules:

    1. Check whether a file is uploaded or not: isset($_FILES['userfile'])
    2. Check whether the file upload was successful ($_FILES['userfile']['error'] === 0). If not, display a corresponding error message. See this page for possible errors.
    3. Check the file size (maximum size): $_FILES['userfile']['size'] < 102400 (limits the file size to 100 kB)
      (optionally check whether the file is empty or not, this depends on your application)
    4. If you’re going to use the file name, sanitize it, by stripping out forbidden characters: $sanitizedFileName = preg_replace('#[^a-z0-9_-]#i', '', $_FILES['userfile']['name']);

    5. Check the extension on the sanitized name, whether it’s allowed or not:

      $allowedExtensions = array('png', 'jpg', 'jpeg', 'txt', 'gif');
$dotPos = strrchr($_FILES['userfile']['name'], '.');
$ext = '';
// Both FALSE and 0 will not match, I consider 'htaccess' in '.htaccess' not as an extension
if($dotPos){
   // we are not interested whether the extension is in uppercase or lowercase
   $ext = strtolower(substr($_FILES['userfile']['name'], $dotPos));
}
if(!in_array($ext, $allowedExtensions)){
   echo 'Extension not allowed';
}
else{
   // continue with uploading
}

    6. Optionally, use image functions to verify an image, and limit the dimension (width x height) with getimagesize().

    7. Use move_uploaded_file($_FILES['userfile'], "$targetDir/$sanitizedFileName") or store the contents (file_get_contents($_FILES['userfile']['tmp_name'])) in the database.
      When storing in the database, do not forget to escape your data.
    • 0