See below...

Joshua Eichorn wrote:

> The php upload directory is set by the php3.ini file. This file is
> located /usr/local/bin/php/ and is set up by the administrator of the
> webserver.
> The upload directory can't be changed in the script because it's a
> security risk.
>
> Unless your system is set up weird nobody should be able to write to
> /var/tmp.

Do you mean that userid "nobody" should be able to write to /var/tmp, or
that no-body can write to it?

> http://www.php.net/manual/en/features.file-upload.php
> Read through the above url to see how to handle file uploads using forms.
> If you're still having problems give me an email and I can write you an
> example script.
> -joshua eichorn

I looked at the page. Here's the code I used:

================================================
if ($REQUEST_METHOD == "POST") {
    $form = $HTTP_POST_VARS;

    // the following lines, down to the assignment to REQUEST_METHOD, are
    // taken directly from the referenced web page. I changed the variable
    // names where needed.

    // Userland test for uploaded file.
    function is_uploaded_file($filename) {
        if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
            $tmp_file = dirname(tempnam('', ''));
        }
        $tmp_file .= '/' . basename($filename);
        /* User might have trailing slash in php.ini... */
        return (ereg_replace('/+', '/', $tmp_file) == $filename);
    }

    if (is_uploaded_file($reply_file)) {
        copy($reply_file, "replies");
        echo "Got it!";
    } else
        echo "Possible file upload attack: filename '$reply_file'.";
    . . .
    $REQUEST_METHOD = "GET";
}

if ($REQUEST_METHOD == "POST") {
    . . .
    $foot .= "
";
    $foot .= "\n";
    $foot .= " \n";
    $foot .= " \n";
    $foot .= " ";
    . . . lots of stuff skipped, but the table and form logic works fine . . .
    echo $foot;
}
================================================

When the script is run, a file name is selected and entered, and then
the SUBMIT button is clicked, what the POST code above displays is:

    Possible file upload attack: filename '..tempfile.name..'.

It's just gone!

-David
Include this file:
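Separately from the messages above, an added example that is not code from either poster or from the PHP manual page they cite: the same upload check written with the built-in is_uploaded_file() and move_uploaded_file() functions and the $_FILES array found in later PHP releases. It assumes PHP 7 or later, a form field named "reply_file" (taken from the $reply_file variable in the script above) and a writable "replies" directory; store_upload() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumes the form field is named
// "reply_file" and that uploads are kept in a "replies" directory.

/**
 * Validate one $_FILES entry and move it into $destDir.
 * Returns the stored path; throws RuntimeException on any failure.
 */
function store_upload(array $file, string $destDir): string
{
    // PHP reports upload problems (size limit, partial upload, missing
    // temp dir, ...) in the 'error' field; anything but OK means no file.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code '
            . var_export($file['error'] ?? null, true));
    }

    // Built-in check: true only if PHP itself received this temp file
    // in the current request via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file: ' . $file['tmp_name']);
    }

    // Never trust the client-supplied name: drop any path component and
    // restrict the character set before using it on disk.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    if ($name === '' || $name[0] === '.') {
        throw new RuntimeException('Unusable file name');
    }

    $target = rtrim($destDir, '/') . '/' . $name;
    // move_uploaded_file() repeats the is_uploaded_file() check and must
    // run before the request ends, when PHP deletes the temp file.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move upload to ' . $target);
    }
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['reply_file'])) {
    try {
        echo 'Got it! Stored as ' . htmlspecialchars(store_upload($_FILES['reply_file'], 'replies'));
    } catch (RuntimeException $e) {
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The 'error' code in the $_FILES entry separates a failed upload (size limit, missing temporary directory) from a path that did not come from an upload, two cases the userland path comparison reports with the same message.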