PHP File Copy() Not working on IIS 6

Question

I have the following code that attempts to take a users form input of a file, and upload it to the webserver.

This code does work on a Apache server, however I'm now trying to get the same code working on my Windows IIS 6 web server, which has PHP (Version 5.2.3) installed and working. I have set the PHP.INI file so that

file_uploads = On

upload_tmp_dir = "C:\Temp"

My form is

<form method="POST" action="do_upload.php" enctype="multipart/form-data">
    <input type="file" name="img1" size="30">
    <input type="submit" name="BtnUpload" value="Click To Upload Now">
</form>

My PHP code to do the upload is

$abpath = "C:\MyWebs\Website1\httdocs\images";

@copy($img1, "$abpath/$img1_name") or $log .= "Couldn't copy image 1 to server";

if (file_exists("$abpath/$img1_name")) 
{
  $log .= "File 1 was uploaded";
}
else 
{
  $log .= "File 1 is not an image";
}

For some reason when I check the value of $img1 e.g echo $img1; it is empty. Therefore I tried to get the file using $_FILES['img1']['name']. This worked fine, but still I couldn't upload any files

Any ideas why this is happening.

Answer 1

Your code should be:

move_uploaded_file($_FILES['img1']['tmp_name'], "$abpath/$img1_name");

Don't copy() uploaded files. There are a few edge cases where an uploaded file can be tampered with, which is why move_uploaded_file() exists - it checks for those particular types of tampering.

As well, be VERY careful with how you create your filenames when processing the upload. If you directly use ANYTHING provided in $_FILES as part of the destination path/name for the file, you are opening bad security holes on your server, and a malicious user can exploit that to scribble a file anywhere they want on your server.