Trouble uploading files in PHP

Question

I am trying to upload files using php, and it works perfectly up until 1Mb, I already checked the forum and saw that the common thing missing was to edit this values on php.ini (I am using WAMP):

post_max_size = 8G upload_max_filesize = 2G

as you can see I already changed them up to Gigabytes and still it isn't working, what happens is that I click on upload and it goes to my upload.php file and just hangs in there writing nothing into the DB.

I had this in my HTML but I commented it already:

<!--input type="hidden" name="MAX_FILE_SIZE" value="20000000000" /-->

my upload php is:

<?php
include("mysql.class.php");
$mysql = new MySQL();
$tbl_name="documento";
session_start();

if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0){
    $fileName = $_FILES['userfile']['name'];
    $tmpName  = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $fp      = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);
    $myusername=$_SESSION['myusername'];
    if(!get_magic_quotes_gpc()){
        $fileName = addslashes($fileName);
    }

    $query = "INSERT INTO $tbl_name (name, size, type, archivo,user_username ) ".
    "VALUES ('$fileName', '$fileSize', '$fileType', '$content','$myusername')";

    mysql_query($query) or die('Error, query failed'); 


    echo "<br>File $fileName uploaded<br>";
    header("location:admin.php");
} 
?>

What am I missing here? Also, when I upload images (since 180kbs) and I download them to check they uploaded correctly I am not able to see the image however documents have no problem.

Answer 1

$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);

You're escaping the contents of the file. That will mostly be the cause that image doesn't get displayed. Escaping should take place when you're about to send data to remote targets (use htmlentities() for sending 'text' to the browser, use mysql_real_escape_string for sending data to the MySQL database). You should take a look in the PHP manual, how to correctly implement file uploading.

When uploading a file to PHP, follow these rules:

1. Check whether a file is uploaded or not: isset($_FILES['userfile'])
2. Check whether the file upload was successful ($_FILES['userfile']['error'] === 0). If not, display a corresponding error message. See this page for possible errors.
3. Check the file size (maximum size): $_FILES['userfile']['size'] < 102400 (limits the file size to 100 kB) (optionally check whether the file is empty or not, this depends on your application)
4. If you're going to use the file name, sanitize it, by stripping out forbidden characters: $sanitizedFileName = preg_replace('#[^a-z0-9_-]#i', '', $_FILES['userfile']['name']);

5. Check the extension on the sanitized name, whether it's allowed or not:

   $allowedExtensions = array('png', 'jpg', 'jpeg', 'txt', 'gif');
   $dotPos = strrchr($_FILES['userfile']['name'], '.');
   $ext = '';
   // Both FALSE and 0 will not match, I consider 'htaccess' in '.htaccess' not as an extension
   if($dotPos){
      // we are not interested whether the extension is in uppercase or lowercase
      $ext = strtolower(substr($_FILES['userfile']['name'], $dotPos));
   }
   if(!in_array($ext, $allowedExtensions)){
      echo 'Extension not allowed';
   }
   else{
      // continue with uploading
   }
   

6. Optionally, use image functions to verify an image, and limit the dimension (width x height) with getimagesize().

7. Use move_uploaded_file($_FILES['userfile'], "$targetDir/$sanitizedFileName") or store the contents (file_get_contents($_FILES['userfile']['tmp_name'])) in the database. When storing in the database, do not forget to escape your data.

Answer 2

My guess would be that it has something to do with your addslashes($content) statement. As lekensteyn said, this could cause binary data (such as in an image) to be corrupted. Instead of using addslashes(), take a look at PHP's mysql_real_escape_string() function.

Additionally, I don't think its considered best practice, in most cases, to store data such as file uploads in a database. You should consider saving the file on the disk and just store its filename in the database. Storing files up to 2GB in your database would create a needless burden for your MySQL server.