PHP Error - Uploading a file

Question

I'm trying to write some PHP to upload a file to a folder on my webserver. Here's what I have:

<?php
    if ( !empty($_FILES['file']['tmp_name']) ) {
        move_uploaded_file($_FILES['file']['tmp_name'], './' . $_FILES['file']['name']);
        header('Location: http://www.mywebsite.com/dump/');
        exit;
    }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
    <head>
        <title>Dump Upload</title>
    </head>
    <body>
        <h1>Upload a File</h1>
        <form action="upload.php" enctype="multipart/form-data" method="post">
            <input type="hidden" name="MAX_FILE_SIZE" value="1000000000" />
            Select the File:<br /><input type="file" name="file" /><br />
            <input type="submit" value="Upload" />
        </form>
    </body>
</html>

I'm getting these errors:

Warning: move_uploaded_file(./test.txt) [function.move-uploaded-file]: failed to open stream: Permission denied in E:\inetpub\vhosts\mywebsite.com\httpdocs\dump\upload.php on line 3

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move 'C:\WINDOWS\Temp\phpA30E.tmp' to './test.txt' in E:\inetpub\vhosts\mywebsite.com\httpdocs\dump\upload.php on line 3

Warning: Cannot modify header information - headers already sent by (output started at E:\inetpub\vhosts\mywebsite.com\httpdocs\dump\upload.php:3) in E:\inetpub\vhosts\mywebsite.com\httpdocs\dump\upload.php on line 4

PHP version 4.4.7 Running IIS on a Windows box. This particular file/folder has 777 permissions.

Any ideas?

Answer 1

OMG

move_uploaded_file($_FILES['file']['tmp_name'], './' . $_FILES['file']['name']);

Don't do that. $_FILES['file']['name'] could be ../../../../boot.ini or any number of bad things. You should never trust this name. You should rename the file something else and associate the original name with your random name. At a minimum use basename($_FILES['file']['name']).