http://qs1969.pair.com?node_id=130392


in reply to I need a simple web upload script.

Below is some code I wrote a while back for doing something similar, though not necessarily exactly the same. Below that is the HTML form, so you can see the enctype entry.

There are some issues with this code, such as the chance of files being overwritten, but this should give you a starting point.

This script also lets the uploader send an email. Of course, this could be abused, so some restrictions on this should probably be put in place.

Relevant thread: Security issues when allowing file upload via CGI.

My post-upload.cgi script:

#!/usr/bin/perl -- use CGI qw( :standard escapeHTML ); use strict; my $megabyte = 1024 * 1024; # bytes my $max_mb = 10; # max no. of MB we will allow $CGI::DISABLE_UPLOADS = 0; # CGI module variable for en/disabling uploads (non-zero to disable) $CGI::POST_MAX = $megabyte * $max_mb; # CGI module variable for maximum upload size (bytes) my $base_dir = "/var/www/site1/web/"; my $base_dom = "http://www.website.here/"; my $target_dir = "../uploads"; my $directory = $base_dir . $target_dir; my $sendmail = "/usr/bin/sendmail"; my @sendmail_opts = ( '-oi', '-t' ); $| = 1; my $query = new CGI; my @names = $query->param; my $url = $query->param("URL"); my $fh = $query->upload('upload_file'); my $filename = $query->param('name'); $filename =~ s/[^A-Za-z0-9\.\_]/_/g; open OUTF, "> $directory$filename" or die; binmode OUTF; while ( $bytesread = read $fh, $buffer, 1024 ) { print OUTF $buffer; } close OUTF; if ( !$file && $query->cgi_error ) { print $query->header( -status => $query->cgi_error ); exit 0; } open MAIL, "| $sendmail @sendmail_opts" or die "Can't fork sendmail: $ +!\n"; print MAIL "From: $0\n", "To: ", $query->param("TO"), "\n", "Subject: ", ( $query->param("SUBJECT") || "mailed form submission +" ), "\n\n"; for my $param ( @names ) { printf MAIL "%s: %s\n", $para, $query->param($param); } print MAIL "\n\nThe link to the uploaded file is $base_dom$target_dir$filenam +e . ", "It was renamed by the upload script, so you will need to rename i +t.\n"; close MAIL; print $query->redirect( -URL => $url );

My sample upload form (body only):

<form action="/cgi-bin/post-upload.cgi" method="post" enctype="multipa +rt/form-data"> <!-- hidden inputs --> <input name="TO" type="hidden" value="my.address@my.domain" /> <input name="URL" type="hidden" value="http://www.website.here/submiss +ion.done.htm" /> <input name="SUBJECT" type="hidden" value="From Your Upload Center on +Website" /> <!-- visible inputs --> File to send: <input name="upload_file" type="file" size="30" /><br> Your name: <input name="name" size="42" /><br> E-mail: <input name="Email" size="42" /><br> <input type="submit" value="SEND FILE" /> <input type="reset" value="CLEAR" /> </form>