Stamp_Guy has asked for the wisdom of the Perl Monks concerning the following question:

I have an upload script that is really bugging me. I can upload files up to 52k, but anything higher gives me an error. Any ideas what might be wrong? Here is my code: 

#!C:\perl\bin\perl.exe -w
$| = 1; 

use CGI qw(:standard); 
$cgi = new CGI; 
$path = "c:\\windows\\desktop";

print<<EOT;
<CENTER><TABLE width="766" border="0" cellspacing="0" cellpadding="0">
<TR><TD colspan="4"><b>The following files were uploaded:<BR>&nbsp;</b
+></TD></TR>
<TR bgcolor="black">
<TD>&nbsp;&nbsp;&nbsp;</TD>
<TD><FONT color="white"><B>FILE:</B></FONT></TD>
<TD><FONT color="white"><B>DETAILS:</B></FONT></TD>
<TD><FONT color="white"><B>STATUS:</B></FONT></TD>
</TR>
EOT

# Get the form data 
$file1 = $cgi->param('file1'); 
$file2 = $cgi->param('file2');
$file3 = $cgi->param('file3');
$file4 = $cgi->param('file4');
$file5 = $cgi->param('file5');
$file6 = $cgi->param('file6');
$file7 = $cgi->param('file7');
$file8 = $cgi->param('file8');
$file9 = $cgi->param('file9');
$file10 = $cgi->param('file10');
$file11 = $cgi->param('THUMBNAIL_PHOTO');
$file12 = $cgi->param('LARGE_PHOTO');
$file13 = $cgi->param('FLYER_URL');

#directory you want to upload to 
$dir = "c:/windows/desktop"; 

push @files, ($file1,$file2,$file3,$file4,$file5,$file6,$file7,$file8,
+$file9,$file10,$file11,$file12,$file13);

foreach $file (@files) {
if ($file ne "") {
    $name=$file;
    $name =~ s/.:\\.*\\//;
    if (-e "c:\\windows\\desktop\\$name") {
    $file =~ s/.:\\.*\\//;
    $file = uc($file);
    print<<EOT;
    <TR>
    <TD>&nbsp;</TD>
    <TD valign="top">
    <B><FONT color=#000080>$file</FONT></B> 
    </TD><TD></TD><TD>
    <B><FONT color="red">UPLOAD FAILED!*</FONT></B><P>
    </TD></TR>

EOT
    $failed = "1";
    open (LOGFILE, ">>c:\\windows\\desktop\\logfile.html") || die "Can
+'t open log file";
    $name = uc($name);
    print LOGFILE "<TR><TD colspan=5><CENTER><b>$name <font color=red>
+UPLOAD FAILED</b></font><CENTER></TD></TR>";
    close(LOGFILE);

    }
else {
#file_type not necessary but can be useful info 
#if your wanting to limit uploads to a certain 
#type of file 
$file_type = $cgi->uploadInfo($file)->{'Content-Type'}; 

#directory you want to upload to 
$dir = "c:/windows/desktop"; 

$file=~m/^.*(\\|\/)(.*)/; # strip the remote path and keep the filenam
+e 
$name = $2; 

#My understanding gets real iffy from here on in 
#however it does work in the exact format below 
open(LOCAL, ">$dir/$name") or die $!; #open file 
undef $bytesread; 
undef $buffer; 

# binmode is only necessary on win32 servers but 
#it won't hurt with unix so might as well leave it 
binmode LOCAL; 
while ($bytes = read($file,$buffer,1024)) { 
$bytesread += $bytes; 
print LOCAL $buffer; 
} 
close($file); 
close(LOCAL); 
chmod(0666,"$dir\/$name"); 

#$bytesread holds the value of the size of the 
#file in bytes. Useful if you want to restrict 
#size of uploaded files 
$file =~ s/.:\\.*\\//;
$file = uc($file);
print "<TR><TD>&nbsp;&nbsp;&nbsp;</TD><TD><font color=#000080><b>$file
+</b></font></b></TD><TD><b> ($file_type, $bytesread bytes)</b></TD><T
+D><B>Successfully Uploaded</B></TD></TR>\n"; 

($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time
+);
$min=sprintf("%02d", $min);
$sec=sprintf("%02d", $sec);
}
}
}
if ($failed eq "1") {
print "<TR><TD colspan=5>* A file with the same name already exists.  
+Please rename the file and try again.</TD></TR>";
}
print<<EOT;
</TABLE></CENTER>
EOT
}

[download]

Replies are listed 'Best First'.
(Ovid) Re: 52K maximum file upload?
by Ovid (Cardinal) on Nov 29, 2000 at 05:31 UTC
    chromatic pointed out the max upload situation with CGI.pm, but I wanted to point out something different: you can have multiple values for a name.

    For instance, imaging you have two checkboxes, both named "color". One is for "red" and the other is for "blue" and you have both checked when you submit the form. CGI.pm will correctly read them both. You would use the following to retrieve both values: 

    my @colors = $cgi->param( 'color' ); # Note the array

    [download]
    In your snippet above, name all of the files "file" and you can use this to populate your files array: 
    @files = cgi->param( 'file' );

    [download]
    Since you're already pushing your filehandles into @files, you won't have any changes to your logic, but you'll have reduced 14 lines of code to 1. Much easier to maintain and extend that way.

    And the obligatory: you forgot to use strict or taint checking.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

[reply]
[d/l]
[select]
      Thanks for that suggestion. I didn't realize that shortcut would work. I added a line that says: $CGI::POST_MAX=1024 * 5000; but it doesn't work. Any ideas?
[reply]
[d/l]
        Looking through your code, I can't see any obvious reason why this would be a problem. Could it be a limitation of your Web server? Another thing to check could be to use Data::Dumper to examine the contents of the CGI object to see if everything is getting through. 
        use Data::Dumper;
print $cgi->pre( Dumper( $cgi ) );

        [download]
        That will get you looking at the inside of the CGI object and it's a pretty hairy thing. Once you've verified that all of your filehandles are in there, you could possibly narrow things down. It's not for the faint of heart, though.

        In the meantime, you might want to look at a rather significant security hole you have in your script: 

        $file=~m/^.*(\\|\/)(.*)/; # strip the remote path and keep the filenam
+e 
$name = $2; 

open(LOCAL, ">$dir/$name") or die $!; #open file

        [download]
        See that little dot star at the end of your regex? I specify the right filename and you're toast. I could use that for reverse directory traversal and append a pipe to the end of the filename to cause it to be executed instead of opened. Got any programs on your system that you don't want a cracker to run?

        Another problem with it is that there is no test for failure. If it does not match, $2 may have a value from a previous match. Since you're iterating over this, it's a BAD THING. Try the following regex. It assumes that only letters, numbers, and underscores are in your filename, plus the possibility of one extension delimited by one period. 

        ( $name ) = ( $file =~ /(\w+(?:\.\w+)?)$/ ); # Note the $ which anchor
+s to the end of string

        [download]

        As a style issue, you may want to rewrite the following: 

        ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time
+);

        [download]
        Since you are only using the minutes and seconds from this, you can rewrite it as: 
        my ( $sec, $min ) = (localtime( time ) )[0,1];

        [download]
        Last note: I was really trying to avoid touting my CGI course again (too much blowing my own horn is not a good thing), but I really thing you could benefit from my lesson on security. It's free and all you can eat.

        Cheers,
        Ovid

        Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

[reply]
[d/l]
[select]
Re: 52K maximum file upload?
by chromatic (Archbishop) on Nov 29, 2000 at 05:21 UTC
    Have a look at the CGI documentation, specifically $CGI::POST_MAX.

    This variable sets a threshold on the maximum size of a POST request. I believe the limit there is for all of the files you send in a single request, not each file.

[reply]
Re: 52K maximum file upload?
by chipmunk (Parson) on Nov 29, 2000 at 07:42 UTC
    Could you tell us what error message you get? That might help us figure out how to fix the problem.
[reply]
      It says that the server can't be found.
[reply]

Back to Seekers of Perl Wisdom