Hi, I am pretty stumped. I am saving a JPG from a flash movie. I am sending it to the following code which is in its own directory.

    <?php
    if (isset($GLOBALS["HTTP_RAW_POST_DATA"]))
    {
        // get bytearray
        $jpg = $GLOBALS["HTTP_RAW_POST_DATA"];
        $file_name = '/sites/default/files/tmp/' + $_GET['name'];

        // hahaha

        $handle = fopen($file_name, "wb");
        fwrite($handle, $jpg);
        fclose($handle);

        // add headers for download dialog-box
        header('Content-Type: image/jpeg');
        header("Content-Disposition: attachment; filename=".$_GET['name']);
        echo $jpg;
    }
    ?>

When it kicks the image back to the user for them to save, the file name works, but not when I save it on the server. It just shows up as '0', but is a JPG that can be viewed.

The only way I can get it to save is try and write it to the TMP directory, and it shows up in the directory of the script.

Where should I start reading to understand what is happening?

Thanks
JM

Comments

socceronly’s picture

Hmmmm.

Well I removed the path part of the file name and just left it as $_GET['name']

And it seems to save them into the directory with the script with the file name provided by flash.

I am guessing this needs some more 'stuff' in it like authenticating users or something.

Otherwise people could fill the hard drive with pictures... I think.

dman’s picture

It's almost entirely unclear what you are up to (needs more context)
BUT

    $file_name = '/sites/default/files/tmp/' + $_GET['name'];

... lose the first '/'

You are telling PHP to save relative to the root of the filesystem, you really mean relative to the root of Drupal or the webroot.

If you were using Drupal, I'd say to use API like file_create_path() which covers a bunch of exploits/problems you are opening up here... like hoopy filenames submitted by anyone.

socceronly’s picture

Well I encode a JPG in flash and send it to this script, this script saves the file.

I guess I will dig into Drupal file handling and see if I can make it safer.

The goal is to have the user make a diagram in flash and save it as a JPG on the server.

I was then going to take the file name and create a node and move the jpg to the appropriate directory.

At least that is the plan. Perhaps in PHP/Drupal terms it is insane.....

I will try and remove the first '/' and see if I can put it where I want it.

Thanks!
JM

dman’s picture

Sounds cool, and honestly it would be several times harder to work through the way to do just this in Drupal ;-)
... unless in the context of a full Drupal module with a bit of experience.

It's just I see some easy ways to hack at the code by inspecting what you've done and place any file whatsoever on your server ;-)
Lotsa Gotchas unless you layer in authentication etc.
Still, keep going.

mooffie’s picture

$file_name = '/sites/default/files/tmp/' + $_GET['name'];
[...]
It just shows up as '0'

Besides the bugs ".dan." pointed out in that line of code, there's another one: you can't use "+" to concatenate PHP strings. Use "." instead. You have an arithmetic plus there that results in '0' assigned to $file_name.

Sounds cool, and [...]

(BTW, the <canvas> element too can export itself to bitmap.)

socceronly’s picture

Hahah!! I used '+'

Learning too many different languages at once!

I started reading Pro Drupal Dev 2nd edition. I think this is going to be super helpful, but it will take a while before I get up to speed.

I will try making the code more secure by validating it is a JPG etc... and hopefully learning more about how to 'drupalize' it.

I do not need to make nodes yet, because this will just be for people to link to and use in other forums. It will send back the picture they can save themselves and use in their own blog and a link if they just want to link to it.

Thanks for the input. I hope I can learn a bit more and post something more coherent later.
JM
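
A hardened variant of the save script discussed in this thread, as an added example that is not code from any of the posters: it uses "." for concatenation, strips any path from the submitted name, forces a .jpg/.jpeg extension, checks that the body parses as a JPEG, and refuses to overwrite existing files. The `SAVE_DIR` location (assumed to exist already), the `MAX_BYTES` cap, the name pattern and the function names are assumptions; the authentication the thread also calls for is not shown.

```php
<?php
// Added example. Assumed values: SAVE_DIR, MAX_BYTES and the file name pattern.
const SAVE_DIR  = __DIR__ . '/sites/default/files/tmp'; // relative to the script, not "/"
const MAX_BYTES = 2097152;                              // 2 MiB cap (assumed limit)

// Return a safe file name, or null when the submitted one is rejected.
function safe_jpg_name(string $name): ?string
{
    // basename() drops any directory part, so "../../x.jpg" becomes "x.jpg".
    $base = basename(str_replace('\\', '/', $name));
    // Allow-list of characters plus a mandatory .jpg/.jpeg extension.
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.jpe?g$/i', $base) === 1 ? $base : null;
}

// True only when the bytes fit the cap and parse as a JPEG image.
function is_jpeg(string $bytes): bool
{
    if ($bytes === '' || strlen($bytes) > MAX_BYTES) {
        return false;
    }
    $info = @getimagesizefromstring($bytes);
    return $info !== false && $info[2] === IMAGETYPE_JPEG;
}

// Validate and store the upload; returns the HTTP status to send.
function save_upload(?string $name, string $bytes): int
{
    if ($name === null || !is_jpeg($bytes)) {
        return 400;
    }
    // "." concatenates strings in PHP; mode "xb" refuses to overwrite an existing file.
    $handle = @fopen(SAVE_DIR . '/' . $name, 'xb');
    if ($handle === false) {
        return 409;
    }
    fwrite($handle, $bytes);
    fclose($handle);
    return 200;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name = is_string($_GET['name'] ?? null) ? safe_jpg_name($_GET['name']) : null;
    // php://input replaces HTTP_RAW_POST_DATA; one byte past the cap reveals oversize bodies.
    $jpg = (string) file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
    http_response_code($status = save_upload($name, $jpg));
    if ($status === 200) {
        header('Content-Type: image/jpeg');
        header('Content-Disposition: attachment; filename="' . $name . '"');
        echo $jpg;
    }
}
```

Because the validated name can only contain letters, digits, "_", "-" and the extension, it is also safe to place inside the quoted `Content-Disposition` value.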