
Temporary link Download

Posted: Mon Aug 26, 2013 12:21 pm
by Ehrmantraut
Hi Folks,

I am wondering how I would set a default period for a file to expire? At the moment you enter the number of minutes you want the file to be active, and after that set time the file expires. But, I want to add some functionality so that, by default, the file will expire after 10 minutes, say. Any help would be much appreciated. I've got an idea of how to do it. I'm just not sure about the coding of it.



File Name: upload.php
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Upload a File</title>
    </head>
     
    <body>
     
    <?php
    
    include('core/inc/init.inc.php');
    
    if (isset($_POST['expiry'], $_FILES['file'])){
    
            $file_name = mysql_real_escape_string($_FILES['file']['name']);
            $expiry = time() + ((int)$_POST['expiry']*60);
           
            mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}', {$expiry})");
            //die(mysql_error());
           
            move_uploaded_file($_FILES['file']['tmp_name'], "core/files/{$_FILES['file']['name']}");
            
            
            echo "<p>". $_FILES['file']['name'] ." has been successfully uploaded.<p>";
    }
    ?>
    <div>
            <form action="" method="post" enctype="multipart/form-data">
                    <p>
                            <input type="text" name="expiry" />
                    </p>
                    
                    <p>
                            <input type="file" name="file" />
                    </p>
                    
                    <p>
                           <input type="submit" value="upload" />
                    </p>
            </form>
    </div>
     
    </body>
    </html>


File Name: file_list.php
<?php

include('core/inc/init.inc.php');

$files = mysql_query("SELECT file_id, file_name, file_expiry FROM files");

?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>File List</title>
</head>
<style type="text/css">
table { border-collapse:collapse; width:600px; }
td, th {border: solid 1px #999; padding: 4px;}
</style>
<body>
<table>
<tr>

<th>File Name</th>
<th>Expiry</th>

</tr>

<?php

while(($row = mysql_fetch_assoc($files))!==false ){
?>
<tr>

<td><a href="download.php?file_id=<?php echo $row['file_id'] ?>"><?php echo $row['file_name']; ?></a></td>
<td><?php  echo date('d/m/Y H:i:s', $row['file_expiry']); ?> </td>

</tr>

<?php
}
?>
</table>
</body>
</html>


File Name: download.php
<?php

include('core/inc/init.inc.php');

if (isset($_GET['file_id'])){
	$file_id = (int)$_GET['file_id'];
	
	
	$files = mysql_query("SELECT file_name, file_expiry FROM files WHERE file_id={$file_id}");
	
	if (mysql_num_rows($files) !=1){
	
		echo "Invalid File ID";
	}else{
	
		$row = mysql_fetch_assoc($files);
		
		if($row['file_expiry'] < time())
		{
			echo "This file has expired";
		}
		else 
		{
			$path = "core/files/{$row['file_name']}";
			header("Content-Type: application/octet-stream");
			header('Content-Description: File Transfer');
			header("Content-Disposition: attachment; filename=\"{$row['file_name']}\"");
			header("Content-Length: ". filesize($path));
			readfile($path);
		}
	}
}
?>

Re: Temporary link Download

Posted: Mon Aug 26, 2013 1:33 pm
by ScTech
You would just check if they left it blank. However, you need more validation for what you're doing because you aren't checking that what they're entering is actually a number. To accomplish what you're trying to do, first make sure that if they enter something that it's a number so it won't cause issues. You can use ctype_digit() to make sure what a user enters is a number (without decimals). After you validate that, you can check if the field is empty, at which point you would insert your default time of 10. You can do this like:
<?php
if(empty($_POST['expiry'])) {
  $expiry = time() + (10 * 60);
} else {
  if(!ctype_digit($_POST['expiry'])) {
    // Throw an error
  } else {
    $expiry = time() + ($_POST['expiry'] * 60);
  }
}
?>
EDIT: You have an XSS vulnerability when echoing the file name in file_list.php and upload.php. Put htmlentities around the file name to avoid it.

Re: Temporary link Download

Posted: Mon Aug 26, 2013 2:27 pm
by Ehrmantraut
ScTech wrote:You would just check if they left it blank. However, you need more validation for what you're doing because you aren't checking that what they're entering is actually a number. To accomplish what you're trying to do, first make sure that if they enter something that it's a number so it won't cause issues. You can use ctype_digit() to make sure what a user enters is a number (without decimals). After you validate that, you can check if the field is empty, at which point you would insert your default time of 10. You can do this like:
<?php
if(empty($_POST['expiry'])) {
  $expiry = time() + (10 * 60);
} else {
  if(!ctype_digit($_POST['expiry'])) {
    // Throw an error
  } else {
    $expiry = time() + ($_POST['expiry'] * 60);
  }
}
?>
EDIT: You have an XSS vulnerability when echoing the file name in file_list.php and upload.php. Put htmlentities around the file name to avoid it.

Re: Temporary link Download

Posted: Mon Aug 26, 2013 6:29 pm
by Temor
Well, htmlentities is just a function like all the others.
       echo "<p>". $_FILES['file']['name'] ." has been successfully uploaded.<p>";
       echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
It turns any and all HTML characters into their entities, so it won't cause any interference with your code.


And the code ScTech posted, you should be able to figure out on your own where to place it if you understand the code.

This
 if (isset($_POST['expiry'], $_FILES['file'])){
   
            $file_name = mysql_real_escape_string($_FILES['file']['name']);
            $expiry = time() + ((int)$_POST['expiry']*60);
           
+ this
<?php
if(empty($_POST['expiry'])) {
  $expiry = time() + (10 * 60);
} else {
  if(!ctype_digit($_POST['expiry'])) {
    // Throw an error
  } else {
    $expiry = time() + ($_POST['expiry'] * 60);
  }
}
?>

= this
 if (isset($_POST['expiry'], $_FILES['file'])){
   
            $file_name = mysql_real_escape_string($_FILES['file']['name']);

         if(empty($_POST['expiry'])) { // Checks to see if $_POST['expiry'] is empty.
				$expiry = time() + (10 * 60); // Is empty. Set expiry time to 10 minutes ( 10 * 60 seconds ).
			} else { // Is not empty.
				if(!ctype_digit($_POST['expiry'])) { // Check if value is actually an Integer.
					// Value is not an integer. Throw an error.
			} else { // Value is an integer.
				$expiry = time() + ($_POST['expiry'] * 60); // User sets the expiry time.
			}
		}
           

/Edit; The spacing went all wacky in the code examples I posted. Put them in Notepad++ or equivalent and it will be easier to read.

Re: Temporary link Download

Posted: Mon Aug 26, 2013 6:40 pm
by ScTech
Beat me to it Temor :) I should also mention that you should look into checking file extensions and only allow a few. Any files that can execute code like .php, .html, .py, .js etc. you should filter out because they can potentially break into your file system, or worse. To make it more simple because there are a lot of files you shouldn't allow, you should make a whitelist of file extensions that you do allow.
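
One way to apply the whitelist suggested above together with the htmlentities advice from earlier in the thread, as an added example that is not code from any poster. `plan_upload()`, `list_row()`, the generated stored name and the sample file names are assumptions made for illustration; the extension list is the one Ehrmantraut posts later in the thread, and `pathinfo()` is used in place of `end(explode())`.

```php
<?php
// Added example, not code from the thread. plan_upload(), list_row() and the
// stored-name scheme are assumptions for illustration; sample names are constructed.

$allowed_ext = array('mp3', 'doc', 'txt', 'jpg', 'jpeg', 'gif', 'png');

/**
 * Decide whether an uploaded file is accepted and under which name it is stored.
 * The client-supplied name is kept only for display; the name on disk is generated.
 */
function plan_upload(string $clientName, array $allowedExt): array
{
    // Drop any directory part the client sent (both slash styles).
    $display = basename(str_replace('\\', '/', $clientName));
    $ext     = strtolower(pathinfo($display, PATHINFO_EXTENSION));

    // Strict comparison against the whitelist; a missing extension is refused too.
    if ($display === '' || !in_array($ext, $allowedExt, true)) {
        return array('ok' => false, 'error' => 'File extension not allowed');
    }

    // Random server-side name plus the whitelisted extension only, so
    // "invoice.php.jpg" lands on disk as "<32 hex chars>.jpg".
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;

    return array('ok' => true, 'display' => $display, 'stored' => $stored);
}

/** One table row for file_list.php with every dynamic value escaped or cast. */
function list_row(int $fileId, string $displayName, int $expiry): string
{
    return sprintf(
        '<tr><td><a href="download.php?file_id=%d">%s</a></td><td>%s</td></tr>',
        $fileId,
        htmlspecialchars($displayName, ENT_QUOTES, 'UTF-8'),
        date('d/m/Y H:i:s', $expiry)
    );
}

// Constructed client-supplied names.
$samples = array('holiday.JPG', 'notes.txt', 'shell.php', 'invoice.php.jpg',
                 'noextension', 'Q3 <draft> "final".txt', 'C:\\Users\\me\\song.mp3');

$id = 0;
foreach ($samples as $name) {
    $plan = plan_upload($name, $allowed_ext);
    if (!$plan['ok']) {
        printf("%-26s REJECTED: %s\n", $name, $plan['error']);
        continue;
    }
    // In upload.php the move would be:
    //   move_uploaded_file($_FILES['file']['tmp_name'], 'assets/files/' . $plan['stored']);
    // with both names saved in the files table (a stored-name column is assumed).
    printf("%-26s stored as %s\n", $name, $plan['stored']);
    echo '    ', list_row(++$id, $plan['display'], time() + 600), "\n";
}
```

Because the name on disk never contains client input, the original name only ever reaches the browser through `htmlspecialchars()`.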

Re: Temporary link Download

Posted: Mon Aug 26, 2013 6:43 pm
by Temor
ScTech wrote:Beat me to it Temor :) I should also mention that you should look into checking file extensions and only allow a few. Any files that can execute code like .php, .html, .py, .js etc. you should filter out because they can potentially break into your file system, or worse. To make it more simple because there are a lot of files you shouldn't allow, you should make a whitelist of file extensions that you do allow.
:)

A whitelist like this has been used extensively in Jacek's tutorials. Especially in those related to image uploads.

Re: Temporary link Download

Posted: Mon Aug 26, 2013 10:31 pm
by Ehrmantraut
Temor wrote:
ScTech wrote:Beat me to it Temor :) I should also mention that you should look into checking file extensions and only allow a few. Any files that can execute code like .php, .html, .py, .js etc. you should filter out because they can potentially break into your file system, or worse. To make it more simple because there are a lot of files you shouldn't allow, you should make a whitelist of file extensions that you do allow.
:)

A whitelist like this has been used extensively in Jacek's tutorials. Especially in those related to image uploads.
I understand what the code does, I'm just not 100% sure where it needs to go exactly in the upload.php file. I already have a white list set up so that users can't upload the likes of .php, .html, .py, .js etc. I know what you're probably thinking: he can set up a white list but he doesn't know where to put this code... I know it's weird, I guess I just understand parts of PHP better than others.

Re: Temporary link Download

Posted: Mon Aug 26, 2013 10:42 pm
by Temor
Don't take me the wrong way here. All you have to do is just follow the steps of the code and find the one where your modification fits.

It's like a puzzle. You have to look at the part you're gonna put in and take note that it is giving $expiry a value, and then match it to where you do that in your original code.

If you keep staring at code for another 2-4000 hours you'll start noticing these things automatically ( probably way sooner than that even ).

Re: Temporary link Download

Posted: Tue Aug 27, 2013 3:14 am
by Ehrmantraut
Temor wrote:Don't take me the wrong way here. All you have to do is just follow the steps of the code and find the one where your modification fits.

It's like a puzzle. You have to look at the part you're gonna put in and take note that it is giving $expiry a value, and then match it to where you do that in your original code.

If you keep staring at code for another 2-4000 hours you'll start noticing these things automatically ( probably way sooner than that even ).
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Upload a File</title>
    <style type="text/css">
table {
border-collapse:collapse;
}

table, td, th {
border:1px solid #999;
height:43px;
}
    </style>
    </head>
    <body>
    <?php
    
    include('assets/inc/init.inc.php');
    
    if (isset($_POST['expiry'], $_FILES['file'])){
    	$errors = array();
	$allowed_ext = array("mp3","doc","txt","jpg","jpeg","gif","png");
	
	$file_name = $_FILES['file']['name'];
	$file_ext  = strtolower(end(explode('.',$file_name)));
	$file_tmp  = $_FILES['file']['tmp_name'];


		 if (in_array($file_ext, $allowed_ext) ===false){
	 $errors[] = 'File extension not allowed';
	 
	
	} 
	 

	 if (empty($errors)) {
	  
	 if (isset($_POST['expiry'], $_FILES['file'])){
   
            $file_name = mysql_real_escape_string($_FILES['file']['name']);
            
         }
 
         if(empty($_POST['expiry'])) { // Checks to see if $_POST['expiry'] is empty.
         
         $expiry = time() + (10 * 60); // Is empty. Set expiry time to 10 minutes ( 10 * 60 seconds ).
       	 } else { 
       	 
       	 // Is not empty.
       	 
        if(!ctype_digit($_POST['expiry'])) { // Check if value is actually an Integer.
                       
        echo("Value is not an integer."); //Value is not an integer. Throw an error.
                                        
     	} else { 
     	
     	// Value is an integer.
                       
      	$expiry = time() + ($_POST['expiry'] * 60); // User sets the expiry time.
      	
      	}
       }    
       
        mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}', {$expiry})");
      	
      	move_uploaded_file($_FILES['file']['tmp_name'], "assets/files/{$_FILES['file']['name']}");
      	
        echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
	 
	             
            	 } else {
	 foreach ($errors as $error){
	 echo $error,'<br /><br />';
	 
   }
	
 }
	
}		 
?>
      <div>
      <form action="" method="post" enctype="multipart/form-data">
      <table>
       
      <tr>
      <td><b>Set Expiry Time:</b> <input type="text" name="expiry" size="6" /> <b>Minutes Only<b></td>
      </tr>
      
      <tr>
      <td><b>Choose a file:</b> <input type="file" name="file" /></td>
      </tr>
      
       <tr>
      <td><input type="submit" value="Upload!" /></td>
      </tr>
      
      <tr>
      <td><p><a href="file_list.php">Click here</a> to download your time sensitive file, or files.</p></td>
      </tr>

    </table>
    </form>
    </div>
    </body>
    </html>
Here's the code laid out, but I believe I'm missing an if statement, as if I'm reading the code correctly both the integer error and the success message telling me the file has been uploaded are going to show at the same time. P.S. Temor, don't worry, I haven't been working at it since 11:43pm; I just don't sleep great so thought I'd pop online and post my progress.

Re: Temporary link Download

Posted: Tue Aug 27, 2013 1:26 pm
by Temor
You shouldn't just paste the code in there. You have doubles now!
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Upload a File</title>
    <style type="text/css">
table {
border-collapse:collapse;
}
 
table, td, th {
border:1px solid #999;
height:43px;
}
    </style>
    </head>
    <body>
    <?php
   
    include('assets/inc/init.inc.php');
   
    if (isset($_POST['expiry'], $_FILES['file'])){
        $errors = array();
        $allowed_ext = array("mp3","doc","txt","jpg","jpeg","gif","png");
       
        $file_name = $_FILES['file']['name'];
        $file_ext  = strtolower(end(explode('.',$file_name)));
        $file_tmp  = $_FILES['file']['tmp_name'];
 
 
                 if (in_array($file_ext, $allowed_ext) ===false){
         $errors[] = 'File extension not allowed';
         
       
        }
         
 
         if (empty($errors)) {
         
         if (isset($_POST['expiry'], $_FILES['file'])){ // This if statement is identical to the one a few lines above. Merge them!
   
            $file_name = mysql_real_escape_string($_FILES['file']['name']); // You're already doing this, but without mysql_real_escape_string, again, a few lines up.
           
         }
 
         if(empty($_POST['expiry'])) { // Checks to see if $_POST['expiry'] is empty. // This entire block should be put in the first if statement.
         
         $expiry = time() + (10 * 60); // Is empty. Set expiry time to 10 minutes ( 10 * 60 seconds ).
         } else {
         
         // Is not empty.
         
        if(!ctype_digit($_POST['expiry'])) { // Check if value is actually an Integer.
                       
        echo("Value is not an integer."); //Value is not an integer. Throw an error.
                                       
        } else {
       
        // Value is an integer.
                       
        $expiry = time() + ($_POST['expiry'] * 60); // User sets the expiry time.
       
        }
       }    
       
        mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}', {$expiry})");
       
        move_uploaded_file($_FILES['file']['tmp_name'], "assets/files/{$_FILES['file']['name']}");
       
        echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
         
                     
                 } else {
         foreach ($errors as $error){
         echo $error,'<br /><br />';
         
   }
       
 }
       
}                
?>
      <div>
      <form action="" method="post" enctype="multipart/form-data">
      <table>
       
      <tr>
      <td><b>Set Expiry Time:</b> <input type="text" name="expiry" size="6" /> <b>Minutes Only<b></td>
      </tr>
     
      <tr>
      <td><b>Choose a file:</b> <input type="file" name="file" /></td>
      </tr>
     
       <tr>
      <td><input type="submit" value="Upload!" /></td>
      </tr>
     
      <tr>
      <td><p><a href="file_list.php">Click here</a> to download your time sensitive file, or files.</p></td>
      </tr>
 
    </table>
    </form>
    </div>
    </body>
    </html>
 
I swapped things around for you... This should now work:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Upload a File</title>
    <style type="text/css">
table {
border-collapse:collapse;
}
 
table, td, th {
border:1px solid #999;
height:43px;
}
    </style>
    </head>
    <body>
    <?php
   
    include('assets/inc/init.inc.php');
   
    if (isset($_POST['expiry'], $_FILES['file'])){
        $errors = array();
        $allowed_ext = array("mp3","doc","txt","jpg","jpeg","gif","png");
       
        $file_name = mysql_real_escape_string($_FILES['file']['name']);
        $file_ext  = strtolower(end(explode('.',$file_name)));
        $file_tmp  = $_FILES['file']['tmp_name'];
 
 
                 if (in_array($file_ext, $allowed_ext) ===false){
         $errors[] = 'File extension not allowed';
		 
		if(empty($_POST['expiry'])) { 
			$expiry = time() + (10 * 60); 
		} else {     
		  
			if(!ctype_digit($_POST['expiry'])) {        
				echo("Value is not an integer.");                    
			} else {       
				$expiry = time() + ($_POST['expiry'] * 60); 
			}
		}   
         
       
        }
         
 
         if (empty($errors)) {

       
        mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}', {$expiry})");
       
        move_uploaded_file($_FILES['file']['tmp_name'], "assets/files/{$_FILES['file']['name']}");
       
        echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
         
                     
                 } else {
         foreach ($errors as $error){
         echo $error,'<br /><br />';
         
   }
       
 }
       
}                
?>
      <div>
      <form action="" method="post" enctype="multipart/form-data">
      <table>
       
      <tr>
      <td><b>Set Expiry Time:</b> <input type="text" name="expiry" size="6" /> <b>Minutes Only<b></td>
      </tr>
     
      <tr>
      <td><b>Choose a file:</b> <input type="file" name="file" /></td>
      </tr>
     
       <tr>
      <td><input type="submit" value="Upload!" /></td>
      </tr>
     
      <tr>
      <td><p><a href="file_list.php">Click here</a> to download your time sensitive file, or files.</p></td>
      </tr>
 
    </table>
    </form>
    </div>
    </body>
    </html>
 

Re: Temporary link Download

Posted: Tue Aug 27, 2013 2:50 pm
by Ehrmantraut
Temor wrote:You shouldn't just paste the code in there. You have doubles now!
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Upload a File</title>
    <style type="text/css">
table {
border-collapse:collapse;
}
 
table, td, th {
border:1px solid #999;
height:43px;
}
    </style>
    </head>
    <body>
    <?php
   
    include('assets/inc/init.inc.php');
   
    if (isset($_POST['expiry'], $_FILES['file'])){
        $errors = array();
        $allowed_ext = array("mp3","doc","txt","jpg","jpeg","gif","png");
       
        $file_name = $_FILES['file']['name'];
        $file_ext  = strtolower(end(explode('.',$file_name)));
        $file_tmp  = $_FILES['file']['tmp_name'];
 
 
                 if (in_array($file_ext, $allowed_ext) ===false){
         $errors[] = 'File extension not allowed';
         
       
        }
         
 
         if (empty($errors)) {
         
         if (isset($_POST['expiry'], $_FILES['file'])){ // This if statement is identical to the one a few lines above. Merge them!
   
            $file_name = mysql_real_escape_string($_FILES['file']['name']); // You're already doing this, but without mysql_real_escape_string, again, a few lines up.
           
         }
 
         if(empty($_POST['expiry'])) { // Checks to see if $_POST['expiry'] is empty. // This entire block should be put in the first if statement.
         
         $expiry = time() + (10 * 60); // Is empty. Set expiry time to 10 minutes ( 10 * 60 seconds ).
         } else {
         
         // Is not empty.
         
        if(!ctype_digit($_POST['expiry'])) { // Check if value is actually an Integer.
                       
        echo("Value is not an integer."); //Value is not an integer. Throw an error.
                                       
        } else {
       
        // Value is an integer.
                       
        $expiry = time() + ($_POST['expiry'] * 60); // User sets the expiry time.
       
        }
       }    
       
        mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}', {$expiry})");
       
        move_uploaded_file($_FILES['file']['tmp_name'], "assets/files/{$_FILES['file']['name']}");
       
        echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
         
                     
                 } else {
         foreach ($errors as $error){
         echo $error,'<br /><br />';
         
   }
       
 }
       
}                
?>
      <div>
      <form action="" method="post" enctype="multipart/form-data">
      <table>
       
      <tr>
      <td><b>Set Expiry Time:</b> <input type="text" name="expiry" size="6" /> <b>Minutes Only<b></td>
      </tr>
     
      <tr>
      <td><b>Choose a file:</b> <input type="file" name="file" /></td>
      </tr>
     
       <tr>
      <td><input type="submit" value="Upload!" /></td>
      </tr>
     
      <tr>
      <td><p><a href="file_list.php">Click here</a> to download your time sensitive file, or files.</p></td>
      </tr>
 
    </table>
    </form>
    </div>
    </body>
    </html>
 
I swapped things around for you... This should now work:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Upload a File</title>
    <style type="text/css">
table {
border-collapse:collapse;
}
 
table, td, th {
border:1px solid #999;
height:43px;
}
    </style>
    </head>
    <body>
    <?php
   
    include('assets/inc/init.inc.php');
   
    if (isset($_POST['expiry'], $_FILES['file'])){
        $errors = array();
        $allowed_ext = array("mp3","doc","txt","jpg","jpeg","gif","png");
       
        $file_name = mysql_real_escape_string($_FILES['file']['name']);
        $file_ext  = strtolower(end(explode('.',$file_name)));
        $file_tmp  = $_FILES['file']['tmp_name'];
 
 
                 if (in_array($file_ext, $allowed_ext) ===false){
         $errors[] = 'File extension not allowed';
		 
		if(empty($_POST['expiry'])) { 
			$expiry = time() + (10 * 60); 
		} else {     
		  
			if(!ctype_digit($_POST['expiry'])) {        
				echo("Value is not an integer.");                    
			} else {       
				$expiry = time() + ($_POST['expiry'] * 60); 
			}
		}   
         
       
        }
         
 
         if (empty($errors)) {

       
        mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}', {$expiry})");
       
        move_uploaded_file($_FILES['file']['tmp_name'], "assets/files/{$_FILES['file']['name']}");
       
        echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
         
                     
                 } else {
         foreach ($errors as $error){
         echo $error,'<br /><br />';
         
   }
       
 }
       
}                
?>
      <div>
      <form action="" method="post" enctype="multipart/form-data">
      <table>
       
      <tr>
      <td><b>Set Expiry Time:</b> <input type="text" name="expiry" size="6" /> <b>Minutes Only<b></td>
      </tr>
     
      <tr>
      <td><b>Choose a file:</b> <input type="file" name="file" /></td>
      </tr>
     
       <tr>
      <td><input type="submit" value="Upload!" /></td>
      </tr>
     
      <tr>
      <td><p><a href="file_list.php">Click here</a> to download your time sensitive file, or files.</p></td>
      </tr>
 
    </table>
    </form>
    </div>
    </body>
    </html>
 
Note to self don't code when half asleep lol... Code works but the files ain't showing on the file_list.php page.

Re: Temporary link Download

Posted: Tue Aug 27, 2013 3:05 pm
by ScTech
One small problem. Where it is validating with ctype_digit, you are using echo which won't stop it from continuing. You should set that as $errors instead of echoing it.

Have you edited file_list.php since? What does the database show when you leave it blank and when you insert a number?

Re: Temporary link Download

Posted: Tue Aug 27, 2013 11:52 pm
by Ehrmantraut
ScTech wrote:One small problem. Where it is validating with ctype_digit, you are using echo which won't stop it from continuing. You should set that as $errors instead of echoing it.

Have you edited file_list.php since? What does the database show when you leave it blank and when you insert a number?
No, I haven't edited the file_list.php page at all. I've changed the error message; it's now set as $errors[] = 'Value is not an integer.'; instead of echoing. When I upload a file it uploads to the files folder but it isn't inserting the info into the mysql database table.

Re: Temporary link Download

Posted: Wed Aug 28, 2013 12:31 am
by ScTech
You're missing apostrophes around $expiry in your query on upload.php

Re: Temporary link Download

Posted: Wed Aug 28, 2013 2:58 pm
by Ehrmantraut
ScTech wrote:You're missing apostrophes around $expiry in your query on upload.php
Files are now showing in file_list.php, but I can't download the file as it's set the date and time to the following: 01/01/1970 00:00:00

Re: Temporary link Download

Posted: Wed Aug 28, 2013 7:02 pm
by ScTech
Please post file_list.php in case there's a difference. Also, what are the expiry values in the database both when you don't insert a number, and when you do?

Re: Temporary link Download

Posted: Wed Aug 28, 2013 7:42 pm
by Ehrmantraut
ScTech wrote:Please post file_list.php in case there's a difference. Also, what are the expiry values in the database both when you don't insert a number, and when you do?
<?php

include('assets/inc/init.inc.php');

$files = mysql_query("SELECT file_id, file_name, file_expiry FROM files");

?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>File List</title>
</head>
<style type="text/css">
table { border-collapse:collapse; width:600px; }
td, th {border: solid 1px #999; padding: 4px;}
</style>
<body>
<table>
<tr>
<th>File Name:</th>
<th>Expiry:</th>

</tr>

<?php

while(($row = mysql_fetch_assoc($files))!==false ){
?>
<tr>
<td><a href="download.php?file_id=<?php echo $row['file_id'] ?>"><?php echo $row['file_name']; ?></a></td>
<td><?php  echo date('d/m/Y H:i:s', $row['file_expiry']); ?></td>

</tr>

<?php
}
?>
</table>
</body>
</html>
When you insert data the expiry time shows as 0, and when you upload a file from the upload.php page the time and date are set as 01/01/1970 00:00:00. P.S. file_expiry is set to an int with a value of 10 in the mysql database.

Re: Temporary link Download

Posted: Wed Aug 28, 2013 8:31 pm
by Temor
Could you post all the code you have now, so I can get an overview?

Re: Temporary link Download

Posted: Wed Aug 28, 2013 8:59 pm
by Ehrmantraut
Temor wrote:Could you post all the code you have now, so I can get an overview?
File Name: init.inc.php
<?php
mysql_connect('localhost','username','password');
mysql_select_db('database');
?>
File Name: upload.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Upload a File</title>
    <style type="text/css">
table {
border-collapse:collapse;
}
 
table, td, th {
border:1px solid #999;
height:43px;
}
    </style>
    </head>
    <body>
    <?php
   
    include('assets/inc/init.inc.php');
   
    if (isset($_POST['expiry'], $_FILES['file'])){
        $errors = array();
        $allowed_ext = array("mp3","doc","txt","jpg","jpeg","gif","png");
       
        $file_name = mysql_real_escape_string($_FILES['file']['name']);
        $file_ext  = strtolower(end(explode('.',$file_name)));
        $file_tmp  = $_FILES['file']['tmp_name'];
 
 
                 if (in_array($file_ext, $allowed_ext) ===false){
         		     $errors[] = 'File extension not allowed';
                 
                if(empty($_POST['expiry'])) {
                        $expiry = time() + (10 * 60);
                } else {    
                 
                        if(!ctype_digit($_POST['expiry'])) {        
                                $errors[] = 'Value is not an integer.';                   
                        } else {      
                        
                        $expiry = time() + ($_POST['expiry'] * 60);
                        
                        }
                }  
         
       
        }
         
 
         if (empty($errors)) {
 
       
        mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}','{$expiry}')");
       
        move_uploaded_file($_FILES['file']['tmp_name'], "assets/files/{$_FILES['file']['name']}");
       
        echo "<p>". htmlentities($_FILES['file']['name']) ." has been successfully uploaded.<p>";
         
                     
                 } else {
         foreach ($errors as $error){
         echo $error,'<br /><br />';
         
   }
       
 }
       
}                
?>
      <div>
      <form action="" method="post" enctype="multipart/form-data">
      <table>
       
      <tr>
      <td><b>Set Expiry Time:</b> <input type="text" name="expiry" size="6" /> <b>Minutes Only<b></td>
      </tr>
     
      <tr>
      <td><b>Choose a file:</b> <input type="file" name="file" /></td>
      </tr>
     
       <tr>
      <td><input type="submit" value="Upload!" /></td>
      </tr>
     
      <tr>
      <td><p><a href="file_list.php">Click here</a> to download your time sensitive file, or files.</p></td>
      </tr>
 
    </table>
    </form>
    </div>
    </body>
    </html>
File Name: file_list.php
<?php

include('assets/inc/init.inc.php');

$files = mysql_query("SELECT file_id, file_name, file_expiry FROM files");

?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>File List</title>
</head>
<style type="text/css">
table { border-collapse:collapse; width:600px; }
td, th {border: solid 1px #999; padding: 4px;}
</style>
<body>
<table>
<tr>
<th>File Name:</th>
<th>Expiry:</th>

</tr>

<?php

while(($row = mysql_fetch_assoc($files))!==false ){
?>
<tr>
<td><a href="download.php?file_id=<?php echo $row['file_id'] ?>"><?php echo $row['file_name']; ?></a></td>
<td><?php  echo date('d/m/Y H:i:s', $row['file_expiry']); ?></td>

</tr>

<?php
}
?>
</table>
</body>
</html>
File Name: download.php
<?php

include('assets/inc/init.inc.php');

if (isset($_GET['file_id'])){
	$file_id = (int)$_GET['file_id'];
	
	
	$files = mysql_query("SELECT file_name, file_expiry FROM files WHERE file_id={$file_id}");
	
	if (mysql_num_rows($files) !=1){
	
		echo "Invalid File ID";
	}else{
	
		$row = mysql_fetch_assoc($files);
		
		if($row['file_expiry'] < time())
		{
			echo "This file has now expired. Please contact the administrator for more details.";
		}
		else 
		{
			$path = "assets/files/{$row['file_name']}";
			header("Content-Type: application/octet-stream");
			header("Content-Description: File Transfer");
			header("Content-Disposition: attachment; filename=\"{$row['file_name']}\"");
			header("Content-Length: ". filesize($path));
			readfile($path);
		}
	}
}
?>
File Name: files.sql
CREATE TABLE IF NOT EXISTS `files` (
  `file_id` int(6) NOT NULL AUTO_INCREMENT,
  `file_name` varchar(255) NOT NULL,
  `file_expiry` int(10) NOT NULL,
  PRIMARY KEY (`file_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Re: Temporary link Download

Posted: Wed Aug 28, 2013 9:28 pm
by ScTech
Weird. Tested to make sure $expiry worked and it displays the correct time for me. And you said that file_expiry column is showing a 0, but only when you insert a number?

Re: Temporary link Download

Posted: Wed Aug 28, 2013 10:18 pm
by Temor
What happens if you remove the quotes around $expiry in your upload query?
  mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}','{$expiry}')");
  mysql_query("INSERT INTO files (file_name, file_expiry) VALUES ('{$file_name}',{$expiry})");
It is, after all, an integer, and should be treated as such. Maybe SQL thinks you're trying to insert a string and defaults to 0.
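
The expiry handling discussed through this thread (the default of 10 minutes, the ctype_digit() check, collecting problems as errors instead of echoing them, and the question of quoting `$expiry` in the INSERT), put together as an added example that is not code from any poster. `parse_expiry()`, `save_upload_record()` and the 1440-minute upper bound are assumptions for illustration. It uses PDO with bound parameters because the `mysql_*` functions used on this page were removed in PHP 7.0, and an in-memory SQLite table stands in for the thread's MySQL `files` table so the example runs on its own.

```php
<?php
// Added example, not code from the thread. Function names and the upper
// bound are assumptions; the sample inputs at the bottom are constructed.

const DEFAULT_EXPIRY_MINUTES = 10;    // default asked for in the thread
const MAX_EXPIRY_MINUTES     = 1440;  // assumed cap (24 h), not from the thread

/**
 * Turn the raw "expiry" form field into a Unix timestamp.
 * Returns array(timestamp or null, list of error strings).
 */
function parse_expiry($raw, int $now): array
{
    $raw = is_string($raw) ? trim($raw) : '';

    // Blank field: apply the default. Unlike empty(), "0" is NOT treated as blank.
    if ($raw === '') {
        return array($now + DEFAULT_EXPIRY_MINUTES * 60, array());
    }
    // Digits only: rejects "10abc", "1.5", "-5" and " 7 x".
    if (!ctype_digit($raw)) {
        return array(null, array('Value is not an integer.'));
    }
    // Length check first so an absurdly long digit string never reaches the cast.
    $minutes = strlen($raw) > 5 ? 0 : (int) $raw;
    if ($minutes < 1 || $minutes > MAX_EXPIRY_MINUTES) {
        return array(null, array('Expiry must be between 1 and ' . MAX_EXPIRY_MINUTES . ' minutes.'));
    }
    return array($now + $minutes * 60, array());
}

/**
 * Validate first, insert only when there are no errors.
 * The expiry is bound as an integer, so no quoting decision is left to the query string.
 */
function save_upload_record(PDO $db, string $fileName, $rawExpiry, int $now): array
{
    list($expiry, $errors) = parse_expiry($rawExpiry, $now);
    if ($errors) {
        return array('id' => null, 'errors' => $errors);   // nothing is inserted
    }
    $stmt = $db->prepare('INSERT INTO files (file_name, file_expiry) VALUES (:name, :expiry)');
    $stmt->bindValue(':name', $fileName, PDO::PARAM_STR);
    $stmt->bindValue(':expiry', $expiry, PDO::PARAM_INT);
    $stmt->execute();
    return array('id' => (int) $db->lastInsertId(), 'errors' => array());
}

// Constructed demo database mirroring the columns of files.sql.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (
    file_id     INTEGER PRIMARY KEY AUTOINCREMENT,
    file_name   TEXT    NOT NULL,
    file_expiry INTEGER NOT NULL
)');

$now = time();
foreach (array('', '25', '0', '10abc', '1.5') as $input) {   // constructed form values
    $result = save_upload_record($db, 'notes.txt', $input, $now);
    printf(
        "%-8s => %s\n",
        var_export($input, true),
        $result['errors'] ? implode(' ', $result['errors']) : 'inserted row ' . $result['id']
    );
}

// Only the blank and "25" submissions produced rows, at 10 and 25 minutes.
foreach ($db->query('SELECT file_id, file_expiry FROM files') as $row) {
    printf("row %d expires in %d minutes\n", $row['file_id'], ($row['file_expiry'] - $now) / 60);
}
```

The expiry is resolved before any insert and independently of the file-extension check, so every request ends with either a valid timestamp or an entry in the error list.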