PHP Upload Script

Started by CrAz3D, November 27, 2003, 10:49 AM


CrAz3D

Please bear with me, my PHP knowledge is quite limited. I am trying to restrict the upload type to only gif, jpeg, & png images. This is what I have for that.
The maximum size for a file is 20000 bytes.
<form enctype="multipart/form-data" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="20000">
File: <input name="userfile" type="file" /><br />
<input type="submit" value="Upload" />
</form>

<a href="http://crazedmind.net/">CrAz3D MiND</a>
</center>
<?php
if (@is_uploaded_file($_FILES["userfile"]["type"] !="image/gif" AND $_FILES["userfile"]["type"] !="image/pjpeg"))
{
    echo "<p>Invalid file type</p>";
    unlink($_FILES["userfile"]["tmp_name"]);
}
else
{
    if (@is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
        copy($_FILES["userfile"]["tmp_name"], "files/" . $_FILES["userfile"]["name"]);
        echo "<p>File uploaded successfully.</p>";
        echo "<br>File is located at: http://sigs.crazedmind.net/files/*FILENAME*";
    }
?>



This is what I have before I try to restrict the files:
The maximum size for a file is 20000 bytes.
<form enctype="multipart/form-data" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="20000">
File: <input name="userfile" type="file" /><br />
<input type="submit" value="Upload" />
</form>

<a href="http://crazedmind.net/">CrAz3D MiND</a>
</center>
<?php
// Copy the uploaded temp file into files/ under the name the client sent.
if (@is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
    copy($_FILES["userfile"]["tmp_name"], "files/" . $_FILES["userfile"]["name"]);
    echo "<p>File uploaded successfully.</p>";
    echo "<br>File is located at: http://sigs.crazedmind.net/files/*FILENAME*";
}
?>




The second code works fine but doesn't restrict file type, second one gives me an error on 'line 77' which is the "?>" which closes the php.

If anyone can steer me in the correct direction here I'd appreciate it.
rebundance - having or being in excess of sheer stupidity
(ré-bun-dance)
Quote from: Spht on June 22, 2004, 07:32 PMSlap.
Quote from: Adron on January 28, 2005, 09:17 AMIn a way, I believe that religion is inherently evil, which includes Christianity. I'd also say Christianity is eviller than Buddhism (has more potential for evil).
Quote from: iago on April 19, 2005, 01:06 PM
CrAz3D's ... is too big vertically, at least, too big with ... iago ...

Skywing

#1
Note that unless you inspect the file contents yourself, there is nothing stopping somebody from claiming a file is a jpeg but really uploading anything.

CrAz3D

I know, I just don't want them to be able to upload php scripts or w/e.

Kp

#3
It's usually a very bad idea to put limits like file size clientside (only).  If your script just queries the submitted MAX_FILE_SIZE field and compares that to the file size actually sent, I could easily allow uploading a multi-megabyte file just by saving your form to disk, editing the MAX_FILE_SIZE field, and using my modified form to post back.  Your script would see that I was under the limit I claimed (which was artificially high), and allow it.  I don't see anything in the posted code which actually checks file size at all presently, but this is just a reminder for when you add that check.

Also, if you're trying to keep them from uploading runnable content, you may want to restrict the file extension.  Again, it's fairly arbitrary (they could rename a .php to a .jpg), but if it doesn't have the php extension, it (probably) won't be treated as php by your server.

[Edit: I just found what's wrong with your code.  You should see it pretty readily once you fix your bracing style.  (Hint: line up open and close braces)]
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!


CrAzY

Script's okay, I didn't read over the whole thing so I didn't see any flaws.  I suggest you make it "Prettier" and add more variables so your script isn't so bunched up.  Just an idea :-)
CrAzY

CrAzY

#6

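<?php
// explode() takes the delimiter first, then the string to split.
$blah = explode('.', $filenamewithfiletypeinit);
// Compare the last segment, lowercased, so "a.jpg.php" is seen as "php".
$ext = strtolower(end($blah));

if ($ext == "jpg")
{
//Do Script for The Files that You want to accept
}else if($ext == "gif"){
// ''
}else if($ext == "png"){
// '' again
}else{
echo("Invalid File Type!");
}
?>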


Just wrote that off the top of my head.  Someone correct it if it doesn't work.  Thank you
CrAzY

venox

I would suggest using PHP's EXIF extension.  You can view some stuff about it at http://us2.php.net/exif  hope this helps
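
An added example, not part of any post in this thread: a server-side handler for the "userfile" field that combines the points raised above (size enforced on the server, content inspected rather than the client-supplied type, extension chosen by the server). The function name store_upload, the PHP 7+ requirement, and the use of getimagesize() instead of the EXIF extension are assumptions, as is a files/ directory that the web server does not execute scripts from.

```php
<?php
// Added example. Assumed: files/ is a directory the server never runs scripts from.
const MAX_BYTES = 20000; // limit stated on the form, enforced here on the server
const ALLOWED = [        // detected image type => extension the server assigns
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function store_upload(array $file, string $destDir): string
{
    // Reject failed uploads and paths that did not arrive as an HTTP upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // The hidden MAX_FILE_SIZE field is client-controlled; measure the file itself.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // $file['type'] is whatever the client claimed; read the image header instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        throw new RuntimeException('Invalid file type');
    }
    // Discard the client's file name: a generated name with an extension taken
    // from the detected type means a ".php" name never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (isset($_FILES['userfile'])) {
    try {
        $name = store_upload($_FILES['userfile'], __DIR__ . '/files');
        echo '<p>File uploaded successfully as ' . htmlspecialchars($name) . '</p>';
    } catch (RuntimeException $e) {
        echo '<p>' . htmlspecialchars($e->getMessage()) . '</p>';
    }
}
```

A header check like this only confirms the file starts as a valid image; the generated name and a non-executing upload directory are what keep embedded script text from ever being run.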