Are these upload scripts safe? solved.
Posted: Mon Oct 26, 2009 3:37 pm
Hey guys I have an mp3 and image upload script, almost identical in form just with different checks. I was wondering if anyone could give me security tips on them. Thanks in advance.
Code: Select all
<?php
//file is mp3
if($_POST["selection"]==2){
# edit #
$max_filesize = 5024000;
$uploads = "../usercontent/";
$types_array = array('audio/mpeg','audio/mpeg3','audio/mpg');
# end edit #
if($_FILES['file']['name'] == "")
{
echo"<script>
alert(\"Please select a file to upload!\");
</script>";
return;
}
if(!in_array($_FILES['file']['type'], $types_array))
{
echo"<script>
alert(\"This is not an mp3!\");
</script>";
return;
}
$max_filesize_kb = ($max_filesize / 1024);
if($_FILES['file']['size'] > $max_filesize)
{
echo"<script>
alert(\"Your file is too large it must be.$max_filesize_kb.kb\");
</script>";
return;
}
else{
move_uploaded_file($_FILES['file']['tmp_name'], $uploads.'/'.urlencode($_FILES['file']['name']))
or die ("Couldn't upload ".$_FILES['file']['name']."\n");
echo"<script>
alert(\"File uploaded\");
</script>";
return;
}
}
//FILE IS IMAGE
if($_POST["selection"]==1){
# edit #
$maxwidth = 1024;
$maxheight = 1024;
$max_filesize = 1024000;
$uploads = "../usercontent/";
$types_array = array('image/gif','image/jpeg','image/x-png', 'image/jpg');
# end edit #
if($_FILES['file']['name'] == "")
{
echo"<script>
alert(\"Please select a file to upload!\");
</script>";
return;
}
if(!in_array($_FILES['file']['type'], $types_array))
{
echo"<script>
alert(\"That file type is not allowed!\");
</script>";
return;
}
$max_filesize_kb = ($max_filesize / 1024);
if($_FILES['file']['size'] > $max_filesize)
{
echo"<script>
alert(\"Your file is too large it must be.$max_filesize_kb\");
</script>";
return;
}
$imagesize = getimagesize($_FILES['file']['tmp_name']);
$imagewidth = $imagesize[0];
$imageheight = $imagesize[1];
if($imagewidth > $maxwidth || $imageheight > $maxheight)
{
echo"<script>
alert(\"The resolution is too large files may be up to ".$maxwidth."px x ".$maxheight."px in size\n\");
</script>";
return;
}
else{
move_uploaded_file($_FILES['file']['tmp_name'], $uploads.'/'.urlencode($_FILES['file']['name']))
or die ("Couldn't upload ".$_FILES['file']['name']."\n");
echo"<script>
alert(\"File uploaded\");
</script>";
return;
}
}
?>