Upload script request

CatherinePHP
Forum Newbie
Posts: 4
Joined: Mon Apr 29, 2013 8:30 am

Upload script request

Post by CatherinePHP »

Hello

I've been struggling with trying to code an upload script that hashes the file name after it gets uploaded, allows certain files to be uploaded, and gives the link to the file after it's uploaded.

Those 3 factors are VERY important. I can't find any script online that meets my requirements. I've tried coding one myself by following YouTube tutorials and asking for help on other forums, but I had no luck whatsoever :(

I know this might be easy to code, but I'm a beginner in PHP programming, so please no hateful replies.

If anyone could provide me with a script I'd really appreciate it.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Upload script request

Post by Christopher »

There was a recent discussion of an upload script:

Here:
forums.devnetwork.net/viewtopic.php?f=1&t=137664

And the final script here:
viewtopic.php?p=685146#p685146

I think that code can be improved.
CatherinePHP
Forum Newbie
Posts: 4
Joined: Mon Apr 29, 2013 8:30 am

Re: Upload script request

Post by CatherinePHP »

Christopher wrote:There was a recent discussion of an upload script:

Here:
forums.devnetwork.net/viewtopic.php?f=1&t=137664

And the final script here:
viewtopic.php?p=685146#p685146

I think that code can be improved.
Thanks for the reply, Christopher.

Unfortunately that script is insecure; people could still upload harmful PHP scripts to the server through the Tamper Data addon for Firefox.

Please help me, I want to make the script 100% secure, with only certain files uploaded.

Thanks for your help
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Upload script request

Post by requinix »

The final script is secure. What do you think is wrong with it?
CatherinePHP
Forum Newbie
Posts: 4
Joined: Mon Apr 29, 2013 8:30 am

Re: Upload script request

Post by CatherinePHP »

requinix wrote:The final script is secure. What do you think is wrong with it?
Sadly, it's not secure. I've tested it on my localhost and managed to upload a PHP file even though that extension is prohibited. I've used the "Tamper Data" Firefox addon, which is common among hackers.

I've looked everywhere for a secure version that checks the last extension, but no luck so far :(
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Upload script request

Post by Christopher »

CatherinePHP wrote:Sadly, it's not secure. I've tested it on my localhost and managed to upload a PHP file even though that extension is prohibited. I've used the "Tamper Data" Firefox addon, which is common among hackers.

I've looked everywhere for a secure version that checks the last extension, but no luck so far :(
So you are a beginning programmer and want an upload script that meets these criteria:

1. a script that hashes the file name after it gets uploaded
2. allow certain files to be uploaded
3. gives the link to the file after it's uploaded.
4. there is something specific that you are doing with Tamper Data (which you did not reveal) that you also need dealt with

The script referenced was written by a member like you and improved to meet the member's needs. It is pretty basic and could certainly be improved. If you have further requirements, we can certainly try to implement them here by improving that script (or code that you have). Just give us some specifics on how that script does not deal with your requirements above.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Upload script request

Post by requinix »

Oh, I bet...

Code:

//  if (($_FILES["file"]["size"] < $maxFileSize) && in_array($_FILES["file"]["type"], $allowedMimes) && in_array($extension, $allowedExts)) {
Did you uncomment that line? It needs to be uncommented. The code also has other edits to it to assist with debugging upload problems, like

Code:

  echo $_FILES["file"]["size"]." test1<br>";
  echo $_FILES["file"]["type"]." test2<br>";
  echo $extension." test3<br>";
and

Code:

        // Debugging output: each block only reports when PHP itself flagged an upload error
        if ($_FILES["file"]["size"] < $maxFileSize) {
                if ($_FILES["file"]["error"] > 0) {
                  echo "Size: " . $_FILES["file"]["size"] . "<br>";
                  echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
                }
        }
        if (in_array($_FILES["file"]["type"], $allowedMimes)) {
                if ($_FILES["file"]["error"] > 0) {
                  echo "Type: " . $_FILES["file"]["type"] . "<br>";
                  echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
                }
        }
        if (in_array($extension, $allowedExts)) {
                if ($_FILES["file"]["error"] > 0) {
                  echo $extension . "<br>";
                  echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
                }
        }
that you wouldn't want to keep once the code is ready to go live.

The unedited version is

Code:

<?php
if (isset($_POST["submit"])) {
  $path = './../upload/';
  $maxFileSize = 1 * (1024 * 1024 * 20);     // 20Mb
  $allowedExts = array("mp3", "wma", "aif");
  $allowedMimes = array("audio/mp3", "audio/mpeg", "audio/x-ms-wma", "audio/x-aiff");
//  $extension = end(explode(".", $_FILES["file"]["name"])); this generates warning pathinfo doesn't
  $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

  // Note: $_FILES["file"]["type"] is the Content-Type the client sent with the upload;
  // PHP does not verify it against the file contents.
  if (($_FILES["file"]["size"] < $maxFileSize) && in_array($_FILES["file"]["type"], $allowedMimes) && in_array($extension, $allowedExts)) {
    if ($_FILES["file"]["error"] == 0) {
      if (file_exists($path . $_FILES["file"]["name"])) {
        echo $_FILES["file"]["name"] . " already exists. ";
      } else {
        move_uploaded_file($_FILES["file"]["tmp_name"], $path . $_FILES["file"]["name"]);
      }
    } else {
      echo "Invalid file<br/>";
    }
  }
}
?>
CatherinePHP
Forum Newbie
Posts: 4
Joined: Mon Apr 29, 2013 8:30 am

Re: Upload script request

Post by CatherinePHP »

Code:

<!doctype html>
<html>
<head>
<title> upload songs </title>
</head>
<body>
<form action="upload_songs.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" id="submit" value="Submit">
</form>


<?php
if (isset($_POST["submit"])) {
  $path = 'upload/';
  $maxFileSize = 1 * (1024 * 1024 * 20);     // 20Mb
  $allowedExts = array("mp3", "wma", "aif");
  $allowedMimes = array("audio/mp3", "audio/mpeg", "audio/x-ms-wma", "audio/x-aiff");
//  $extension = end(explode(".", $_FILES["file"]["name"])); this generates warning pathinfo doesn't
  $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

  // Debugging output
  echo $_FILES["file"]["size"]." test1<br>";
  echo $_FILES["file"]["type"]." test2<br>";
  echo $extension." test3<br>";

  // The combined size/MIME/extension check is still commented out here,
  // so nothing below rejects a file on those grounds.
//  if (($_FILES["file"]["size"] < $maxFileSize) && in_array($_FILES["file"]["type"], $allowedMimes) && in_array($extension, $allowedExts)) {
  if ($_FILES["file"]["size"] < $maxFileSize) {
    if ($_FILES["file"]["error"] > 0) {
      echo "Size: " . $_FILES["file"]["size"] . "<br>";
      echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
  }
  if (in_array($_FILES["file"]["type"], $allowedMimes)) {
    if ($_FILES["file"]["error"] > 0) {
      echo "Type: " . $_FILES["file"]["type"] . "<br>";
      echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
  }
  if (in_array($extension, $allowedExts)) {
    if ($_FILES["file"]["error"] > 0) {
      echo $extension . "<br>";
      echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
  }
  if ($_FILES["file"]["error"] == 0) {
    echo "Upload: " . $_FILES["file"]["name"] . "<br>";
    echo "Type: " . $_FILES["file"]["type"] . "<br>";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br>";

    if (file_exists($path . $_FILES["file"]["name"])) {
      echo $_FILES["file"]["name"] . " already exists. ";
    } else {
      move_uploaded_file($_FILES["file"]["tmp_name"], $path . $_FILES["file"]["name"]);
      echo "Stored in: $path" . $_FILES["file"]["name"];
    }
  } else {
    echo "Type: " . $_FILES["file"]["type"] . "<br>";
    echo "Invalid file<br/>";
    // print_r() needs its second argument to return the dump instead of printing "1"
    echo '<pre>' . print_r($_FILES, true) . '</pre>';
  }
}
?>
</body>
</html>
That's the script that I'm using; it doesn't limit the file extensions. Anybody could upload a .php extension through it.

I still didn't delete the unnecessary lines; I'll do it as soon as I get back home.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Upload script request

Post by Christopher »

requinix wrote:Did you uncomment that line? It needs to be uncommented. The code also has other edits to it to assist with debugging upload problems, like

that you wouldn't want to keep once the code is ready to go live.
I actually recommended that he do something like the below. Then the script can identify the exact error to generate a reasonable error message for the user.

Code:

<?php
$no_overwrite = true;
$error = 0;     // 0 means no error; each failure below sets a distinct code
if (isset($_POST["submit"])) {
  $path = './../upload/';
  $maxFileSize = 1 * (1024 * 1024 * 20);     // 20Mb
  $allowedExts = array("mp3", "wma", "aif");
  $allowedMimes = array("audio/mp3", "audio/mpeg", "audio/x-ms-wma", "audio/x-aiff");
  $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

  if ($_FILES["file"]["size"] <= $maxFileSize) {
    if (in_array($_FILES["file"]["type"], $allowedMimes)) {
      if (in_array($extension, $allowedExts)) {
        if ($_FILES["file"]["error"] == 0) {
          if ($no_overwrite && file_exists($path . $_FILES["file"]["name"])) {
            $error = 6;     // File already exists
          } else {
            move_uploaded_file($_FILES["file"]["tmp_name"], $path . $_FILES["file"]["name"]);
          }
        } else {
          $error = 5;     // upload error
        }
      } else {
        $error = 4;     // extension not allowed
      }
    } else {
      $error = 3;     // MIME type not allowed
    }
  } else {
    $error = 2;     // File too large
  }
} else {
  $error = 1;     // Not submitted
}
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Upload script request

Post by Christopher »

CatherinePHP wrote:That's the script that I'm using; it doesn't limit the file extensions. Anybody could upload a .php extension through it.

I still didn't delete the unnecessary lines; I'll do it as soon as I get back home.
The script above should limit by file extension and MIME type, and limit the file size. But that does not deal with #1 and #4 of your requirements I listed above.
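An added example, not posted by anyone in this thread, of a handler that covers the three requirements Christopher listed (hashed stored name, allow-list of file types, link returned) and the Tamper Data point that was never spelled out: $_FILES["file"]["type"] is just the Content-Type the browser sent with the multipart part, so an intercepting proxy can set it to audio/mpeg while the body is PHP source. The scripts above compare that header against $allowedMimes; this version ignores it and instead sniffs the bytes PHP actually received with finfo, checks the real last extension against an allow-list, and never writes the client-supplied name to disk. It also replaces the numeric $error codes in Christopher's nested version with one exception per failure. The upload directory, the URL prefix, and the exact MIME strings finfo reports (they depend on the installed magic database) are assumptions, not taken from the thread.

```php
<?php
declare(strict_types=1);

// Added example for the thread above, not code from any poster.
// Assumed layout: files are written to UPLOAD_DIR, which the web server
// serves under UPLOAD_URL. Adjust both for your host.
const UPLOAD_DIR    = __DIR__ . '/upload';
const UPLOAD_URL    = '/upload';
const MAX_FILE_SIZE = 20 * 1024 * 1024;   // 20 MiB, as in the thread

// Allow-list keyed by the extension we will WRITE, mapped to the MIME types
// finfo is expected to report for genuine files of that kind. Assumed values;
// they depend on the libmagic database on the server.
const ALLOWED = [
    'mp3' => ['audio/mpeg'],
    'wma' => ['audio/x-ms-wma', 'video/x-ms-asf'],
    'aif' => ['audio/x-aiff'],
];

/**
 * Validate one $_FILES entry and return the allow-listed extension to store
 * it under. Throws RuntimeException with a user-safe message on any failure.
 * Deliberately never reads $file['type']: that header is client-controlled.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (code ' . (int) $file['error'] . ')');
    }
    if ($file['size'] > MAX_FILE_SIZE) {
        throw new RuntimeException('File too large');
    }
    // Last extension of the client name, lower-cased. "song.mp3.php" yields
    // "php" and is rejected; "song.php.mp3" yields "mp3" and must still pass
    // the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Sniff the bytes on disk rather than trusting the Content-Type the
    // browser (or Tamper Data) sent. PHP source does not look like audio.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($file['tmp_name']);
    if ($real === false || !in_array($real, ALLOWED[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }
    return $ext;
}

/**
 * Move a validated upload into UPLOAD_DIR under a content-hash name and
 * return its public URL. The original filename never touches the filesystem,
 * and identical content is stored once.
 */
function store_upload(array $file, string $ext): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $name = hash_file('sha256', $file['tmp_name']) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!file_exists($dest) && !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);   // readable by the server, never executable
    return UPLOAD_URL . '/' . rawurlencode($name);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    try {
        $ext = validate_upload($_FILES['file']);
        $url = store_upload($_FILES['file'], $ext);
        echo 'Stored: <a href="' . htmlspecialchars($url, ENT_QUOTES) . '">'
           . htmlspecialchars($url) . '</a>';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Pair it with the same HTML form as in the thread (field name "file"). Because the stored name is always sha256hex.ext with ext drawn from the allow-list, double-extension names and path characters in the client filename have no effect on what lands on disk. As a second layer, keep PHP from executing anything in the upload directory regardless of name, for example under mod_php with an .htaccess containing php_flag engine off, or by serving uploads from a directory outside the document root through a separate download script.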