Upload script request
Posted: Mon Apr 29, 2013 8:36 am
by CatherinePHP
Hello
I've been struggling with trying to code an upload script that hashes the file name after it gets uploaded, allows certain files to be uploaded and gives the link to the file after it's uploaded.
Those 3 factors are VERY important, I can't find any script online that meets my requirements. I've tried coding one myself by following YouTube tutorials and asking for help from other forums but I had no luck whatsoever.
I know this might be easy to code but I'm a beginner in PHP programming so please no hateful replies.
If anyone could provide me with a script I'd really appreciate it.
Re: Upload script request
Posted: Mon Apr 29, 2013 11:24 am
by Christopher
There was a recent discussion of an upload script:
Here:
forums.devnetwork.net/viewtopic.php?f=1&t=137664
And the final script here:
viewtopic.php?p=685146#p685146
I think that code can be improved.
Re: Upload script request
Posted: Wed May 01, 2013 8:40 am
by CatherinePHP
Christopher wrote:There was a recent discussion of an upload script:
Here:
forums.devnetwork.net/viewtopic.php?f=1&t=137664
And the final script here:
viewtopic.php?p=685146#p685146
I think that code can be improved.
Thanks for the reply, Christopher.
Unfortunately that script is unsecure, people could still upload harmful PHP scripts on the server through the Tamper Data addon on Firefox.
Please help me, I want to make the script 100% secure, only certain files uploaded.
Thanks for your help
Re: Upload script request
Posted: Wed May 01, 2013 1:13 pm
by requinix
The final script is secure. What do you think is wrong with it?
Re: Upload script request
Posted: Wed May 01, 2013 1:57 pm
by CatherinePHP
requinix wrote:The final script is secure. What do you think is wrong with it?
Sadly, it's not secure. I've tested it on my localhost and managed to upload a PHP file even though that extension is prohibited. I've used the "Tamper Data" Firefox addon which is common between hackers.
I've looked everywhere for a secure version that checks the last extension but no luck so far

Re: Upload script request
Posted: Wed May 01, 2013 4:21 pm
by Christopher
CatherinePHP wrote:Sadly, it's not secure. I've tested it on my localhost and managed to upload a PHP file even though that extension is prohibited. I've used the "Tamper Data" Firefox addon which is common between hackers.
I've looked everywhere for a secure version that checks the last extension but no luck so far

So you are a beginning programmer and want an upload script that meets these criteria:
1. a script that hashes the file name after it gets uploaded
2. allow certain files to be uploaded
3. gives the link to the file after it's uploaded.
4. there is something specific that you are doing with Tamper Data (which you did not reveal) that you also need dealt with
The script referenced was written by a member like you and improved to meet the member's needs. It is pretty basic and could certainly be improved. If you have further requirements, we can certainly try to implement them here by improving that script (or code that you have). Just give us some specifics on how that script does not deal with your requirements above.
Re: Upload script request
Posted: Wed May 01, 2013 6:47 pm
by requinix
Oh, I bet...
Code:
// if (($_FILES["file"]["size"] < $maxFileSize) && in_array($_FILES["file"]["type"], $allowedMimes) && in_array($extension, $allowedExts)) {
Did you uncomment that line? It needs to be uncommented. The code also has other edits to it to assist with debugging upload problems, like
Code:
echo $_FILES["file"]["size"]." test1<br>";
echo $_FILES["file"]["type"]." test2<br>";
echo $extension." test3<br>";
and
Code:
if($_FILES["file"]["size"] < $maxFileSize) {
    if ($_FILES["file"]["error"] > 0) {
        echo "Size: " . $_FILES["file"]["type"] . "<br>";
        echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
}
if (in_array($_FILES["file"]["type"], $allowedMimes)) {
    if ($_FILES["file"]["error"] > 0) {
        echo "Type: " . $_FILES["file"]["type"] . "<br>";
        echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
}
if(in_array($extension, $allowedExts)) {
    if ($_FILES["file"]["error"] > 0) {
        echo $extension . "<br>";
        echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
}
that you wouldn't want to keep once the code is ready to go live.
The unedited version is
Code:
<?php
if (isset($_POST["submit"])) {
    $path = './../upload/';
    $maxFileSize = 1 * (1024 * 1024 * 20); // 20Mb
    $allowedExts = array("mp3", "wma", "aif");
    $allowedMimes = array("audio/mp3", "audio/mpeg", "audio/x-ms-wma", "audio/x-aiff");
    // $extension = end(explode(".", $_FILES["file"]["name"])); this generates warning pathinfo doesn't
    $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    if (($_FILES["file"]["size"] < $maxFileSize) && in_array($_FILES["file"]["type"], $allowedMimes) && in_array($extension, $allowedExts)) {
        if($_FILES["file"]["error"] == 0) {
            if (file_exists($path . $_FILES["file"]["name"])) {
                echo $_FILES["file"]["name"] . " already exists. ";
            } else {
                move_uploaded_file($_FILES["file"]["tmp_name"], $path . $_FILES["file"]["name"]);
            }
        } else {
            echo "Invalid file<br/>";
        }
    }
}
?>
Re: Upload script request
Posted: Wed May 01, 2013 9:08 pm
by CatherinePHP
Code:
<!doctype html>
<html>
<head>
    <title> upload songs </title>
</head>
<body>
<form action="upload_songs.php" method="post" enctype="multipart/form-data">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" id="submit" value="Submit">
</form>
<?php
if (isset($_POST["submit"])) {
    $path = 'upload/';
    $maxFileSize = 1 * (1024 * 1024 * 20); // 20Mb
    $allowedExts = array("mp3", "wma", "aif");
    $allowedMimes = array("audio/mp3", "audio/mpeg", "audio/x-ms-wma", "audio/x-aiff");
    // $extension = end(explode(".", $_FILES["file"]["name"])); this generates warning pathinfo doesn't
    $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    echo $_FILES["file"]["size"]." test1<br>";
    echo $_FILES["file"]["type"]." test2<br>";
    echo $extension." test3<br>";
    // if (($_FILES["file"]["size"] < $maxFileSize) && in_array($_FILES["file"]["type"], $allowedMimes) && in_array($extension, $allowedExts)) {
    if($_FILES["file"]["size"] < $maxFileSize) {
        if ($_FILES["file"]["error"] > 0) {
            echo "Size: " . $_FILES["file"]["type"] . "<br>";
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        }
    }
    if (in_array($_FILES["file"]["type"], $allowedMimes)) {
        if ($_FILES["file"]["error"] > 0) {
            echo "Type: " . $_FILES["file"]["type"] . "<br>";
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        }
    }
    if(in_array($extension, $allowedExts)) {
        if ($_FILES["file"]["error"] > 0) {
            echo $extension . "<br>";
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        }
    }
    if($_FILES["file"]["error"] == 0) {
        echo "Upload: " . $_FILES["file"]["name"] . "<br>";
        echo "Type: " . $_FILES["file"]["type"] . "<br>";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br>";
        if (file_exists($path . $_FILES["file"]["name"])) {
            echo $_FILES["file"]["name"] . " already exists. ";
        } else {
            move_uploaded_file($_FILES["file"]["tmp_name"], $path . $_FILES["file"]["name"]);
            echo "Stored in: $path" . $_FILES["file"]["name"];
        }
    } else {
        echo "Type: " . $_FILES["file"]["type"] . "<br>";
        echo "Invalid file<br/>";
        // print_r() needs its second argument set to true to return the dump as a string
        echo '<pre>' . print_r($_FILES, true) . '</pre>';
    }
}
?>
</body>
</html>
That's the script that I'm using, it doesn't limit the file extensions. Anybody could upload .php extension through it.
I still haven't deleted the unnecessary lines, I'll do it as soon as I get back home.
Re: Upload script request
Posted: Thu May 02, 2013 11:37 am
by Christopher
requinix wrote:Did you uncomment that line? It needs to be uncommented. The code also has other edits to it to assist with debugging upload problems, like
that you wouldn't want to keep once the code is ready to go live.
I actually recommended that he do something like the below. Then the script can identify the exact error to generate a reasonable error message for the user.
Code:
<?php
$no_overwrite = true;
$error = 0;
if (isset($_POST["submit"])) {
    $path = './../upload/';
    $maxFileSize = 1 * (1024 * 1024 * 20); // 20Mb
    $allowedExts = array("mp3", "wma", "aif");
    $allowedMimes = array("audio/mp3", "audio/mpeg", "audio/x-ms-wma", "audio/x-aiff");
    $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    if ($_FILES["file"]["size"] <= $maxFileSize) {
        if (in_array($_FILES["file"]["type"], $allowedMimes)) {
            if (in_array($extension, $allowedExts)) {
                if($_FILES["file"]["error"] == 0) {
                    if ($no_overwrite && file_exists($path . $_FILES["file"]["name"])) {
                        $error = 6; // File already exists
                    } else {
                        move_uploaded_file($_FILES["file"]["tmp_name"], $path . $_FILES["file"]["name"]);
                    }
                } else {
                    $error = 5; // upload error
                }
            } else {
                $error = 4; // extension not allowed
            }
        } else {
            $error = 3; // MIME type not allowed
        }
    } else {
        $error = 2; // File too large
    }
} else {
    $error = 1; // Not submitted
}
Re: Upload script request
Posted: Thu May 02, 2013 11:39 am
by Christopher
CatherinePHP wrote:That's the script that I'm using, it doesn't limit the file extensions. Anybody could upload .php extension through it.
I still haven't deleted the unnecessary lines, I'll do it as soon as I get back home.
The script above should limit by file extension and MIME type, and limit the file size. But that does not deal with #1 and #4 of your requirements I listed above.
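An added example, not code from the thread or from any poster: one way to cover requirements #1 to #4 listed above, assuming PHP 7.1+ with the fileinfo extension. The function name store_upload(), the upload directory, the base URL and the extension-to-MIME map are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. store_upload() and the
// extension => MIME map are assumptions; check what finfo reports on your server.
function store_upload(array $file, string $uploadDir, string $baseUrl): array
{
    $maxFileSize = 20 * 1024 * 1024; // 20 MB, as in the thread's script
    $allowed = [
        'mp3' => ['audio/mpeg'],
        'wma' => ['audio/x-ms-wma', 'video/x-ms-asf'],
        'aif' => ['audio/x-aiff', 'audio/aiff'],
    ];
    // Error codes reuse the numbering from the thread's last script.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return [5, null]; // upload error
    }
    if (filesize($file['tmp_name']) > $maxFileSize) {
        return [2, null]; // file too large
    }
    // pathinfo() yields the last extension: "song.mp3.php" gives "php".
    $extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$extension])) {
        return [4, null]; // extension not allowed
    }
    // Detect the type from the file's bytes. $file['type'] is supplied by
    // the client and can be altered in transit, so it is never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$extension], true)) {
        return [3, null]; // MIME type not allowed
    }
    // Stored name = SHA-256 of the content plus the allowlisted extension;
    // nothing else from the client-supplied name reaches the filesystem.
    $storedName = hash_file('sha256', $file['tmp_name']) . '.' . $extension;
    $target = rtrim($uploadDir, '/') . '/' . $storedName;
    if (file_exists($target)) {
        return [6, null]; // file already exists
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [5, null];
    }
    return [0, rtrim($baseUrl, '/') . '/' . $storedName]; // link to the file
}

if (isset($_POST['submit'], $_FILES['file'])) {
    [$error, $link] = store_upload($_FILES['file'], __DIR__ . '/upload', '/upload');
    echo $error === 0
        ? 'Stored at: ' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8')
        : 'Upload rejected, error code ' . $error;
}
```

The upload directory should also be configured so that the web server serves its files as static content and never runs them as scripts.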