Uploading a txt file problem (example script)...


jonas
Forum Commoner
Posts: 96
Joined: Sun May 23, 2004 9:25 pm

Post by jonas »

I tried your exact code and it still uploads .php files :S
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

OK, well, I'm not too sure on the results of this, but try:


$file = $_POST['file'];

if(strstr($file,"php"))
{
echo "This file type is not allowed."; //Do not use a variable to hold the error
exit;
}

if ($HTTP_POST_VARS['submit']) {
  print_r($HTTP_POST_FILES);
  if (!is_uploaded_file($HTTP_POST_FILES['file']['tmp_name'])) {
    $error = "You did not upload a file!";
    unlink($HTTP_POST_FILES['file']['tmp_name']);
    // assign error message, remove uploaded file, redisplay form.
  } else {
    //a file was uploaded
    $maxfilesize=3000000;

    if ($HTTP_POST_FILES['file']['size'] > $maxfilesize) {
      $error = "This file is too large";
      unlink($HTTP_POST_FILES['file']['tmp_name']);
      // assign error message, remove uploaded file, redisplay form.
    } elseif ($HTTP_POST_FILES['file']['type'] != "text/plain") {
        $error = "This file type is not allowed";
        unlink($HTTP_POST_FILES['file']['tmp_name']);
        // assign error message, remove uploaded file, redisplay form.
      } else {
       //File has passed all validation, copy it to the final destination and remove the temporary file:
       copy($HTTP_POST_FILES['file']['tmp_name'],"faqs/".$HTTP_POST_FILES['file']['name']);
       unlink($HTTP_POST_FILES['file']['tmp_name']);
       print "File has been successfully uploaded!";
       exit;
     }
   }
}

Post by jonas »


<?php
include("dbcon/connect_db.inc.php");
$file = $_POST['file']; 

if (eregi(".php", $file)) 
{ 
echo "This file type is not allowed."; //Do not use a variable to hold the error 
exit; 
} 

if ($HTTP_POST_VARS['submit']) { 
  print_r($HTTP_POST_FILES); 
  if (!is_uploaded_file($HTTP_POST_FILES['file']['tmp_name'])) { 
    $error = "You did not upload a file!"; 
    unlink($HTTP_POST_FILES['file']['tmp_name']); 
    // assign error message, remove uploaded file, redisplay form. 
  } else { 
    //a file was uploaded 
    $maxfilesize=3000000; 

    if ($HTTP_POST_FILES['file']['size'] > $maxfilesize) { 
      $error = "This file is too large"; 
      unlink($HTTP_POST_FILES['file']['tmp_name']); 
      // assign error message, remove uploaded file, redisplay form. 
    } elseif ($HTTP_POST_FILES['file']['type'] != "text/plain") { 
        $error = "This file type is not allowed"; 
        unlink($HTTP_POST_FILES['file']['tmp_name']); 
        // assign error message, remove uploaded file, redisplay form. 
      } else { 
       //File has passed all validation, copy it to the final destination and remove the temporary file: 
       copy($HTTP_POST_FILES['file']['tmp_name'],"faqs/".$HTTP_POST_FILES['file']['name']); 
       unlink($HTTP_POST_FILES['file']['tmp_name']); 
       print "File has been successfully uploaded!"; 
       exit; 
     } 
   } 
} 
?>

<html>
<head></head>
<body>
<form action="<?=$PHP_SELF?>" method="post" enctype="multipart/form-data">
<?=$error?>
<br><br>
Choose a file to upload:<br>
<input type="file" name="file"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
This is my exact code as of now.

Post by jonas »

Still allows .php with your latest version.

Hehe, maybe we found a bug or something....

Post by Joe »

Actually, perhaps it may be your script, I'm not sure. I answered a question like this a while back:

viewtopic.php?t=19216&highlight=upload

Have a look!

Post by jonas »

It could be my script, but I dunno. The file is uploaded into my specified folder, the only thing is that .php is considered a text/plain file.

Everything else works perfect.

Also, everything in that link you answered before is completed in my script.
The folder is chmoded, the upload works... the only thing is that it allows .php uploads which is bad for teh h@ckz0rz

Post by Joe »

Well the eregi and strstr methods should have worked perfect. I think it's just down to finding a clever way to identify the filename.

Post by jonas »

How about what is done for a mail server check?

Take the filename, break it apart at the . into 2 variables (before . and after . )
Then check the latter to see if it is php?

Would that work? Any help on this?

Post by Joe »

Try this as well:


if (!preg_match('!\.(txt|doc)$!', $file))
{
echo "Error";
exit;
}

Post by jonas »

You mean $file, right? Just making sure so I don't mess something up.

Post by Joe »

Yes, sorry, I changed it. I was confused for a moment :P

Post by jonas »

It's not working. It's not allowing anything to go through now.

This is really odd.

How do we do that separate at the . thing? That could work, but I'm not sure how to do that.

Post by jonas »

list($filename, $fileext) = split(".", $file);

Would that work?

Then go:

if ($fileext == "php")
{
echo "This file type is not allowed."; //Do not use a variable to hold the error
exit;
}

Post by jonas »

Bah, it's not working either. It's like it's ignoring what I am telling it to do and just submitting a php file anyways.


Here is my script as of now:


<?php
include("dbconnection/connect_db.inc.php");
if ($HTTP_POST_VARS['submit']) {
  list($filename, $fileext) = split(".", $HTTP_POST_FILES['file']);
  print_r($HTTP_POST_FILES);
  print_r($fileext);
  if (!is_uploaded_file($HTTP_POST_FILES['file']['tmp_name'])) { 
    $error = "You did not upload a file!"; 
    unlink($HTTP_POST_FILES['file']['tmp_name']); 
    // assign error message, remove uploaded file, redisplay form. 
  } else { 
    //a file was uploaded 
    $maxfilesize=3000000; 

    if ($fileext == "php") 
    { 
      $error = "This file type is not allowed.";
      unlink($HTTP_POST_FILES['file']['tmp_name']); 
      // assign error message, remove uploaded file, redisplay form. 
    } elseif ($HTTP_POST_FILES['file']['size'] > $maxfilesize) { 
      $error = "This file is too large"; 
      unlink($HTTP_POST_FILES['file']['tmp_name']); 
      // assign error message, remove uploaded file, redisplay form. 
    } elseif ($HTTP_POST_FILES['file']['type'] != "text/plain") { 
        $error = "This file type is not allowed"; 
        unlink($HTTP_POST_FILES['file']['tmp_name']); 
        // assign error message, remove uploaded file, redisplay form. 
      } else { 
       //File has passed all validation, copy it to the final destination and remove the temporary file: 
       copy($HTTP_POST_FILES['file']['tmp_name'],"faqs/".$HTTP_POST_FILES['file']['name']); 
       unlink($HTTP_POST_FILES['file']['tmp_name']); 
       print "File has been successfully uploaded!";
       print "$filename";
       print "$fileext";	
       exit; 
     } 
   } 
} 

?>
<html>
<head></head>
<body>
<form action="<?=$PHP_SELF?>" method="post" enctype="multipart/form-data">
<?=$error?>
<br><br>
Choose a file to upload:<br>
<input type="file" name="file"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
It's just ignoring this or something. It WON'T print out the variables of filename and fileext in any case and it just submits it.

I have no idea why this is happening. I just want a script that only uploads a .txt file where I can control the size of what is uploaded.

Maybe an alternative?

Post by jonas »

Anybody have anything, even an alternative!?
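
An added example, not part of any post above and not the posters' code: a txt-only upload check that reads the client filename from `$_FILES`, compares its extension against an allow-list, ignores the browser-supplied `type`, and stores the file under a server-generated name. The function and constant names are hypothetical, the sample entries are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. check_upload(), stored_name(),
// MAX_BYTES and ALLOWED_EXT are hypothetical names. Requires PHP 7+.

const MAX_BYTES   = 3000000;   // same limit as the thread's $maxfilesize
const ALLOWED_EXT = ['txt'];   // allow-list rather than a "php" block-list

/** Returns null if the $_FILES entry is acceptable, else an error message. */
function check_upload(array $f): ?string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'Upload failed or no file was sent';
    }
    if ($f['size'] > MAX_BYTES) {
        return 'This file is too large';
    }
    // The client's filename lives in $_FILES['file']['name']. A file field
    // does not populate $_POST['file'], so a check on that value sees nothing.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'This file type is not allowed';
    }
    // $f['type'] is whatever the browser sent, so it is not consulted here.
    return null;
}

/** Server-chosen name, so the client's filename never reaches the disk. */
function stored_name(): string
{
    return bin2hex(random_bytes(16)) . '.txt';
}

// Constructed sample entries shaped like $_FILES['file'] (not real uploads).
$samples = [
    ['name' => 'faq.txt',       'type' => 'text/plain', 'size' => 1200,    'error' => UPLOAD_ERR_OK],
    ['name' => 'page.php',      'type' => 'text/plain', 'size' => 300,     'error' => UPLOAD_ERR_OK],
    ['name' => 'NOTES.txt.PHP', 'type' => 'text/plain', 'size' => 300,     'error' => UPLOAD_ERR_OK],
    ['name' => 'big.txt',       'type' => 'text/plain', 'size' => 4000000, 'error' => UPLOAD_ERR_OK],
    ['name' => '',              'type' => '',           'size' => 0,       'error' => UPLOAD_ERR_NO_FILE],
];

foreach ($samples as $s) {
    $result = check_upload($s) ?? 'accepted, stored as ' . stored_name();
    printf("%-14s %s\n", $s['name'] === '' ? '(none)' : $s['name'], $result);
}
```

In a request handler, pass `$_FILES['file']` to `check_upload()` and, when it returns null, call `move_uploaded_file($_FILES['file']['tmp_name'], 'faqs/' . stored_name())`, which also refuses source paths that are not genuine uploads.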