Page 2 of 3

Posted: Thu Jul 08, 2004 2:48 pm
by jonas
I tried your exact code and it still uploads .php files :S

Posted: Thu Jul 08, 2004 2:49 pm
by Joe
OK well im not too sure on the results of this but try:

Code: Select all

$file = $_POST['file'];

if(strstr($file,"php"))
{
echo "This file type is not allowed."; //Do not use a variable to hold the error
exit;
}

if ($HTTP_POST_VARS['submit']) {
  print_r($HTTP_POST_FILES);
  if (!is_uploaded_file($HTTP_POST_FILES['file']['tmp_name'])) {
    $error = "You did not upload a file!";
    unlink($HTTP_POST_FILES['file']['tmp_name']);
    // assign error message, remove uploaded file, redisplay form.
  } else {
    //a file was uploaded
    $maxfilesize=3000000;

    if ($HTTP_POST_FILES['file']['size'] > $maxfilesize) {
      $error = "This file is too large";
      unlink($HTTP_POST_FILES['file']['tmp_name']);
      // assign error message, remove uploaded file, redisplay form.
    } elseif ($HTTP_POST_FILES['file']['type'] != "text/plain") {
        $error = "This file type is not allowed";
        unlink($HTTP_POST_FILES['file']['tmp_name']);
        // assign error message, remove uploaded file, redisplay form.
      } else {
       //File has passed all validation, copy it to the final destination and remove the temporary file:
       copy($HTTP_POST_FILES['file']['tmp_name'],"faqs/".$HTTP_POST_FILES['file']['name']);
       unlink($HTTP_POST_FILES['file']['tmp_name']);
       print "File has been successfully uploaded!";
       exit;
     }
   }
}

Posted: Thu Jul 08, 2004 2:49 pm
by jonas

Code: Select all

<?php
include("dbcon/connect_db.inc.php");
$file = $_POST['file']; 

if (eregi(".php", $file)) 
{ 
echo "This file type is not allowed."; //Do not use a variable to hold the error 
exit; 
} 

if ($HTTP_POST_VARS['submit']) { 
  print_r($HTTP_POST_FILES); 
  if (!is_uploaded_file($HTTP_POST_FILES['file']['tmp_name'])) { 
    $error = "You did not upload a file!"; 
    unlink($HTTP_POST_FILES['file']['tmp_name']); 
    // assign error message, remove uploaded file, redisplay form. 
  } else { 
    //a file was uploaded 
    $maxfilesize=3000000; 

    if ($HTTP_POST_FILES['file']['size'] > $maxfilesize) { 
      $error = "This file is too large"; 
      unlink($HTTP_POST_FILES['file']['tmp_name']); 
      // assign error message, remove uploaded file, redisplay form. 
    } elseif ($HTTP_POST_FILES['file']['type'] != "text/plain") { 
        $error = "This file type is not allowed"; 
        unlink($HTTP_POST_FILES['file']['tmp_name']); 
        // assign error message, remove uploaded file, redisplay form. 
      } else { 
       //File has passed all validation, copy it to the final destination and remove the temporary file: 
       copy($HTTP_POST_FILES['file']['tmp_name'],"faqs/".$HTTP_POST_FILES['file']['name']); 
       unlink($HTTP_POST_FILES['file']['tmp_name']); 
       print "File has been successfully uploaded!"; 
       exit; 
     } 
   } 
} 
?>

<html>
<head></head>
<body>
<form action="<?=$PHP_SELF?>" method="post" enctype="multipart/form-data">
<?=$error?>
<br><br>
Choose a file to upload:<br>
<input type="file" name="file"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
This is my exact code as of now.

Posted: Thu Jul 08, 2004 2:51 pm
by jonas
Still allows .php with your latest version.

Hehe, maybe we found a bug or something....

Posted: Thu Jul 08, 2004 2:54 pm
by Joe
Actually perhaps it may be your script im not sure. I answered a question like this a while back:

viewtopic.php?t=19216&highlight=upload

Have a look!

Posted: Thu Jul 08, 2004 2:56 pm
by jonas
It could be my script, but I dunno. The file is uploaded into my specified folder, the only thing is that .php is considered a text/plain file.

Everything else works perfect.

Also, everything in that link you answered before is completed in my script.
The folder is chmoded, the upload works... the only thing is that it allows .php uploads which is bad for teh h@ckz0rz

Posted: Thu Jul 08, 2004 3:00 pm
by Joe
Well the eregi and strstr methods should have worked perfect. I think it's just down to finding a clever way to identify the filename.

Posted: Thu Jul 08, 2004 3:02 pm
by jonas
How about what is done for a mail server check?

Take the filename break it apart at the . into 2 variables (before . and after . )
Then check the later to see if it is php?

Would that work? Any help on this?

Posted: Thu Jul 08, 2004 3:10 pm
by Joe
Try this aswell:


if (!preg_match('!\.(txt|doc)$!', $file))
{
echo "Error";
exit;
}

Posted: Thu Jul 08, 2004 3:11 pm
by jonas
you mean $file right? just making sure so i dont mess something up

Posted: Thu Jul 08, 2004 3:12 pm
by Joe
Yes sorry I changed it I was confused for a moment :P

Posted: Thu Jul 08, 2004 3:16 pm
by jonas
It's not working. It's not allowing anything to go through now.

This is really odd.

How do we do that seperate at the . thing, that could work but I'm not sure how to do that.

Posted: Thu Jul 08, 2004 3:21 pm
by jonas
list($filename, $fileext) = split(".", $file);

Would that work?

Then go:

if ($fileext == "php")
{
echo "This file type is not allowed."; //Do not use a variable to hold the error
exit;
}

Posted: Thu Jul 08, 2004 3:28 pm
by jonas
Bah, it's not working either. It's like it's ignoring what I am telling it to do and just submitting a php file anyways.


Here is my script as of now:

Code: Select all

<?php
include("dbconnection/connect_db.inc.php");
if ($HTTP_POST_VARS['submit']) {
  list($filename, $fileext) = split(".", $HTTP_POST_FILES['file']);
  print_r($HTTP_POST_FILES);
  print_r($fileext);
  if (!is_uploaded_file($HTTP_POST_FILES['file']['tmp_name'])) { 
    $error = "You did not upload a file!"; 
    unlink($HTTP_POST_FILES['file']['tmp_name']); 
    // assign error message, remove uploaded file, redisplay form. 
  } else { 
    //a file was uploaded 
    $maxfilesize=3000000; 

    if ($fileext == "php") 
    { 
      $error = "This file type is not allowed.";
      unlink($HTTP_POST_FILES['file']['tmp_name']); 
      // assign error message, remove uploaded file, redisplay form. 
    } elseif ($HTTP_POST_FILES['file']['size'] > $maxfilesize) { 
      $error = "This file is too large"; 
      unlink($HTTP_POST_FILES['file']['tmp_name']); 
      // assign error message, remove uploaded file, redisplay form. 
    } elseif ($HTTP_POST_FILES['file']['type'] != "text/plain") { 
        $error = "This file type is not allowed"; 
        unlink($HTTP_POST_FILES['file']['tmp_name']); 
        // assign error message, remove uploaded file, redisplay form. 
      } else { 
       //File has passed all validation, copy it to the final destination and remove the temporary file: 
       copy($HTTP_POST_FILES['file']['tmp_name'],"faqs/".$HTTP_POST_FILES['file']['name']); 
       unlink($HTTP_POST_FILES['file']['tmp_name']); 
       print "File has been successfully uploaded!";
       print "$filename";
       print "$fileext";	
       exit; 
     } 
   } 
} 

?>
<html>
<head></head>
<body>
<form action="<?=$PHP_SELF?>" method="post" enctype="multipart/form-data">
<?=$error?>
<br><br>
Choose a file to upload:<br>
<input type="file" name="file"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
It's just ignoring this or something. It WONT print out the variables of filename and fileext in any case and it just submits it.

I have no idea why this is happening. I just want a script that only uploads a .txt file where I can control the size of what is uploaded.

Maybe an alternative?

Posted: Thu Jul 08, 2004 5:07 pm
by jonas
Anybody have anything, even an alternative!?