file-type of upload

scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

ok, I tried the following:

Code:

echo escapeshellcmd($_FILES[$myfile]['name']);
it came back empty

so does this:

Code:

echo $_FILES[$myfile]['type'];
this:

Code:

echo mime_content_type($myfile);
comes out:

Code:

Fatal error: Call to undefined function: mime_content_type()
now what? how can I check the file uploaded was really an image?
of course I check the file name but that is very low security type of check


feyd | this post was split from an existing thread: viewtopic.php?t=22923
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

feyd wrote:getimagesize()
thanks but I tried that and exif_imagetype().
and I forgot to tell you I wish to check the file BEFORE uploading it, isn't there a way?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

php cannot check the file type before uploading.
scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

feyd wrote:php cannot check the file type before uploading.
hmmm.....I see
so my only option is check all these after upload and delete the file if there is a danger? is that the safest way?
seems too risky IMO :(
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yep. It's rarely risky per se, but considering no browser gives a site direct access to the file system (without jumping through a LOT of hoops) that's the only safe way to check an upload.
scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

the problem I'm now having is that sometimes $_FILES['imagefile']['tmp_name'] is empty so I can't upload the file.
with some files $_FILES['imagefile']['tmp_name'] is empty and with some it is not.
wtf?
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

actually, i did something like this.. it doesn't really do before upload and it can be spoofed but it does give you some control. and if i misunderstood your question excuse me for wasting space...

Code:

// Below is the directory we're going to store our avatars in. We'll need this later on.
$avatar = "../images/avatars/";

// Here we try to validate the avatar upload.
// Let's see if the file is too big!
if ($_FILES['file']['size'] > $oSettings->MaxFileSize)
{
	$_SESSION['maxfile'] = "Your file exceeds " . $oSettings->MaxFileSize . " bytes. Please try again.";
	$_SESSION['isError'] = "true";
}
// Now let's see if we're allowed to upload this type of file. Also need to make our file extensions into an array.
$explode = explode(",", $oSettings->Extension);
// The 'name' key must be quoted; a bare name is read as an undefined constant.
$check = strrchr($_FILES['file']['name'], '.');
// There we perform the check to see what the file extension is. Below let's see if we don't have a match.
if (!in_array($check, $explode))
{
	$_SESSION['extension'] = "Your file is not one of the allowed formats. It must be " . $oSettings->Extension . ".";
	$_SESSION['isError'] = "true";
}
// We're going to give the file the same file name as the client had. Let's assign it to a variable.
$name = $_FILES['file']['name'];
now please note before that script is run the file is technically already loaded into the tmp folder which is no big deal. if the isError is equal to true just delete the file immediately, else move it to the proper directory.. hope that helps..
scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

Charles256 wrote:actually, i did something like this.. it doesn't really do before upload and it can be spoofed but it does give you some control. and if i misunderstood your question excuse me for wasting space...

what question are you answering here mate? :)
it's not mine about the $_FILES['imagefile']['tmp_name'] being empty , a?
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

i thought your question was how to check the file type..and that's a general way :) though with further reflection the rest of your (the specifics) question..not too sure what you're talking about...clarify?
scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

Charles256 wrote:i thought your question was how to check the file type..and that's a general way :) though with further reflection the rest of your (the specifics) question..not too sure what you're talking about...clarify?
hehe.
sure I'll clarify. :)
the general question WAS how to check the type of the file, but the problem was I was trying to check the type of the file before the upload - that I understand is not possible.
after uploading I have a few methods of checking - so that's solved.

now I'm failing at 1 stage before that.
uploading fails for some reason, so I checked the $_FILES['imagefile']['tmp_name'], and it seems to be empty.
with some files I try to upload the $_FILES['imagefile']['tmp_name'] is NOT empty and it works and with some files the $_FILES['imagefile']['tmp_name'] is EMPTY and the upload fails.

now why is the $_FILES['imagefile']['tmp_name'] empty sometimes? I can't upload if it's empty. how can this happen?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the tmp_name element will be empty if and when there either wasn't a file, the file uploaded was too large (killed by php itself) or there was an unrecoverable error.. you should check the 'error' element.
scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

feyd wrote:the tmp_name element will be empty if and when there either wasn't a file, the file uploaded was too large (killed by php itself) or there was an unrecoverable error.. you should check the 'error' element.
ok guys, I thank you a lot for your help, all of you, it was this in my form:

Code:

<input type="hidden" name="MAX_FILE_SIZE" value="4000">
:)

the error element was "2" which means the file was bigger than what I have defined (4k).
now I am uploading the files and checking:

file type by:
a) ext. (".JPG" or ".jpg" or ".jpeg") (which is not secure enough)
b) $_FILES['imagefile']['type'] (which is a joke security speaking)
c) getimagesize()

file size by:
a)

Code:

<input type="hidden" name="MAX_FILE_SIZE" value="4000">
in the form

b) $_FILES['imagefile']['size']

and dimensions by:

Code:

list($width, $height, $type, $w) = getimagesize($_FILES['imagefile']['tmp_name']);
this doesn't seem like enough for me and I live in continual fear that someone will upload a nasty file and kill my biz forever 8O

but I guess i'll get over it
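
The checks listed in the post above, together with the 'error' element feyd points to, gathered into one server-side routine as an added example (not code from any poster in this thread). The size limit, the allowed image types and the `uploads` directory are assumptions; `imagefile` is the field name used in the posts.

```php
<?php
// Added example, not from the thread. MAX_BYTES, ALLOWED and the uploads
// directory are assumptions chosen for illustration.
const MAX_BYTES = 4000;
const ALLOWED   = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function validate_image_upload(array $file, string $destDir): string
{
    // 1. The 'error' element explains an empty tmp_name.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err === UPLOAD_ERR_INI_SIZE || $err === UPLOAD_ERR_FORM_SIZE) {
        throw new RuntimeException('File exceeds the size limit (error ' . $err . ').');
    }
    if ($err === UPLOAD_ERR_NO_FILE) {
        throw new RuntimeException('No file was sent.');
    }
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error ' . $err . ').');
    }
    // 2. Only accept a temp file that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // 3. Size measured on the server; MAX_FILE_SIZE in the form can be changed by the client.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File is larger than ' . MAX_BYTES . ' bytes.');
    }
    // 4. Type taken from the content, never from ['name'] or ['type'] (both client-supplied).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        throw new RuntimeException('Not an allowed image type.');
    }
    // 5. Server-chosen name and extension: the client's file name is discarded.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $target;
}

if (isset($_FILES['imagefile'])) {
    try {
        $stored = validate_image_upload($_FILES['imagefile'], __DIR__ . '/uploads');
        echo 'Stored as ' . htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Because the stored extension comes from the detected image type, a file is never saved under a name or extension the client chose.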
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

you could try exploding for characteristic code telltales (i.e. <?php) and if you find that in the file delete :-D
scriptmaster
Forum Newbie
Posts: 20
Joined: Wed May 21, 2003 8:26 pm

Post by scriptmaster »

Charles256 wrote:you could try exploding for characteristic code telltales (i.e. <?php) and if you find that in the file delete :-D
something about php files: if the file uploaded in fact has php code in it but it is called "myphpfile.jpg", could it still be run via browser as a .php file? doesn't the browser try to open it as a ".jpg" file? or am I way off about these things.

by the way, my greatest fear is a .exe file
Last edited by scriptmaster on Sat Oct 08, 2005 5:44 pm, edited 1 time in total.