Page 1 of 2
file-type of upload
Posted: Sat Oct 08, 2005 11:50 am
by scriptmaster
OK, I tried the following:
Code:
echo escapeshellcmd($_FILES[$myfile]['name']);
it came back empty
so does this:
this:
come out:
Code:
Fatal error: Call to undefined function: mime_content_type()
Now what? How can I check that the uploaded file was really an image?
Of course I check the file name, but that is a very low-security type of check.
feyd | this post was split from an existing thread: viewtopic.php?t=22923
Posted: Sat Oct 08, 2005 11:55 am
by feyd
Posted: Sat Oct 08, 2005 11:57 am
by scriptmaster
Thanks, but I tried that and exif_imagetype().
And I forgot to tell you: I wish to check the file BEFORE uploading it. Isn't there a way?
Posted: Sat Oct 08, 2005 11:58 am
by feyd
PHP cannot check the file type before uploading.
Posted: Sat Oct 08, 2005 12:08 pm
by scriptmaster
feyd wrote: PHP cannot check the file type before uploading.
hmmm.....I see
So my only option is to check all these after upload and delete the file if there is a danger? Is that the safest way?
seems too risky IMO

Posted: Sat Oct 08, 2005 12:11 pm
by feyd
Yep. It's rarely risky per se, but considering no browser gives a site direct access to the file system (without jumping through a LOT of hoops), that's the only safe way to check an upload.
Posted: Sat Oct 08, 2005 3:49 pm
by scriptmaster
The problem I'm now having is that sometimes $_FILES['imagefile']['tmp_name'] is empty, so I can't upload the file.
With some files $_FILES['imagefile']['tmp_name'] is empty and with some it is not.
wtf?
Posted: Sat Oct 08, 2005 4:08 pm
by Charles256
Actually, I did something like this. It doesn't really do it before upload and it can be spoofed, but it does give you some control. And if I misunderstood your question, excuse me for wasting space...
Code:
<?php
// Below is the directory we're going to store our avatars in. We'll need this later on.
$avatar = "../images/avatars/";
// Here we try to validate the avatar upload.
// Let's see if the file is too big!
if ($_FILES['file']['size'] > $oSettings->MaxFileSize)
{
    $_SESSION['maxfile'] = "Your file exceeds " . $oSettings->MaxFileSize . " bytes. Please try again.";
    $_SESSION['isError'] = "true";
}
// Now let's see if we're allowed to upload this type of file. Also need to make our file extensions into an array.
$explode = explode(",", $oSettings->Extension);
// strrchr() returns the extension including its leading dot (e.g. ".jpg"),
// so the comma-separated list in $oSettings->Extension must contain the dots too.
// Note: in_array() compares case-sensitively, so ".JPG" and ".jpg" are different entries.
$check = strrchr($_FILES['file']['name'], '.');
// There we perform the check to see what the file extension is. Below let's see if we don't have a match.
if (!in_array($check, $explode))
{
    $_SESSION['extension'] = "Your file is not one of the allowed formats. It must be " . $oSettings->Extension . ".";
    $_SESSION['isError'] = "true";
}
// We're going to give the file the same file name as on the client side. Let's assign it to a variable.
$name = $_FILES['file']['name'];
Now please note: before that script is run, the file is technically already loaded into the tmp folder, which is no big deal. If isError is equal to true, just delete the file immediately; else move it to the proper directory. Hope that helps.
Posted: Sat Oct 08, 2005 4:12 pm
by scriptmaster
Charles256 wrote: Actually, I did something like this. It doesn't really do it before upload and it can be spoofed, but it does give you some control. And if I misunderstood your question, excuse me for wasting space...
What question are you answering here, mate?

It's not mine about the $_FILES['imagefile']['tmp_name'] being empty, eh?
Posted: Sat Oct 08, 2005 4:19 pm
by Charles256
I thought your question was how to check the file type, and that's a general way.

Though on further reflection, the rest of your question (the specifics)... not too sure what you're talking about. Clarify?
Posted: Sat Oct 08, 2005 4:26 pm
by scriptmaster
Charles256 wrote: I thought your question was how to check the file type, and that's a general way.

Though on further reflection, the rest of your question (the specifics)... not too sure what you're talking about. Clarify?
Hehe.
Sure, I'll clarify.

The general question WAS how to check the type of the file, but the problem was I was trying to check the type of the file before the upload, which I understand is not possible.
After uploading I have a few methods of checking, so that's solved.
Now I'm failing at one stage before that.
Uploading fails for some reason, so I checked the $_FILES['imagefile']['tmp_name'], and it seems to be empty.
With some files I try to upload, $_FILES['imagefile']['tmp_name'] is NOT empty and it works, and with some files $_FILES['imagefile']['tmp_name'] is EMPTY and the upload fails.
Now why is $_FILES['imagefile']['tmp_name'] empty sometimes? I can't upload if it's empty. How can this happen?
Posted: Sat Oct 08, 2005 4:31 pm
by feyd
The tmp_name element will be empty if and when there either wasn't a file, the file uploaded was too large (killed by PHP itself) or there was an unrecoverable error. You should check the 'error' element.
Posted: Sat Oct 08, 2005 5:22 pm
by scriptmaster
feyd wrote: The tmp_name element will be empty if and when there either wasn't a file, the file uploaded was too large (killed by PHP itself) or there was an unrecoverable error. You should check the 'error' element.
OK guys, thank you a lot for your help, all of you. It was this in my form:
Code:
<input type="hidden" name="MAX_FILE_SIZE" value="4000">
The error element was "2", which means the file was bigger than what I had defined (4k).
Now I am uploading the files and checking:
file type by:
a) ext. (".JPG" or ".jpg" or ".jpeg") (which is not secure enough)
b) $_FILES['imagefile']['type'] (which is a joke, security speaking)
c) getimagesize()
file size by:
a) <input type="hidden" name="MAX_FILE_SIZE" value="4000"> in the form
b) $_FILES['imagefile']['size']
and dimensions by:
Code:
list($width, $height, $type, $w) = getimagesize($_FILES['imagefile']['tmp_name']);
this doesn't seem like enough for me and I live in continual fear that someone will upload a nasty file and kill my biz forever
but I guess i'll get over it
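The checks listed in this post (the 'error' element that explains an empty tmp_name, the server-side size cap, the extension allow-list and getimagesize() on the temp file) combined into one server-side validation routine, as an added example written for modern PHP that is not code from this thread; the function name, the $maxBytes and $destDir parameters and the "uploads" directory are this example's own assumptions.

```php
<?php
// Added example (not from the thread): validate an image upload from a form
// field named "imagefile" after PHP has received it, since the browser gives
// the server no way to inspect the file beforehand.
function validate_image_upload(array $file, int $maxBytes, string $destDir): array
{
    // 1. The 'error' element explains an empty tmp_name, e.g. UPLOAD_ERR_FORM_SIZE (2)
    //    when the file exceeded the form's hidden MAX_FILE_SIZE field.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error code ' . ($file['error'] ?? 'unknown')];
    }
    // 2. Only trust a file that PHP itself placed in the temp directory.
    if (empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'no uploaded temp file'];
    }
    // 3. Server-side size check; MAX_FILE_SIZE in the form is only a client-side hint.
    if ($file['size'] > $maxBytes || filesize($file['tmp_name']) > $maxBytes) {
        return [false, 'file too large'];
    }
    // 4. Extension allow-list, compared case-insensitively so ".JPG" and ".jpg" match.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return [false, 'extension not allowed'];
    }
    // 5. Parse the actual bytes; the client-supplied 'type' element is ignored entirely.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return [false, 'not a parseable image'];
    }
    [$width, $height, $type] = $info;
    $allowedTypes = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowedTypes[$type]) || $width > 2000 || $height > 2000) {
        return [false, 'image type or dimensions rejected'];
    }
    // 6. Store under a server-chosen random name whose extension comes from the
    //    detected image type, never from the client-supplied filename.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowedTypes[$type];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, 'could not move file'];
    }
    return [true, $target];
}

// Usage with the thread's field name and 4000-byte limit ("uploads" directory assumed).
[$ok, $msg] = validate_image_upload($_FILES['imagefile'] ?? [], 4000, __DIR__ . '/uploads');
```

Any rejected upload is left in PHP's temp directory and is cleaned up automatically when the request ends, so nothing needs to be deleted by hand.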
Posted: Sat Oct 08, 2005 5:26 pm
by Charles256
You could try exploding for characteristic code tell-tales (i.e. <?php) and, if you find that in the file, delete it :-D
Posted: Sat Oct 08, 2005 5:31 pm
by scriptmaster
Charles256 wrote: You could try exploding for characteristic code tell-tales (i.e. <?php) and, if you find that in the file, delete it :-D
Something about PHP files: if the uploaded file in fact has PHP code in it but it is called "myphpfile.jpg", could it still be run via the browser as a .php file? Doesn't the browser try to open it as a ".jpg" file? Or am I way off about these things?
By the way, my greatest fear is a .exe file.