Page 1 of 2

Upload Script - File Type Filter - HELP!!!!!!(2 pages)

Posted: Sun Sep 03, 2006 4:19 pm
by JustinMs66
I have a PHP upload script that very much works, but it doesn't filter any file types out. I want to be able to block certain file types, or if that's not possible, then just specify which file types. But it'd be much better if I could block. Anyway, here is my code:

Code:

<?php

// Where the file is going to be placed
$target_path = "uploads/";

/* Add the original filename to our target path.
   Result is "uploads/filename.extension" */
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);

//$web_two = "<a href=http://www.csscobalt.com/uploads/"

// Move the file from PHP's temporary upload location to the target path.
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    // The uploaded name is user-supplied, so escape it before echoing it
    // into the page, and quote the href so the browser parses it correctly.
    $name = htmlspecialchars(basename($_FILES['uploadedfile']['name']), ENT_QUOTES, 'UTF-8');
    echo "The file " . $name .
        " has been uploaded. here is the link to your file: <a href=\"uploads/" . $name . "\">" . $name . "</a>";
} else {
    echo "There was an error uploading the file, please try again!";
}

?>

Posted: Sun Sep 03, 2006 5:07 pm
by Ollie Saunders
If you print_r($_FILES) you might find something of interest.
If you want to match image types then use exif_imagetype().

Posted: Sun Sep 03, 2006 5:09 pm
by jayshields
ole wrote: If you want to match image types then use exif_imagetype().
Sorry to hijack the thread, but why not use getimagesize() for the image type?

Posted: Sun Sep 03, 2006 5:17 pm
by Ollie Saunders
getimagesize is probably better. getimagesize is actually a very bad name for the function.
I like exif_imagetype() for readability and the fact you don't have to fumble for the type in an array.

Posted: Sun Sep 03, 2006 5:21 pm
by jayshields
The return value is the same value that getimagesize() returns in index 2 but exif_imagetype() is much faster.
From the exif_imagetype() page :) I should read up more before posting.
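The two functions being compared above can be put side by side in a small content check. This is an added example, not code from the thread: it assumes the form field is named "uploadedfile" as in the original script and that the exif extension is loaded, and it treats the browser-supplied $_FILES['uploadedfile']['type'] as untrusted information to compare against rather than as a basis for the decision.

```php
<?php
// Added example (not from the thread): decide what an uploaded file really is
// from its bytes, using exif_imagetype() and getimagesize(), instead of the
// client-supplied MIME type or the filename extension.
// Assumes the form field is named "uploadedfile" and that ext/exif is loaded.

/**
 * Return the IMAGETYPE_* constant for the file, or false if PHP does not
 * recognise it as an image from its header bytes.
 */
function detectImageType(string $path)
{
    // exif_imagetype() reads only the leading magic bytes and returns the
    // same constant that getimagesize() places in index 2.
    $type = @exif_imagetype($path);
    if ($type === false) {
        return false;
    }
    // getimagesize() parses the header further; if it fails or disagrees
    // with exif_imagetype(), refuse to call the file an image.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== $type) {
        return false;
    }
    return $type;
}

// Constructed allow-list of image types this script accepts.
$allowedTypes = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

if (!isset($_FILES['uploadedfile']) || $_FILES['uploadedfile']['error'] !== UPLOAD_ERR_OK) {
    exit("No file uploaded.");
}

$tmp = $_FILES['uploadedfile']['tmp_name'];

// ['type'] is sent by the browser and can be set to anything, so it is only
// reported back for comparison, never used to accept the file.
$claimed = $_FILES['uploadedfile']['type'];
$actual  = detectImageType($tmp);

if ($actual === false || !in_array($actual, $allowedTypes, true)) {
    exit("Rejected: not a JPEG/PNG/GIF (browser claimed '"
        . htmlspecialchars($claimed, ENT_QUOTES, 'UTF-8') . "').");
}

// Derive the extension from the detected type rather than from the uploaded name.
$ext = image_type_to_extension($actual, false); // "jpeg", "png" or "gif"
echo "Accepted as image type " . htmlspecialchars($ext, ENT_QUOTES, 'UTF-8') . "\n";
```

Running both functions and requiring them to agree costs one extra header parse per upload; the point of the comparison is that a mismatch between the two, or between either and the claimed type, is a reason to reject rather than to guess.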

Posted: Sun Sep 03, 2006 5:31 pm
by JustinMs66
No, I just wanna ban certain file types from being uploaded....

Posted: Sun Sep 03, 2006 5:33 pm
by jayshields
ole wrote: If you print_r($_FILES) you might find something of interest.

Posted: Sun Sep 03, 2006 5:33 pm
by Ollie Saunders
The return value is the same value that getimagesize() returns in index 2 but exif_imagetype() is much faster.
I didn't see that either actually. Well there's another reason then :)

what types do you want to filter?

Posted: Sun Sep 03, 2006 5:38 pm
by JustinMs66
I wanna filter:
.php .exe .js .html .xml

And I'm not the best at PHP code, so just keep that in mind.

Posted: Sun Sep 03, 2006 5:44 pm
by Ollie Saunders
Why do you want to filter those?

Posted: Sun Sep 03, 2006 5:45 pm
by JustinMs66
Dude, because people can make f**king hacking scripts, upload them, and f**k you over. So can you please tell me how?
.php .exe .js .html .xml ok?

Posted: Sun Sep 03, 2006 5:53 pm
by feyd
Read through Useful Posts. There's a thread linked from it about determining various types of files. And keep the swearing to a minimum, there's rarely ever a need for it here.

Posted: Sun Sep 03, 2006 6:00 pm
by Ollie Saunders
OK here's some facts that I'm pretty sure about:
  • If you have any kind of file upload service in place a hacker will be able to use it to put potentially dangerous data on your server
  • You cannot easily discern between nice plain text and js/php/xml
  • You definitely can't hack with an xml file, it's just a data structure, there is no behaviour
  • You are going to need a much longer list than that anyway. What about .vbs .cmd .sh .htaccess + the extension of every interpreted language + the name of every directory-aware configuration file for every piece of software on the OS your server is running?
  • The danger of these files only occurs when you execute them. If you are for some bizarre reason echoing them straight to the browser you can use htmlspecialchars() to thwart that.
  • Being rude doesn't get you stuff
So you need to ask yourself: why have I got a file upload service, can I provide the same functionality with a more secure alternative? If you do need file uploads, ask when do these uploaded files see the light of day and how? Is there an escaping technique for that type of output to prevent them being executed?
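The last two questions in that post (when do uploaded files see the light of day, and how is that output escaped) can be answered in code. This is an added example, not from the thread: it assumes uploads were already stored under a directory outside the document root with server-generated names, and that the original filename and a detected MIME type were recorded in a lookup table; the directory path and the table entries are constructed.

```php
<?php
// Added example (not from the thread): serving stored uploads from a directory
// the web server neither executes nor exposes directly, and escaping the
// user-supplied filename wherever it is echoed into HTML.
// $storeDir and the $index entries are constructed values.

$storeDir = '/var/app/uploads_private';   // outside the document root

// Constructed index: opaque id => [stored name, original name, detected mime].
// A real application would keep this in a database.
$index = [
    'a1b2c3' => ['stored' => 'a1b2c3.bin', 'original' => 'report <script>.txt', 'mime' => 'text/plain'],
    'd4e5f6' => ['stored' => 'd4e5f6.bin', 'original' => 'photo.png',           'mime' => 'image/png'],
];

/** Stream one stored file to the client as a download, or send 404. */
function sendStoredFile(string $storeDir, array $index, string $id): void
{
    // The id is the only client-controlled input; a fixed alphabet means it
    // can never carry "../" or a path separator into the filesystem lookup.
    if (!preg_match('/^[a-f0-9]{6}$/', $id) || !isset($index[$id])) {
        http_response_code(404);
        exit('Not found');
    }
    $entry = $index[$id];
    $path  = $storeDir . '/' . $entry['stored'];
    if (!is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }

    // Fixed type plus nosniff plus attachment: the browser neither executes
    // nor renders the bytes as HTML/JS, so a stored .html or .js file is inert.
    $downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $entry['original']);
    header('Content-Type: ' . $entry['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $downloadName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

/** Build the listing page; the original filename is escaped, as the post suggests. */
function renderListing(array $index): string
{
    $html = "<ul>\n";
    foreach ($index as $id => $entry) {
        $name = htmlspecialchars($entry['original'], ENT_QUOTES, 'UTF-8');
        $html .= '  <li><a href="download.php?id=' . rawurlencode($id) . '">' . $name . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

if (isset($_GET['id'])) {
    sendStoredFile($storeDir, $index, (string) $_GET['id']);
}
echo renderListing($index);
```

Because the stored files never sit under the document root, a request for them cannot reach the PHP interpreter at all; the download script is the only path to the bytes, and it decides the content type itself rather than letting the browser infer one.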

Posted: Sun Sep 03, 2006 6:04 pm
by jayshields
Instead of filtering file types that you don't want to allow, it would be a lot easier for you to allow only specific file types.
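An upload handler built on that allow-list approach, as an added example that is not code from the thread: the form field name "uploadedfile" is taken from the original script, while the list of accepted extensions, the size cap and the upload directory are constructed values. It assumes PHP 7 or later for random_bytes() and that ext/exif is loaded for the image content check.

```php
<?php
// Added example (not from the thread): accept only an explicit list of
// extensions instead of enumerating every dangerous one. The allow-list,
// $maxBytes and $uploadDir are constructed; "uploadedfile" is the form field
// from the original script. Requires PHP 7+ (random_bytes) and ext/exif.

// Anything not listed here is refused, so a new executable type
// (.phtml, .phar, .cgi, ...) is blocked without a code change.
$allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'txt'];
$maxBytes  = 5 * 1024 * 1024;
$uploadDir = __DIR__ . '/uploads';   // must be served without script execution

/**
 * Validate the upload and return the stored filename, or a string starting
 * with "error:" explaining why it was refused.
 */
function handleUpload(array $file, array $allowedExtensions, int $maxBytes, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed with code ' . $file['error'];
    }
    if ($file['size'] > $maxBytes) {
        return 'error: file too large';
    }

    // Only the final extension is consulted, and the file is stored under a
    // generated name, so a name like "shell.php.jpg" is judged as "jpg" and
    // the "php" part never reaches disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExtensions, true)) {
        return 'error: file type .' . $ext . ' is not allowed';
    }

    // For image extensions the leading bytes must match the claimed type.
    $imageExts = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                  'png' => IMAGETYPE_PNG, 'gif'  => IMAGETYPE_GIF];
    if (isset($imageExts[$ext]) && @exif_imagetype($file['tmp_name']) !== $imageExts[$ext]) {
        return 'error: content does not match .' . $ext;
    }

    // Server-chosen random name: no user-controlled path component, no
    // overwriting another user's file, no ".htaccess" or "../" via the name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = $uploadDir . '/' . $stored;

    // move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return 'error: could not store file';
    }
    chmod($target, 0644);   // readable, never executable
    return $stored;
}

if (!isset($_FILES['uploadedfile'])) {
    exit('No file received.');
}

$result = handleUpload($_FILES['uploadedfile'], $allowedExtensions, $maxBytes, $uploadDir);
if (strpos($result, 'error:') === 0) {
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
} else {
    // The original name is attacker-controlled text: escape it for HTML and
    // build the link from the server-generated name, URL-encoded.
    $shown = htmlspecialchars($_FILES['uploadedfile']['name'], ENT_QUOTES, 'UTF-8');
    $href  = 'uploads/' . rawurlencode($result);
    echo "The file $shown has been uploaded. Here is the link: <a href=\"$href\">$shown</a>";
}
```

Adding a new permitted type is one entry in $allowedExtensions; the deny-list the original poster asked for would instead have to grow every time the server gained a new interpreter or configuration file name.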

Posted: Sun Sep 03, 2006 6:09 pm
by JustinMs66
No, I think I'd rather just disable the file types, not enable others, cuz it would take a LOT longer; I upload a LOT of different stuff to this.

And yes, I'm sorry for being rude, but my website was hacked a couple days ago...everything deleted. So if you could PLEASE PLEASE just TELL ME how to disable file types.