Upload Script - File Type Filter - HELP!!!!!!


Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

You are missing the comma between array values:

Code:

$bad_types = array(
    'application/octet-stream', //<-- inserted a comma
    'application/x-msdos-program'
);
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

OK, I did that and there was no error. It uploaded the file. But THEN I tried uploading a .exe file and that DID WORK. :( So something is still not correct.

Here is all of my code:

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<?php
$bad_types = array(
    'application/octet-stream',   // .exe
    'application/x-msdos-program'
 //   'text/html' // html files
);

if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
    echo "That File type is not supported.";
}
else
{
    // Where the file is going to be placed
    $target_path = "uploads/";

    /* Add the original filename to our target path.
       Result is "uploads/filename.extension" */
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name'] );

    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $_FILES['uploadedfile']['name'] ).
        " has been uploaded. here is the link to your file: <a href=\"uploads/". basename( $_FILES['uploadedfile']['name'] ). "\">". basename( $_FILES['uploadedfile']['name'] )."</a>";
    } else {
        echo "There was an error uploading the file, please try again!";
    }
}
?>
</body>
</html>
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

Your code should have come out looking like this:

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<?php

$bad_types = array('application/octet-stream','application/x-msdos-program');

if( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
    echo "That File type is not supported.";
}
else
{

$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ".  basename( $_FILES['uploadedfile']['name']).
        " has been uploaded. here is the link to your file: <a href=uploads/".  basename( $_FILES['uploadedfile']['name']). ">".  basename( $_FILES['uploadedfile']['name'])."</a>";
    } else{
        echo "There was an error uploading the file, please try again!";
    }
}

?>
</body>
</html>
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

I tried that exact code and it still doesn't work. It still lets it upload .exe files.
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

Are you using Opera? It reports '.exe' as 'application/x-msdownload'.

Hence, you have stumbled upon the problem that I previously mentioned: browsers use their own system for reporting MIME types. This is not a foolproof method for blocking the uploading of certain file types.

Other checks might include checking the file extension of the upload (not foolproof either) and actually scanning the file contents for validity. For example, if you want to check the validity of an image you can use the getimagesize() function, because it returns false if the file is not a valid image.

Hint: If you want to figure out what mime type a certain browser is reporting, just print the value of '$_FILES['uploadedfile']['type']'.
Last edited by Gavin.Monroe on Mon Sep 04, 2006 9:59 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Do not ever rely on the type given by the browser (agent) as being the truth. The only effective way is analyzing the file as I've already said in the previous thread.

If the server is set up correctly, little of this would be a real concern. The only major concern would be if this is being hosted on a shared host and it isn't set up correctly.

The other protections don't involve any PHP, but directory-level settings given to the web server. We've talked about that before and it shouldn't be too difficult to search for (although everyone but me seems to have issues in searching... :roll:)
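Putting Gavin's and feyd's advice together, here is an added example (my own code, not from this thread) of a content-based check: it never consults $_FILES['uploadedfile']['type'], sniffs the real type from the bytes with finfo, confirms with getimagesize() as Gavin suggested, and stores the file under a random server-chosen name. The field name 'uploadedfile' and the 'uploads/' directory are taken from the thread; validate_upload() and the image-only allowlist are my assumptions.

```php
<?php
// Added example, not code from this thread: validates an upload by its
// contents instead of the browser-supplied $_FILES[...]['type'].
// Assumes form field 'uploadedfile' and a writable 'uploads/' directory.
function validate_upload(array $file, string $upload_dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? '?'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST.');
    }
    // Allowlist of accepted content types and the extension each is stored with.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    // Sniff the real type from the bytes on disk; $file['type'] is never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // Independent second check: getimagesize() returns false unless the file
    // parses as an image, and its detected type must agree with finfo.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('File is not a valid image.');
    }
    // Never reuse the client's filename: choose a random name and force the
    // extension that matches the sniffed type, so nothing lands as .php or .exe.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

try {
    $stored = validate_upload($_FILES['uploadedfile'] ?? [], 'uploads');
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The directory-level protection feyd refers to (forbidding script execution inside uploads/) is web-server configuration rather than PHP and is not shown here.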
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

YESS!!!!!!

So I did what you said, tested what type it was, and it was 'application/x', so I put that in and it worked!!!!!!! Thank you SOOOOO much for your help, dude. I really appreciate it!!! BTW, I'm using Firefox, not Opera.
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

You're welcome! I'm glad that you achieved your desired result, but I urge you to consider the advice of feyd and myself. If you use this method as your sole way of validating uploads, you could run into trouble later on down the road. Think about it.