Page 2 of 2
Posted: Mon Sep 04, 2006 3:05 am
by Gavin.Monroe
You are missing the comma between array values:
$bad_types = array(
'application/octet-stream', //<-- inserted a comma
'application/x-msdos-program'
);
Posted: Mon Sep 04, 2006 8:11 pm
by JustinMs66
OK, I did that and there was no error. It uploaded the file. But THEN I tried uploading a .exe file and that DID WORK.

So something is still not correct. Here is all of my code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php
$bad_types = array(
'application/octet-stream', // .exe
'application/x-msdos-program'
// 'text/html' // html files
);
if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
/*
echo "That File type is not supported.";
}
else
{
//
// Where the file is going to be placed
$target_path = "uploads/";
/* Add the original filename to our target path.
Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
$_FILES['uploadedfile']['tmp_name'];
//
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded. here is the link to your file: <a href=uploads/". basename( $_FILES['uploadedfile']['name']). ">". basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
echo "There was an error uploading the file, please try again!";
}
}
?>
</body>
</html>
Posted: Mon Sep 04, 2006 8:18 pm
by Gavin.Monroe
Your code should have come out looking like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php
// MIME types (as reported by the browser) that we refuse to store.
$bad_types = array('application/octet-stream','application/x-msdos-program');
// $_FILES[...]['type'] is whatever type the browser sent along with the upload.
if( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
echo "That File type is not supported.";
}
else
{
// Destination is uploads/<original filename>; basename() strips any directory part.
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
// move_uploaded_file() only moves files PHP itself received through an HTTP upload.
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded. here is the link to your file: <a href=\"uploads/". basename( $_FILES['uploadedfile']['name']). "\">". basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
echo "There was an error uploading the file, please try again!";
}
}
?>
</body>
</html>
Posted: Mon Sep 04, 2006 9:38 pm
by JustinMs66
I tried that exact code and it still doesn't work. It still lets me upload .exe files.
Posted: Mon Sep 04, 2006 9:51 pm
by Gavin.Monroe
Are you using Opera? It reports '.exe' as 'application/x-msdownload'.
Hence, you have stumbled upon the problem that I previously mentioned, which is that browsers use their own system for reporting MIME types. This is not a foolproof method for blocking the uploading of certain file types.
Other checks might include checking the file extension of the upload (not foolproof either) and actually scanning the file contents for validity. For example, if you want to check the validity of an image you can use the getimagesize() function, because it returns false if the file is not a valid image.
Hint: If you want to figure out what MIME type a certain browser is reporting, just print the value of $_FILES['uploadedfile']['type'].
Posted: Mon Sep 04, 2006 9:56 pm
by feyd
Do not ever rely on the type given by the browser (agent) as being the truth. The only effective way is analyzing the file as I've already said in the previous thread.
If the server is set up correctly little of this would be a real concern. The only major concern would be if this is being hosted on a shared host and it isn't set up correctly.
The other protections don't involve any PHP, but directory level settings given to the web server. We've talked about that before and shouldn't be too difficult to search for (although everyone but me seems to have issues in searching...)
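As an added example (not code from this thread or from either poster), here is what Gavin's and feyd's advice looks like when put together: a PHP handler that ignores the browser-reported `$_FILES[...]['type']` completely and instead requires the client's file extension, a libmagic sniff of the actual bytes (PHP's `fileinfo` extension) and `getimagesize()` to all agree before anything leaves the temp directory. The image-only allowlist, the 2 MB limit and the `validate_upload()` / `handle_upload()` names are assumptions made for the demonstration; the PNG and MZ bytes in the command-line demo are constructed inline.

```php
<?php
// Added example: content-based upload validation. Not from the thread.
declare(strict_types=1);

// Assumption: this site only accepts images. Extension => MIME type libmagic must report.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit

/**
 * Validate a file on disk as an upload candidate. The browser-supplied type is never
 * consulted. Returns ['ok' => bool, 'reason' => string, 'name' => string (on success)].
 */
function validate_upload(string $tmp_path, string $client_name): array
{
    if (!is_file($tmp_path)) {
        return ['ok' => false, 'reason' => 'no file'];
    }
    $size = filesize($tmp_path);
    if ($size === 0 || $size > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'bad size'];
    }
    // Extension check (Gavin's "not foolproof either"): "shell.php.png" still yields "png",
    // which is why the content is sniffed below and the client name is never reused on disk.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // Content check: libmagic looks at the bytes, not at what the browser claimed.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($tmp_path);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content is $sniffed, expected " . ALLOWED_TYPES[$ext]];
    }
    // Structural check, as Gavin suggested: getimagesize() returns false for non-images.
    $info = @getimagesize($tmp_path);
    if ($info === false) {
        return ['ok' => false, 'reason' => 'not a valid image'];
    }
    // Store under a random name with our own extension; the user's filename never touches disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'reason' => 'ok', 'name' => $name, 'width' => $info[0], 'height' => $info[1]];
}

/** Web entry point: validate $_FILES[$field] and move it into $dest_dir. */
function handle_upload(string $field, string $dest_dir): array
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    $f      = $_FILES[$field];
    $result = validate_upload($f['tmp_name'], $f['name']);
    if (!$result['ok']) {
        return $result;
    }
    // move_uploaded_file() itself refuses anything that was not received as an HTTP upload.
    $dest = rtrim($dest_dir, '/') . '/' . $result['name'];
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }
    return $result;
}

// Offline demo with constructed inputs (runs only from the command line).
if (PHP_SAPI === 'cli') {
    // Constructed 1x1 PNG (valid signature, IHDR, IDAT, IEND).
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    // Constructed DOS/Windows executable header ("MZ" plus padding).
    $exe = "MZ" . str_repeat("\0", 62);
    $cases = [
        ['good.png',  $png],
        ['evil.exe',  $exe],
        ['evil.png',  $exe],                 // renamed executable, extension lies
        ['shell.php', "<?php echo 1; ?>"],
    ];
    foreach ($cases as [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $r = validate_upload($tmp, $name);
        printf("%-10s -> %s (%s)\n", $name, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
        unlink($tmp);
    }
}
```

Run it with `php upload.php` to see the four constructed cases: only `good.png` is accepted; `evil.png` is rejected because libmagic reports an executable rather than `image/png`, no matter what extension or browser type it arrived with. The validation is kept separate from `move_uploaded_file()` so it can be exercised without a real HTTP upload. If you echo anything user-supplied back into HTML (the original filename, as the thread's script does), pass it through `htmlspecialchars()` first. feyd's point about directory-level settings applies on top of all this: with Apache and mod_php, for instance, `php_flag engine off` in a `<Directory>` block (or in `.htaccess` where `AllowOverride` permits it) for the uploads directory makes a stray `.php` file plain text instead of executable code. That server configuration is an assumption about the hosting setup, not something the thread specifies.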
Posted: Mon Sep 04, 2006 10:05 pm
by JustinMs66
YESS!!!!!!
So I did what you said, tested what type it was, and it was 'application/x', so I put that in and it worked!!!!!!! Thank you SOOOOO much for your help, dude. I really appreciate it!!! BTW, I'm using Firefox, not Opera.
Posted: Mon Sep 04, 2006 10:09 pm
by Gavin.Monroe
You're welcome! I'm glad that you achieved your desired result, but I urge you to consider the advice of feyd and myself. If you use this method as your sole way of validating uploads, you could run into trouble later on down the road. Think about it.