Secure PHP File Upload
Moderator: General Moderators
-
neodjandre
- Forum Newbie
- Posts: 6
- Joined: Tue Oct 07, 2008 7:54 am
Secure PHP File Upload
Hello,
I am a complete newbie when it comes to PHP. In fact, I have never used it before.
I am ok with html and seem to understand concepts quite fast.
I want to create an upload form where users can upload only .Zip files up to 150MB.
Security is very very very important... I have an SSL certificate but the PHP script needs to be extra secured as well.
As an additional security measure, I want to give my customers a unique number which they should enter in the form before being able to upload.
I also want this unique number to be appended in front of the filename for identification purposes.
any help would do at this stage.
thanks in advance,
Andy
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Re: Secure PHP File Upload
I always found this site useful as a reference when I started work on uploads: http://www.tizag.com/phpT/fileupload.php
Also, you may want to look at the PHP manual: http://uk3.php.net/features.file-upload
Once you know the basics, you can then investigate security.
-
neodjandre
- Forum Newbie
- Posts: 6
- Joined: Tue Oct 07, 2008 7:54 am
Re: Secure PHP File Upload
ok, I am starting to grasp the basics.
My html form is this:
Code: Select all
<form enctype="multipart/form-data" action="./Uploadsf/uploader.php" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
    Choose a file to upload: <input name="uploadedfile" type="file" /><br />
    <input type="submit" value="Upload File" />
</form>
My php script is:
Code: Select all
<?php
$target_path = "Uploadsf/Up1oads";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ". basename( $_FILES['uploadedfile']['name']).
        " has been uploaded";
} else{
    echo "There was an error uploading the file, please contact us";
}
?>
The script appears to be executed correctly, however the file is not uploaded successfully.
any ideas on what might be wrong with my code?
thanks
Andy
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Re: Secure PHP File Upload
What error messages do you get (if any)?
I would imagine there are permission issues or an incorrect directory path.
-
neodjandre
- Forum Newbie
- Posts: 6
- Joined: Tue Oct 07, 2008 7:54 am
Re: Secure PHP File Upload
I get the error message I wrote in the script "There was an error uploading the file, please contact us"
I have changed the permission in the folder "Up1oads" to 777 but still the same error...
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Re: Secure PHP File Upload
Oh ok, my apologies - didn't see it.
Take a look at this link: http://uk3.php.net/manual/en/features.f ... errors.php
Because you have written your error message as the result of a conditional else, you will be looking at message values from 1 to 8, in the link above.
-
neodjandre
- Forum Newbie
- Posts: 6
- Joined: Tue Oct 07, 2008 7:54 am
Re: Secure PHP File Upload
ok I fixed it .. it works !
I was missing a dot !
$target_path = "./Up1oads";
Now, I need to do more advanced stuff ...
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Re: Secure PHP File Upload
One common problem is the target_path - make sure it's correct!
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Re: Secure PHP File Upload
Excellent. Well done.
-
neodjandre
- Forum Newbie
- Posts: 6
- Joined: Tue Oct 07, 2008 7:54 am
Re: Secure PHP File Upload
This website is also good for php security
http://www.mysql-apache-php.com/fileupload-security.htm
I have created an .htaccess file as described but I get an error "You tried to access a document for which you don't have privileges." when I try to upload any kind of files..
any ideas on why this happens?
this is what I wrote inside the .htaccess file:
Code: Select all
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
Re: Secure PHP File Upload
On the security side of things, make sure that you only allow uploads on files with specific extensions. It might even be a good idea to have the script check for proper file headers.
-
neodjandre
- Forum Newbie
- Posts: 6
- Joined: Tue Oct 07, 2008 7:54 am
Re: Secure PHP File Upload
ok I have tried to do that with the following code
Code: Select all
<?php
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
    $filename = basename($_FILES['uploaded_file']['name']);
    $ext = substr($filename, strrpos($filename, '.') + 1);
    if (($ext == "zip") && ($_FILES["uploaded_file"]["type"] == "zip") &&
        ($_FILES["uploaded_file"]["size"] < 150000000)) {
        //Determine the path to which we want to save this file
        $newname = dirname(__FILE__).'/Up1oads/'.$filename;
        //Check if a file with the same name already exists on the server
        if (!file_exists($newname)) {
            //Attempt to move the uploaded file to its new place
            if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
                echo "It's done! The file has been saved as: ".$newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {
            echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";
        }
    } else {
        echo "Error: Only .zip files under 150Mb are accepted for upload";
    }
} else {
    echo "Error: No file uploaded";
}
?>
However, I get the error "Error: Only .zip files under 150Mb are accepted for upload" even when I try to upload a .zip file.
can anyone spot what I am doing wrong in the above code?
thanks a lot again
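Added example, not part of the thread and not any poster's code: one way to combine the checks discussed above (extension, file header, 150 MB limit, customer number prefixed to the stored name). The `type` entry of `$_FILES` is a MIME string supplied by the browser, such as `application/zip`, so this sketch ignores it and reads the file's first bytes instead. The function name, the `customer_no` field and the sample customer numbers are assumptions.

```php
<?php
// Added example; helper name, field names and sample numbers are assumptions.
const MAX_BYTES = 150 * 1024 * 1024; // 150 MB limit asked for in the thread

function validate_zip_upload(array $file, string $customerNo, array $validNos): string
{
    // The customer number gates the upload and later prefixes the stored name.
    if (!ctype_digit($customerNo) || !in_array($customerNo, $validNos, true)) {
        throw new RuntimeException('Unknown customer number');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (see the PHP upload error codes)');
    }
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file, or larger than 150 MB');
    }
    // Extension check, case-insensitive. The client-sent 'type' is not trusted.
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'zip') {
        throw new RuntimeException('Only .zip files are accepted');
    }
    // File-header check: a non-empty ZIP archive begins with "PK\x03\x04".
    if (file_get_contents($file['tmp_name'], false, null, 0, 4) !== "PK\x03\x04") {
        throw new RuntimeException('File content is not a ZIP archive');
    }
    // Never reuse the client's file name as-is: keep a safe subset only.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($file['name'], PATHINFO_FILENAME));
    return $customerNo . '_' . substr($base, 0, 100) . '.zip';
}

if (isset($_FILES['uploaded_file'])) {
    try {
        $validNos = ['100234', '100235']; // constructed sample values
        $no = $_POST['customer_no'] ?? '';
        $name = validate_zip_upload($_FILES['uploaded_file'], is_string($no) ? $no : '', $validNos);
        $dest = __DIR__ . '/Up1oads/' . $name;
        if (file_exists($dest) || !move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $dest)) {
            throw new RuntimeException('Could not store the file');
        }
        echo 'Saved as ' . htmlspecialchars($name);
    } catch (RuntimeException $e) {
        echo 'Error: ' . htmlspecialchars($e->getMessage());
    }
}
```

For 150 MB uploads to reach the script at all, PHP's `upload_max_filesize` and `post_max_size` settings must be at least that large; the `MAX_FILE_SIZE` form field is only a hint to the browser.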