Secure PHP File Upload

neodjandre
Forum Newbie
Posts: 6
Joined: Tue Oct 07, 2008 7:54 am

Secure PHP File Upload

Post by neodjandre »

Hello,

I am a complete newbie when it comes to PHP. In fact, I have never used it before.

I am ok with html and seem to understand concepts quite fast.

I want to create an upload form where users can upload only .Zip files up to 150MB.

Security is very very very important... I have an SSL certificate but the PHP script needs to be extra secured as well.

As an additional security measure, I want to give my customers a unique number which they should enter in the form before being able to upload.

I also want this unique number to be appended in front of the filename for identification purposes.

Any help would do at this stage.

thanks in advance,
Andy
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Secure PHP File Upload

Post by aceconcepts »

I always found this site useful as a reference when I started work on uploads: http://www.tizag.com/phpT/fileupload.php

Also, you may want to look at the PHP manual: http://uk3.php.net/features.file-upload

Once you know the basics, you can then investigate security.
neodjandre
Forum Newbie
Posts: 6
Joined: Tue Oct 07, 2008 7:54 am

Re: Secure PHP File Upload

Post by neodjandre »

OK, I am starting to grasp the basics.

My html form is this:

Code:

<form enctype="multipart/form-data" action="./Uploadsf/uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
My php script is:

Code:

<?php

// Directory the uploads are written to, relative to the directory PHP runs the script from;
// the trailing slash is needed so the filename is appended inside the directory
$target_path = "Uploadsf/Up1oads/";

// basename() keeps only the last path component of the client-supplied name
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);

// move_uploaded_file() refuses anything that is not a file PHP itself received in this request
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
    echo "There was an error uploading the file, please contact us";
}

?>
The script appears to be executed correctly; however, the file is not uploaded successfully.

Any ideas on what might be wrong with my code?

thanks
Andy
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Secure PHP File Upload

Post by aceconcepts »

What error messages do you get (if any)?

I would imagine there are permission issues or an incorrect directory path.
neodjandre
Forum Newbie
Posts: 6
Joined: Tue Oct 07, 2008 7:54 am

Re: Secure PHP File Upload

Post by neodjandre »

I get the error message I wrote in the script: "There was an error uploading the file, please contact us".

I have changed the permission in the folder "Up1oads" to 777 but still the same error...
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Secure PHP File Upload

Post by aceconcepts »

Oh ok, my apologies - didn't see it.

Take a look at this link: http://uk3.php.net/manual/en/features.f ... errors.php

Because you have written your error message as the result of a conditional else, you will be looking at message values from 1 to 8 in the link above.
neodjandre
Forum Newbie
Posts: 6
Joined: Tue Oct 07, 2008 7:54 am

Re: Secure PHP File Upload

Post by neodjandre »

OK, I fixed it... it works!

I was missing a dot! :-)

$target_path = "./Up1oads";

Now, I need to do more advanced stuff ...
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Secure PHP File Upload

Post by aceconcepts »

One common problem is the target_path - make sure it's correct!
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Secure PHP File Upload

Post by aceconcepts »

Excellent. Well done.
neodjandre
Forum Newbie
Posts: 6
Joined: Tue Oct 07, 2008 7:54 am

Re: Secure PHP File Upload

Post by neodjandre »

This website is also good for PHP security:

http://www.mysql-apache-php.com/fileupload-security.htm

I have created an .htaccess file as described, but I get the error "You tried to access a document for which you don't have privileges." when I try to upload any kind of file.

Any ideas on why this happens?

This is what I wrote inside the .htaccess file:

Code:

# No directory listings and no CGI execution in this directory
Options -Indexes
Options -ExecCGI
# Map script extensions to the CGI handler; with ExecCGI off, Apache answers
# requests for such files with a 403 instead of running them
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
Masonan
Forum Newbie
Posts: 4
Joined: Tue Oct 07, 2008 10:21 am

Re: Secure PHP File Upload

Post by Masonan »

On the security side of things, make sure that you only allow uploads of files with specific extensions. It might even be a good idea to have the script check for proper file headers.
neodjandre
Forum Newbie
Posts: 6
Joined: Tue Oct 07, 2008 7:54 am

Re: Secure PHP File Upload

Post by neodjandre »

OK, I have tried to do that with the following code:

Code:

<?php

// Proceed only if the file field arrived and PHP reported no upload error (code 0)
if ((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {

    // basename() strips any directory components from the client-supplied name
    $filename = basename($_FILES['uploaded_file']['name']);
    // Everything after the last dot is taken as the extension (case-sensitive)
    $ext = substr($filename, strrpos($filename, '.') + 1);
    // Three conditions: the extension, the MIME type string the browser sent, and the size in bytes
    if (($ext == "zip") && ($_FILES["uploaded_file"]["type"] == "zip") &&
        ($_FILES["uploaded_file"]["size"] < 150000000)) {
        // Determine the path to which we want to save this file
        $newname = dirname(__FILE__) . '/Up1oads/' . $filename;
        // Check whether a file with the same name already exists on the server
        if (!file_exists($newname)) {
            // Attempt to move the uploaded file to its new place
            if (move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $newname)) {
                // Note: this echoes the absolute server path back to the client
                echo "It's done! The file has been saved as: " . $newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {
            // The client-supplied name is echoed back unescaped here
            echo "Error: File " . $_FILES["uploaded_file"]["name"] . " already exists";
        }
    } else {
        echo "Error: Only .zip files under 150Mb are accepted for upload";
    }
} else {
    echo "Error: No file uploaded";
}

?>
However, I get the error "Error: Only .zip files under 150Mb are accepted for upload" even when I try to upload a .zip file.

Can anyone spot what I am doing wrong in the above code?

thanks a lot again
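The checks Masonan suggested, applied to the upload handler in this thread, as an added example rather than code posted by anyone here: the extension is taken from the basename, the browser-supplied type is ignored in favour of the file's own ZIP signature, the 150 MB limit is enforced server-side, and the OP's unique customer number is validated and prefixed to a server-generated filename. The form field name `customer_number` and the `private_uploads` directory are assumptions.

```php
<?php
// Added example, not code from the thread: hardened handler for the .zip-only
// upload discussed above. Assumes form fields "uploadedfile" and "customer_number"
// (hypothetical name for the OP's unique number) and a storage directory that
// exists and is not served by the web server.
const MAX_BYTES = 150 * 1024 * 1024;  // 150 MB, enforced here, not only by MAX_FILE_SIZE
const ZIP_MAGIC = "PK\x03\x04";       // local file header every non-empty .zip starts with

function validateZipUpload(array $file, string $customerNumber): array
{
    // Check keys before use so a missing or malformed field fails closed.
    if (!isset($file['error'], $file['tmp_name'], $file['size'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'No file received (error code ' . ($file['error'] ?? 'n/a') . ')'];
    }
    // Digits only: this is the one client value that reaches the filename.
    // A real deployment would also look it up in the list of issued numbers.
    if (!preg_match('/^[0-9]{6,12}$/', $customerNumber)) {
        return [false, 'Customer number must be 6 to 12 digits'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'File exceeds 150 MB'];
    }
    // Extension from the basename only, lower-cased so .ZIP is accepted too.
    if (strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION)) !== 'zip') {
        return [false, 'Only .zip files are accepted'];
    }
    // $_FILES[...]['type'] is sent by the browser and is not trusted; read the
    // first four bytes of the temp file and compare with the ZIP signature.
    if (file_get_contents($file['tmp_name'], false, null, 0, 4) !== ZIP_MAGIC) {
        return [false, 'File content is not a ZIP archive'];
    }
    return [true, 'ok'];
}

function storeZipUpload(array $file, string $customerNumber, string $storeDir): string
{
    [$ok, $msg] = validateZipUpload($file, $customerNumber);
    if (!$ok) {
        throw new RuntimeException($msg);
    }
    // Server-chosen name: customer number prefix plus random bytes, so the
    // client's filename never touches the filesystem and cannot collide.
    $dest = rtrim($storeDir, '/') . '/' . $customerNumber . '_' . bin2hex(random_bytes(8)) . '.zip';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    return $dest;  // callers should report success without echoing this server path
}
```

From the POST handler, call `storeZipUpload($_FILES['uploadedfile'] ?? [], (string)($_POST['customer_number'] ?? ''), __DIR__ . '/../private_uploads')` inside a try block and show the RuntimeException message to the user with htmlspecialchars().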