Secure PHP File Upload

Posted: Tue Oct 07, 2008 7:59 am
by neodjandre
Hello,

I am a complete newbie when it comes to PHP. In fact, I have never used it before.

I am ok with html and seem to understand concepts quite fast.

I want to create an upload form where users can upload only .Zip files up to 150MB.

Security is very very very important... I have an SSL certificate but the PHP script needs to be extra secured as well.

As an additional security measure, I want to give my customers a unique number which they should enter in the form before being able to upload.

I also want this unique number to be appended in front of the filename for identification purposes.

Any help would do at this stage.

thanks in advance,
Andy

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 8:26 am
by aceconcepts
I always found this site useful as a reference when I started work on uploads: http://www.tizag.com/phpT/fileupload.php

Also, you may want to look at the PHP manual: http://uk3.php.net/features.file-upload

Once you know the basics, you can then investigate security.

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 9:44 am
by neodjandre
OK, I am starting to grasp the basics.

My html form is this:

Code:

<form enctype="multipart/form-data" action="./Uploadsf/uploader.php" method="POST">
<!-- advisory limit in bytes: PHP reports UPLOAD_ERR_FORM_SIZE when it is exceeded, but the client controls this value -->
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
My php script is:

Code:

<?php

// Directory the upload is written to; the client's filename is appended below
$target_path = "Uploadsf/Up1oads";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

// move_uploaded_file() only moves a file that PHP received in this request
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']).
    " has been uploaded";
} else {
    echo "There was an error uploading the file, please contact us";
}

?>
The script appears to be executed correctly, however the file is not uploaded successfully.

Any ideas on what might be wrong with my code?

thanks
Andy

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 9:46 am
by aceconcepts
What error messages do you get (if any)?

I would imagine there are permission issues or an incorrect directory path.

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 9:53 am
by neodjandre
I get the error message I wrote in the script: "There was an error uploading the file, please contact us".

I have changed the permission in the folder "Up1oads" to 777 but still the same error...

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 10:02 am
by aceconcepts
Oh ok, my apologies - didn't see it.

Take a look at this link: http://uk3.php.net/manual/en/features.f ... errors.php

Because you have written your error message as the result of a conditional else, you will be looking at the message values from 1 to 8 in the link above.

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 10:13 am
by neodjandre
OK, I fixed it... it works!

I was missing a dot! :-)

$target_path = "./Up1oads";

Now, I need to do more advanced stuff ...

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 10:14 am
by aceconcepts
One common problem is the target_path - make sure it's correct!

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 10:15 am
by aceconcepts
Excellent. Well done.

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 11:06 am
by neodjandre
This website is also good for PHP security:

http://www.mysql-apache-php.com/fileupload-security.htm

I have created an .htaccess file as described, but I get the error "You tried to access a document for which you don't have privileges." when I try to upload any kind of file.

Any ideas on why this happens?

this is what I wrote inside the .htaccess file:

Code:

# No directory listings
Options -Indexes
# CGI execution off, then map script extensions to the CGI handler: the server
# answers 403 for these files instead of running them (applies to subdirectories too)
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 11:29 am
by Masonan
On the security side of things, make sure that you only allow uploads of files with specific extensions. It might even be a good idea to have the script check for proper file headers.

Re: Secure PHP File Upload

Posted: Tue Oct 07, 2008 12:06 pm
by neodjandre
OK, I have tried to do that with the following code:

Code:

<?php

if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {

  $filename = basename($_FILES['uploaded_file']['name']);
  // Extension as supplied by the client: everything after the last dot
  $ext = substr($filename, strrpos($filename, '.') + 1);
  // 'type' is the MIME type string the browser sent (for example application/zip); it is compared here against "zip"
  if (($ext == "zip") && ($_FILES["uploaded_file"]["type"] == "zip") &&
    ($_FILES["uploaded_file"]["size"] < 150000000)) {
    //Determine the path to which we want to save this file
    $newname = dirname(__FILE__).'/Up1oads/'.$filename;
    //Check if a file with the same name already exists on the server
    if (!file_exists($newname)) {
      //Attempt to move the uploaded file to its new place
      if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
        echo "It's done! The file has been saved as: ".$newname;
      } else {
        echo "Error: A problem occurred during file upload!";
      }
    } else {
      echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";
    }
  } else {
    echo "Error: Only .zip files under 150Mb are accepted for upload";
  }
} else {
  echo "Error: No file uploaded";
}

?>
However, I get the error "Error: Only .zip files under 150Mb are accepted for upload" even when I try to upload a .zip file.

Can anyone spot what I am doing wrong in the above code?

Thanks a lot again
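The following is an added example, not code from any poster in this thread or from the linked tutorials. It is a hardened version of the handler the thread is converging on, written for PHP 7 or later (it uses random_bytes). Two facts drive its design. First, $_FILES[...]['type'] is a MIME type string the browser chose, such as application/zip, so comparing it with the bare word "zip" never matches, and in any case the client can send whatever it likes there; the example ignores it and instead checks the extension of the submitted name and the first bytes of the file PHP actually received. Second, an upload directory outside the document root cannot serve anything, which makes the .htaccess question above moot: a rule set that maps .php to a switched-off CGI handler applies to every .php under the directory it sits in, uploader.php included, which is what turns the upload request itself into a 403. Assumptions not taken from the thread: the form fields are named customer_number and uploadedfile, the valid customer numbers come from a constructed array named $KNOWN_CUSTOMERS (a real site would look them up in a database), the destination is a directory named private_uploads one level above the script, and customer numbers are all digits.

```php
<?php
// Added example (not the original poster's code): a hardened upload handler.
// Assumptions, not from the thread: field names "customer_number" and
// "uploadedfile", a constructed $KNOWN_CUSTOMERS table, and UPLOAD_DIR outside
// the document root so nothing stored there can ever be served or executed.
declare(strict_types=1);

const MAX_BYTES  = 150 * 1024 * 1024;                // 150 MB, as the thread asks for
const UPLOAD_DIR = __DIR__ . '/../private_uploads';  // assumption: not under the web root
$KNOWN_CUSTOMERS = ['10482' => 'acme', '20931' => 'globex'];  // constructed sample data

// Text for the $_FILES[...]['error'] codes (the list the PHP manual documents).
function uploadErrorText(int $code): string {
    static $messages = [
        UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
        UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE from the form',
        UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file was uploaded',
        UPLOAD_ERR_NO_TMP_DIR => 'missing temporary folder',
        UPLOAD_ERR_CANT_WRITE => 'failed to write file to disk',
        UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
    ];
    return $messages[$code] ?? "unknown upload error $code";
}

// A zip archive begins with the local file header signature "PK\x03\x04";
// an archive with no entries begins with the end-of-central-directory record
// "PK\x05\x06". This reads the temp file PHP wrote, not anything the client said.
function looksLikeZip(string $path): bool {
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $magic = fread($fh, 4);
    fclose($fh);
    return $magic === "PK\x03\x04" || $magic === "PK\x05\x06";
}

// Check the customer number and one $_FILES entry. Returns the destination path
// on success, otherwise throws with a message that is safe to show the user.
function validateUpload(array $file, string $customerNumber, array $knownCustomers): string {
    // Digits only (assumption): the number becomes part of the filename below.
    if (!preg_match('/\A[0-9]+\z/', $customerNumber) || !isset($knownCustomers[$customerNumber])) {
        throw new RuntimeException('Unknown customer number');
    }
    $error = (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed: ' . uploadErrorText($error));
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    // Only handle a file that PHP itself received in this request.
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Size of what actually landed on disk.
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('Only .zip files up to 150 MB are accepted');
    }
    // Extension of the submitted name (lower-cased so FILE.ZIP is accepted) ...
    $original = basename((string) ($file['name'] ?? ''));
    if (strtolower(pathinfo($original, PATHINFO_EXTENSION)) !== 'zip') {
        throw new RuntimeException('Only .zip files up to 150 MB are accepted');
    }
    // ... and the signature of the bytes received; $file['type'] is never consulted.
    if (!looksLikeZip($tmp)) {
        throw new RuntimeException('File is not a zip archive');
    }
    // Never reuse the client's filename. Ours is customer number, random token,
    // fixed extension: it identifies the customer, cannot collide, cannot traverse.
    $token = bin2hex(random_bytes(8));
    return UPLOAD_DIR . '/' . $customerNumber . '_' . $token . '.zip';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $dest = validateUpload(
            $_FILES['uploadedfile'] ?? [],
            (string) ($_POST['customer_number'] ?? ''),
            $KNOWN_CUSTOMERS
        );
        if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
            throw new RuntimeException('Upload directory is not available');
        }
        if (!move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $dest)) {
            throw new RuntimeException('Could not store the file');
        }
        chmod($dest, 0640);  // data, never executable
        // Report our own name, escaped; the client's name is never echoed back.
        echo 'Stored as ' . htmlspecialchars(basename($dest), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

To use it, the form needs an extra field, `<input name="customer_number" type="text" />`, next to the existing file input, and the server's php.ini must allow the size: both upload_max_filesize and post_max_size have to be at least 150M, otherwise the file never reaches the script (the first case shows up as UPLOAD_ERR_INI_SIZE, the second leaves $_FILES empty). The MAX_FILE_SIZE form field is kept only as a courtesy to the browser; the limit that counts is MAX_BYTES checked against the temp file.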