Secure PHP File Upload
Posted: Tue Oct 07, 2008 7:59 am
by neodjandre
Hello,
I am a complete newbie when it comes to PHP. In fact, I have never used it before.
I am ok with html and seem to understand concepts quite fast.
I want to create an upload form where users can upload only .Zip files up to 150MB.
Security is very very very important... I have an SSL certificate but the PHP script needs to be extra secured as well.
As an additional security measure, I want to give my customers a unique number which they should enter in the form before being able to upload.
I also want this unique number to be appended in front of the filename for identification purposes.
Any help would do at this stage.
thanks in advance,
Andy
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 8:26 am
by aceconcepts
I always found this site useful as a reference when I started work on uploads:
http://www.tizag.com/phpT/fileupload.php
Also, you may want to look at the PHP manual:
http://uk3.php.net/features.file-upload
Once you know the basics, you can then investigate security.
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 9:44 am
by neodjandre
OK, I am starting to grasp the basics.
My html form is this:
<form enctype="multipart/form-data" action="./Uploadsf/uploader.php" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
    Choose a file to upload: <input name="uploadedfile" type="file" /><br />
    <input type="submit" value="Upload File" />
</form>
My php script is:
<?php
$target_path = "Uploadsf/Up1oads";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['uploadedfile']['name']) .
        " has been uploaded";
} else {
    echo "There was an error uploading the file, please contact us";
}
?>
The script appears to be executed correctly, however the file is not uploaded successfully.
Any ideas on what might be wrong with my code?
thanks
Andy
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 9:46 am
by aceconcepts
What error messages do you get (if any)?
I would imagine there are permission issues or an incorrect directory path.
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 9:53 am
by neodjandre
I get the error message I wrote in the script: "There was an error uploading the file, please contact us"
I have changed the permission in the folder "Up1oads" to 777 but still the same error...
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 10:02 am
by aceconcepts
Oh ok, my apologies - didn't see it.
Take a look at this link:
http://uk3.php.net/manual/en/features.f ... errors.php
Because you have written your error message as the result of a conditional else, you will be looking at message values from 1 to 8 in the link above.
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 10:13 am
by neodjandre
OK, I fixed it... it works!
I was missing a dot!
$target_path = "./Up1oads";
Now, I need to do more advanced stuff ...
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 10:14 am
by aceconcepts
One common problem is the target_path - make sure it's correct!
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 10:15 am
by aceconcepts
Excellent. Well done.
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 11:06 am
by neodjandre
This website is also good for php security
http://www.mysql-apache-php.com/fileupload-security.htm
I have created an .htaccess file as described, but I get an error "You tried to access a document for which you don't have privileges." when I try to upload any kind of file.
Any ideas on why this happens?
This is what I wrote inside the .htaccess file:
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 11:29 am
by Masonan
On the security side of things, make sure that you only allow uploads of files with specific extensions. It might even be a good idea to have the script check for proper file headers.
Re: Secure PHP File Upload
Posted: Tue Oct 07, 2008 12:06 pm
by neodjandre
OK, I have tried to do that with the following code:
<?php
if ((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
    $filename = basename($_FILES['uploaded_file']['name']);
    $ext = substr($filename, strrpos($filename, '.') + 1);
    if (($ext == "zip") && ($_FILES["uploaded_file"]["type"] == "zip") &&
        ($_FILES["uploaded_file"]["size"] < 150000000)) {
        // Determine the path to which we want to save this file
        $newname = dirname(__FILE__) . '/Up1oads/' . $filename;
        // Check whether a file with the same name already exists on the server
        if (!file_exists($newname)) {
            // Attempt to move the uploaded file to its new place
            if (move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $newname)) {
                echo "It's done! The file has been saved as: " . $newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {
            echo "Error: File " . $_FILES["uploaded_file"]["name"] . " already exists";
        }
    } else {
        echo "Error: Only .zip files under 150Mb are accepted for upload";
    }
} else {
    echo "Error: No file uploaded";
}
?>
However, I get the error "Error: Only .zip files under 150Mb are accepted for upload" even when I try to upload a .zip file.
Can anyone spot what I am doing wrong in the above code?
thanks a lot again
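The header check Masonan suggests, combined with the extension, size and customer-number checks from the thread, as an added PHP example that is not code from the thread or from any poster. The `["type"] == "zip"` test in the script above can never pass because the browser sends a MIME string such as `application/zip` in that field, so the example checks the file's first bytes instead; it assumes the field is still named `uploadedfile`, a second form field `customer` carries the unique number, the `Up1oads` directory from the thread, and PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Field names 'uploadedfile' and
// 'customer', the Up1oads directory and PHP 7.1+ are assumptions.
const MAX_ZIP_BYTES = 150 * 1024 * 1024;   // the thread's 150 MB limit

// Header check: a ZIP archive starts with a local file header "PK\x03\x04";
// an archive with no entries starts with "PK\x05\x06". Only 4 bytes are read.
function looks_like_zip(string $path): bool
{
    $magic = @file_get_contents($path, false, null, 0, 4);
    return $magic === "PK\x03\x04" || $magic === "PK\x05\x06";
}
// Returns null if the upload may be stored, otherwise the reason to reject it.
// $file is one entry of $_FILES; its 'name' and 'type' are chosen by the
// client, so the extension is checked but the file content decides.
function check_zip_upload(array $file, string $token): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed, PHP error code ' . ($file['error'] ?? 'none');
    }
    if ($file['size'] > MAX_ZIP_BYTES) {
        return 'file larger than 150 MB';
    }
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'zip') {
        return 'only .zip files are accepted';
    }
    // Format check only; the number must still match your customer records.
    if (!preg_match('/^[0-9]{4,12}$/', $token)) {
        return 'invalid customer number';
    }
    if (!looks_like_zip($file['tmp_name'])) {
        return 'content is not a ZIP archive';
    }
    return null;
}
// Stored name: customer number first, then a random part. The client's file
// name never reaches the disk, so nothing hidden in it can affect the path.
function stored_name(string $token): string
{
    return $token . '_' . bin2hex(random_bytes(8)) . '.zip';
}
$token  = $_POST['customer'] ?? '';
$reason = check_zip_upload($_FILES['uploadedfile'] ?? [], $token);
if ($reason !== null) {
    exit('Error: ' . htmlspecialchars($reason));
}
$dest = __DIR__ . '/Up1oads/' . stored_name($token);
move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $dest) or exit('Error: could not store the file');
echo 'Stored as ' . htmlspecialchars(basename($dest));
```

The form's MAX_FILE_SIZE and the php.ini settings upload_max_filesize and post_max_size must also allow 150 MB, or PHP rejects the upload before this code runs. Keep Up1oads outside the web root, or in a directory where script execution is disabled as the .htaccess earlier in the thread does, so a stored file can only ever be downloaded, never run.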