PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.

PostPosted: Sat Aug 20, 2011 10:06 am
Forum Commoner
Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30
Here is what I use to upload profile pictures to a folder. I know this isn't secure yet. The folder's permission is set to 777 because that is the only way I could make it work.

Let me know what needs to be added/changed to keep hackers away.

Thanks!

<?php
session_start();
if(!isset($_SESSION['username'])){header("location: ../index.php"); exit();}

$con = mysql_connect("**","**","**");
mysql_select_db("**", $con);

$username = mysql_real_escape_string($_SESSION['username']);

// start the validation flags from a known state
$valid = "true";
$errors = "";
$old_picture = "";

// get extension (from the browser-supplied content type)
if ($HTTP_POST_FILES['uploadedfile']["type"] == "image/gif") {$ext = ".gif";}
if ($HTTP_POST_FILES['uploadedfile']["type"] == "image/png") {$ext = ".png";}
if ($HTTP_POST_FILES['uploadedfile']["type"] == "image/jpeg") {$ext = ".jpg";}

// validate: error "1" = unsupported type, error "2" = larger than 3 MB
if ($HTTP_POST_FILES['uploadedfile']["type"] != "image/gif" && $HTTP_POST_FILES['uploadedfile']["type"] != "image/png" && $HTTP_POST_FILES['uploadedfile']["type"] != "image/jpeg") {$valid = "false"; $errors = $errors . "1";}
if ($HTTP_POST_FILES['uploadedfile']['size'] > 3000000) {$valid = "false"; $errors = $errors . "2";}

// if invalid, go to error page
if ($valid == "false"){
header("location: ../error_pages/upload_picture_error.php?why=$errors");
exit();}

// resize, rename, copy to folder
$path = "../profile_pictures/".$username . $ext;
$file_name = $HTTP_POST_FILES['uploadedfile']['tmp_name'];

copy($file_name, $path);
include('SimpleImage.php');
$image = new SimpleImage();
$image->load($path);
$image->resizeToWidth(100);
$image->save($path);
$picture = $username . $ext;

// look up the picture currently stored for this user
$result = mysql_query("SELECT * FROM perm WHERE username = '$username'");
while($row = mysql_fetch_array($result))
{$old_picture = $row['picture'];}

// delete old default picture
unlink("../profile_pictures/".$old_picture);

mysql_query("UPDATE perm SET picture = '$picture' WHERE username = '$username'");

echo '<script type="text/javascript">window.location = "../account.php";</script>';

?>

PostPosted: Sat Aug 20, 2011 12:42 pm
Site Administrator
Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
The first thing is to use move_uploaded_file() instead of copy() because it does security checks. See the manual for that function for more info about uploads. There is also a whole section of the manual about Handling file uploads - http://us.php.net/manual/en/features.file-upload.php

_________________
(#10850)

PostPosted: Sat Aug 20, 2011 9:00 pm
Forum Commoner
Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30
I had to set the permissions of the folder that the files are uploaded into to 777. Is this what it should be?

PostPosted: Sat Aug 20, 2011 9:26 pm
Site Administrator
Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
I would set the directory to the user that the web server runs as ... and then 700.

_________________
(#10850)
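Pulling the two replies together, here is an added example (not code from the thread or from any poster) of the upload step written the way the manual section linked above describes it: move_uploaded_file() instead of copy(), the per-file error code checked first, the image type taken from the file's bytes rather than from the browser-supplied type, and a server-chosen file name. It assumes the same field name "uploadedfile" and the same 3 MB limit as the original script, a ../profile_pictures directory owned by the web-server user with mode 700 as suggested, PHP 7 or later (for random_bytes()), and that the resize and database update happen afterwards in the caller.

```php
<?php
// Added example, not the thread's code: hardened replacement for the
// copy() section of the original upload script.

const MAX_UPLOAD_BYTES = 3000000;                    // same 3 MB limit as the original
const PICTURE_DIR      = __DIR__ . '/../profile_pictures';  // assumed location

// Accepted image types, keyed by the constant getimagesize() reports.
// The extension is chosen from the real content of the file, not from
// $_FILES[...]['type'], which is sent by the browser.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => '.gif',
    IMAGETYPE_PNG  => '.png',
    IMAGETYPE_JPEG => '.jpg',
];

/**
 * Validate one upload from $_FILES and move it into $dir.
 * Returns the stored file name; throws RuntimeException with a short reason.
 */
function store_profile_picture(array $file, string $dir = PICTURE_DIR): string
{
    // 1. PHP records upload problems in ['error']; check it before anything else.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'missing'));
    }

    // 2. The destination must exist and be writable by the web-server user;
    //    with the directory owned by that user, 700 is enough (no 777 needed).
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException('picture directory missing or not writable by the web-server user');
    }

    // 3. is_uploaded_file() confirms the temp path came from this request's
    //    upload. move_uploaded_file() repeats the check, but failing early
    //    gives a clearer error message.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 4. Size limit, enforced on the server from the size PHP recorded.
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 5. Determine the image type from the bytes on disk.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        throw new RuntimeException('not a GIF, PNG or JPEG image');
    }
    $ext = ALLOWED_TYPES[$info[2]];

    // 6. Server-chosen random name: nothing from the request reaches the path.
    $name = bin2hex(random_bytes(16)) . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;

    // 7. move_uploaded_file() refuses anything that is not a genuine upload and
    //    moves (rather than copies) the temp file, so no stray copy is left behind.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file into place');
    }

    // 8. Stored pictures are data, not programs: owner read/write only.
    chmod($dest, 0600);

    return $name;
}

// Usage in place of the copy() block of the original script, after the
// session check and before resizing and the database update:
try {
    $picture = store_profile_picture($_FILES['uploadedfile']);
} catch (RuntimeException $e) {
    header('Location: ../error_pages/upload_picture_error.php?why=' . urlencode($e->getMessage()));
    exit();
}
```

The returned name is what goes into the perm table; because it is random and server-generated, the later unlink() of the previous picture only ever touches a file this script created itself.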

PostPosted: Sun Aug 21, 2011 9:23 am
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Have a look at these urls, specifically the first one
&

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

PostPosted: Tue Aug 23, 2011 3:16 am
Forum Commoner
Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30

PostPosted: Tue Aug 23, 2011 5:52 am
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering