uploading script

mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

uploading script

Post by mainegate »

I picked up some good tips from O'Reilly's book "Learning PHP & MySQL". This was in the book for an upload script. It makes sense. But I want to get a sense from you veterans what you think of it and if it needs more? Three other questions:

1) It looks at type...so technically it is looking at its headers? Can't a hacker fake those and/or put malicious stuff inside those legal files like a jpg or whatever?

2) Is there a good list somewhere that says all the different file types? I cannot find a good place that lists all the different syntaxes for a file type. I never knew image/pjpeg was a jpg. I want to be able to add the different variations to my script.

3) Should the real upload folder (the one we moved the file into) be up one directory..same one or down? Does it matter? Also what are the permissions for the folder and the file we upload, should they have a chmod of anything special?


<?php
$maxsize = 10486000; // set the max upload size in bytes
if (!$HTTP_POST_VARS['submit']) {
    //print_r($HTTP_POST_FILES);
    $error = " ";
    // this will cause the rest of the processing to be skipped
    // and the upload form displays
}

// a file must have arrived through an HTTP POST upload
if (!is_uploaded_file($HTTP_POST_FILES['upload_file']['tmp_name']) AND !isset($error)) {
    $error = "<b>You must upload a file!</b><br /><br />";
    unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}

// size limit
if ($HTTP_POST_FILES['upload_file']['size'] > $maxsize AND !isset($error)) {
    $error = "<b>Error, file must be less than $maxsize bytes.</b><br /><br />";
    unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}

// type check: 'type' is the value sent by the browser
if ($HTTP_POST_FILES['upload_file']['type'] != "image/gif" AND $HTTP_POST_FILES['upload_file']['type'] != "image/pjpeg" AND $HTTP_POST_FILES['upload_file']['type'] != "image/jpeg" AND !isset($error)) {
    $error = "<b>You may only upload .gif or .jpeg files.</b><br /><br />";
    unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}

// no error so far: move the file into uploads/ under its original name
if (!isset($error)) {
    move_uploaded_file($HTTP_POST_FILES['upload_file']['tmp_name'], "uploads/".$HTTP_POST_FILES['upload_file']['name']);
    print "Thank you for your upload.";
    exit;
}
else
{
    echo ("$error");
}
?>
 
<html>
<head></head>
<body>
<form action = "<?php echo(htmlspecialchars($_SERVER['PHP_SELF']))?>" method="post" enctype="multipart/form-data">
Choose a file to upload:<br />
<input type="file" name="upload_file" size="80">
<br />
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: uploading script

Post by Hannes2k »

Hi,
use $_FILES instead of $HTTP_POST_FILES.
And next time please use the [ php] tag instead of the [ code] tag for your code.

The $_FILES['upload_file']['type'] is defined by the browser of the user, so you can upload an .exe, .php or whatever file and send as MIME type e.g. image/gif. You just have to modify the header sent by your browser (there are many plugins for Firefox where you can see and modify the HTTP header, e.g. Live HTTP Header).
So checking the 'type' does not prevent you from uploading bad files (.exe, .php, .html etc.)


To get an upload script secure isn't an easy job. Search the forum, in one post I have written how to secure an upload script.
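The point made in the post above, as an added example that is not part of the thread: the accept/reject decision is taken from the file's bytes and the stored name is chosen by the server, while the browser-sent type is only reported. The names classify_upload and ALLOWED_TYPES are hypothetical, and PHP 7+ with the fileinfo extension is assumed.

```php
<?php
// Added example (not from the thread). classify_upload() and ALLOWED_TYPES
// are hypothetical names; requires PHP 7+ and the fileinfo extension.
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg'];

/**
 * Returns ['ok' => bool, 'reason' => string, 'store_as' => ?string].
 * $path is the temp file; $clientType is what the browser claimed and
 * is never used for the decision.
 */
function classify_upload(string $path, string $clientType, int $maxBytes = 10486000): array
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return ['ok' => false, 'reason' => 'bad size', 'store_as' => null];
    }
    // Server-side detection from the file's magic bytes.
    $detected = (string) (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $ext = ALLOWED_TYPES[$detected] ?? null;
    if ($ext === null) {
        return ['ok' => false,
                'reason' => "content is $detected, client claimed $clientType",
                'store_as' => null];
    }
    // Server-chosen name and extension: the client's file name is never used,
    // so a file that passes the sniff still cannot be stored as .php or .html.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'reason' => "content is $detected", 'store_as' => $name];
}

// Constructed sample inputs: a minimal 1x1 GIF and a PHP source file,
// both "claimed" by the client to be image/gif.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello'; ?>\n");

foreach ([$gif, $php] as $p) {
    $r = classify_upload($p, 'image/gif');
    printf("%s -> %s (%s)\n", basename($p),
           $r['ok'] ? $r['store_as'] : 'rejected', $r['reason']);
    unlink($p);
}
```

In a request handler, pass $_FILES['upload_file']['tmp_name'] once is_uploaded_file() succeeds, and give move_uploaded_file() the returned store_as name instead of the client's ['name'].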
mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

Re: uploading script

Post by mainegate »

I don't get why $_FILES is better than $HTTP_POST_FILES? The latter is checking my type when I run the script..it's echoing back....are you saying it secretly isn't?
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: uploading script

Post by Hannes2k »

Hi,
mainegate wrote: I don't get why $_FILES is better than $HTTP_POST_FILES?
Because programmers are lazy....

You should use the short $_FILES, because this has 9 chars less than $HTTP_POST_FILES. So you increase the clarity of your script and increase your productivity.
And: As far as I know, $HTTP_POST_FILES won't work in PHP6 any more. So it's advised to use the shorter version of it.


mainegate wrote: The latter is checking my type when I run the script..it's echoing back....are you saying it secretly isn't?
I do not understand what you mean. Your script isn't secure.
mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

Re: uploading script

Post by mainegate »

What do you mean it is not secure? What is wrong with it? I think using the short form would be a good idea but how is it insecure? Is it because I didn't write shorthand or is it for another reason?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: uploading script

Post by Mordred »

The "long" version is/will be deprecated.
The code is insecure, as Hannes2k already mentioned.
I suggest you stop reading this book.
mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

Re: uploading script

Post by mainegate »

O.K...good to know about the deprecation. I would like to learn why it is not secure. Can you be more specific as to why and what it would need? What book(s) do you recommend?