Page 1 of 1

uploading script

Posted: Sat Nov 29, 2008 6:04 pm
by mainegate
I picked up some good tips from O'Reilly 's book "Learning PHP & MySQL". This was in the book for an upload script. It makes sense. But I want to get a sense from you veterans what you think of it and if it needs more? Three other questions?

1) It looks at type...so technically it is looking at its headers? Can't a hacker fake those and/or put malicious stuff inside those legal files like a jpg or whatever?

2) Is there a good list somewhere that says all the different file types? I cannot find a good place that lists all the different syntacs for a file type. I never knew image/pjpeg was a jpg. I want to be able to add them in my script the different variations.

3) Should the real upload folder (the one we moved the file into) be up one directory..same one or down? Does it matter? Also what is the permissions for the folder and the file we upload should they have a chmod of anything special?

Code: Select all

<?php 
$maxsize=10486000; //set the max upload size in bytes
if (!$HTTP_POST_VARS['submit']) {
//print_r($HTTP_POST_FILES);
$error=" ";
//this will cause the rest of the processing to be skipped
//and the upload form displays
}
if (!is_uploaded_file($HTTP_POST_FILES['upload_file']['tmp_name']) AND !isset($error)) {
$error = "<b>Your must upload a file!</b><br /><br />";
unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}
 
 
if ($HTTP_POST_FILES['upload_file']['size'] > $maxsize AND !isset($error)) {
$error = "<b>Error, file must be less than $maxsize bytes.</b></br /><br />";
unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}
 
 
if($HTTP_POST_FILES['upload_file']['type'] != "image/gif" AND $HTTP_POST_FILES['upload_file']['type'] != "image/pjpeg" AND $HTTP_POST_FILES['upload_file']['type'] != "image/jpeg" AND !isset($error)) {
$error = "<b>You may only upload .gif or .jpeg files.<b></br /><br />";
unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}
 
 
 
 
if (!isset($error)) {
move_uploaded_file($HTTP_POST_FILES['upload_file']['tmp_name'], "uploads/".$HTTP_POST_FILES['upload_file']['name']);
print "Thank you for your upload.";
exit;
}
else
{
echo ("$error");
}
?>
 
<html>
<head></head>
<body>
<form action = "<?php echo(htmlspecialchars($_SERVER['PHP_SELF']))?>" method="post" enctype="multipart/form-data">
Choose a file to upload:<br />
<input type="file" name="upload_file" size="80">
<br />
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>

Re: uploading script

Posted: Sun Nov 30, 2008 8:25 am
by Hannes2k
Hi,
use $_FILES instead of $HTTP_POST_FILES.
And next time please use the [ php] tag instead of the [ code] tag for your code.

The $_FILES['upload_file']['type'] is defined by the browser of the user, so you can upload an .exe, .php or what ever file and send as mime type e.g. image/gif. You just have to modify the header send by your browser (there are many plugins for Firefox where you can see and modify the HTTP header, e.g. Live HTTP Header).
So checking the 'type' do not prevent you from uploading bad files (.exe, .php, .html etc.)


To get a upload script secure isn't an easy job. Search the forum, in one post I have written how to secure an upload script.

Re: uploading script

Posted: Sun Nov 30, 2008 12:46 pm
by mainegate
I don't get why $_FILES is better than $HTTP_POST_FILES? The latter is checking my type when I run the script..its echoing back....are you saying it secretly isn't?

Re: uploading script

Posted: Sun Nov 30, 2008 2:24 pm
by Hannes2k
Hi,
mainegate wrote:I don't get why $_FILES is better than $HTTP_POST_FILES?
Because programmer are lazy....

You should use the short $_FILES, because this has 9 chars less than $HTTP_POST_FILES. So you increase the clarity of your script and increase your productivity.
And: As far as I know would $HTTP_POST_FILES doesn't work in PHP6 any more. So its advice to use the shorter version of it.


The latter is checking my type when I run the script..its echoing back....are you saying it secretly isn't?
I do not understand what you mean. Your script isn't secure.

Re: uploading script

Posted: Sun Nov 30, 2008 8:05 pm
by mainegate
What do you mean it is not secure? What is wrong with it? I think using the short forum would be a good idea but how is it insecure? Is it because I didn't write shorthand or is it for another reason?

Re: uploading script

Posted: Mon Dec 01, 2008 3:02 am
by Mordred
The "long" version is/will be deprecated.
The code is insecure, as Hannes2k already mentioned.
I suggest you stop reading this book

Re: uploading script

Posted: Tue Dec 02, 2008 10:49 pm
by mainegate
O.K...good to know about the depreciation. I would like to learn why it is not secure. Can you be more specific as to why and what it would need? What book(s) do you recommend?