uploading script
Posted: Sat Nov 29, 2008 6:04 pm
I picked up some good tips from O'Reilly's book "Learning PHP & MySQL". This was in the book for an upload script. It makes sense. But I want to get a sense from you veterans what you think of it and if it needs more? Three other questions:
1) It looks at type... so technically it is looking at its headers? Can't a hacker fake those and/or put malicious stuff inside those legal files like a jpg or whatever?
2) Is there a good list somewhere that says all the different file types? I cannot find a good place that lists all the different syntaxes for a file type. I never knew image/pjpeg was a jpg. I want to be able to add the different variations in my script.
3) Should the real upload folder (the one we move the file into) be up one directory, the same one, or down? Does it matter? Also, what are the permissions for the folder and the file we upload; should they have a chmod of anything special?
<?php
$maxsize = 10486000; // set the max upload size in bytes

// $HTTP_POST_VARS / $HTTP_POST_FILES are the long-deprecated names; use $_POST / $_FILES
if (!isset($_POST['submit'])) {
    // print_r($_FILES);
    $error = " ";
    // this will cause the rest of the processing to be skipped
    // and the upload form displays
}
if (!isset($error) && !is_uploaded_file($_FILES['upload_file']['tmp_name'])) {
    // nothing was uploaded, so there is no temp file to unlink
    $error = "<b>You must upload a file!</b><br /><br />";
}
if (!isset($error) && $_FILES['upload_file']['size'] > $maxsize) {
    $error = "<b>Error, file must be less than $maxsize bytes.</b><br /><br />";
    unlink($_FILES['upload_file']['tmp_name']);
}
// note: 'type' is the Content-Type the client sent, not something PHP verified
if (!isset($error)
    && $_FILES['upload_file']['type'] != "image/gif"
    && $_FILES['upload_file']['type'] != "image/pjpeg"
    && $_FILES['upload_file']['type'] != "image/jpeg") {
    $error = "<b>You may only upload .gif or .jpeg files.</b><br /><br />";
    unlink($_FILES['upload_file']['tmp_name']);
}
if (!isset($error)) {
    // basename() strips any directory part from the client-supplied name
    move_uploaded_file($_FILES['upload_file']['tmp_name'],
        "uploads/" . basename($_FILES['upload_file']['name']));
    print "Thank you for your upload.";
    exit;
} else {
    echo $error;
}
?>
<html>
<head></head>
<body>
<form action = "<?php echo(htmlspecialchars($_SERVER['PHP_SELF']))?>" method="post" enctype="multipart/form-data">
Choose a file to upload:<br />
<input type="file" name="upload_file" size="80">
<br />
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
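An added example (not from the book or the poster's script) that answers question 1 in code: it decides the file type from the bytes on disk with finfo and getimagesize instead of the client-supplied $_FILES['type'], stores the file under a generated name with a forced extension, and sets plain 0644 permissions. The function name, the $requireUploaded switch and the demo temp directory are this example's own choices; the 1x1 GIF at the bottom is constructed test input.

```php
<?php
// Allowed types, keyed by the MIME type libmagic reports from the bytes,
// mapped to the extension we will force on the stored file.
const ALLOWED_IMAGE_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_UPLOAD_BYTES = 10486000;

// Returns the stored path on success, throws on any rejection.
// $requireUploaded is only false for the offline demo below; a real handler keeps it true.
function store_image_upload(string $tmpPath, int $size, string $destDir, bool $requireUploaded = true): string
{
    if ($requireUploaded && !is_uploaded_file($tmpPath)) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Check both the reported size and the real size of the temp file.
    if ($size > MAX_UPLOAD_BYTES || filesize($tmpPath) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Sniff the real type from the content; the Content-Type header is whatever the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // Second opinion from the image parser: a file libmagic accepts but that has no readable
    // image header is rejected too.
    if (getimagesize($tmpPath) === false) {
        throw new RuntimeException('Not a parseable image');
    }
    // Never reuse the client's filename: generate one and force the extension ourselves.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    $moved = $requireUploaded ? move_uploaded_file($tmpPath, $dest) : rename($tmpPath, $dest);
    if (!$moved) {
        throw new RuntimeException('Move failed');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

// Demo with a constructed 1x1 transparent GIF; a real handler passes the
// tmp_name and size fields of $_FILES['upload_file'] and a directory outside the web root.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);
$outDir = sys_get_temp_dir() . '/uploads_demo';
@mkdir($outDir, 0755);
echo store_image_upload($tmp, strlen($gif), $outDir, false), "\n";
```

Renaming a PHP script to .jpg does not get past this check, because libmagic and getimagesize look at the bytes, and even a polyglot that passes both lands under a random name with a non-executable extension in a directory the web server only serves as static files.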