I have a PHP upload script that very much works, but it doesn't filter any file types out. I want to be able to block certain file types, or if that's not possible, then just specify which file types. But it'd be much better if I could block. Anyway, here is my code:
<?php
// Where the file is going to be placed
$target_path = "uploads/";
/* Add the original filename to our target path.
   Result is "uploads/filename.extension" */
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
// The uploaded file itself is waiting in $_FILES['uploadedfile']['tmp_name']
?>
<?php
//$web_two = "<a href=http://www.csscobalt.com/uploads/"
$target_path = "uploads/";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
$original_name = basename($_FILES['uploadedfile']['name']);
// Move the temporary file into place under its original name; no file type check is done here
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    // Escape the name before echoing it into HTML; quote the href attribute
    $shown = htmlspecialchars($original_name, ENT_QUOTES);
    echo "The file " . $shown .
        " has been uploaded. here is the link to your file: <a href=\"uploads/" . $shown . "\">" . $shown . "</a>";
} else {
    echo "There was an error uploading the file, please try again!";
}
?>
Last edited by JustinMs66 on Sun Sep 03, 2006 9:33 pm, edited 1 time in total.
getimagesize is probably better. getimagesize is actually a very bad name for the function.
I like exif_imagetype() for readability and the fact you don't have to fumble for the type in an array.
Read through Useful Posts. There's a thread linked from it about determining various types of files. And keep the swearing to a minimum, there's rarely ever a need for it here.
If you have any kind of file upload service in place, a hacker will be able to use it to put potentially dangerous data on your server.
You cannot easily discern between nice plain text and js/php/xml.
You definitely can't hack with an XML file; it's just a data structure, there is no behaviour.
You are going to need a much longer list than that anyway. What about .vbs .cmd .sh .htaccess + the extension of every interpreted language + the name of every directory-aware configuration file for every piece of software on the OS your server is running?
The danger of these files only occurs when you execute them. If you are for some bizarre reason echoing them straight to the browser, you can use htmlspecialchars() to thwart that.
Being rude doesn't get you stuff.
So you need to ask yourself: why have I got a file upload service? Can I provide the same functionality with a more secure alternative? If you do need file uploads, ask when these uploaded files see the light of day and how. Is there an escaping technique for that type of output to prevent them being executed?
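Putting the replies above together, here is an added example (not code from the thread or from any poster) of an allowlist check dropped in front of the original script's move_uploaded_file() call. It assumes PHP 7.1 or later with the fileinfo and exif extensions, the same 'uploadedfile' form field, and that the web server serves uploads/ as static files and never executes scripts stored there.

```php
<?php
// Added example, not the thread's code: allowlist check for the poster's
// upload script. Assumes PHP 7.1+, the fileinfo and exif extensions, the same
// 'uploadedfile' form field, and that uploads/ is served as static files.

// extension => MIME type that finfo must report for the file's contents
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Returns a safe filename to store the upload under, or null to reject it.
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null; // PHP already rejected it (too big, partial, missing)
    }
    // Only the final extension counts, so "x.php.jpg" is judged as .jpg and
    // must then also pass the content checks below
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null; // anything not on the allowlist is blocked
    }
    // Check the bytes, not just the name: finfo reads the file's magic header
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null; // extension and content disagree
    }
    // For images, exif_imagetype() (suggested above) double-checks the header
    if ($ext !== 'pdf' && exif_imagetype($file['tmp_name']) === false) {
        return null;
    }
    // Never reuse the client-supplied name; pick one that cannot collide
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$safe_name = validate_upload($_FILES['uploadedfile'] ?? []);
if ($safe_name === null) {
    echo "That file type is not allowed.";
} elseif (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], "uploads/" . $safe_name)) {
    $link = htmlspecialchars("uploads/" . $safe_name, ENT_QUOTES);
    echo "The file has been uploaded: <a href=\"$link\">$link</a>";
} else {
    echo "There was an error uploading the file, please try again!";
}
```

Whatever list you end up with, the check on the file's contents and the server-side decision not to execute anything under uploads/ are what make the filter hold; the extension list alone is the blocklist problem described in the reply above.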
No, I think I'd rather just disable the file types, not enable others, 'cause it would take a LOT longer; I upload a LOT of different stuff to this.
And yes, I'm sorry for being rude, but my website was hacked a couple of days ago... everything deleted. So if you could PLEASE PLEASE just TELL ME how to disable file types.
Last edited by JustinMs66 on Sun Sep 03, 2006 6:42 pm, edited 1 time in total.