Upload Script - File Type Filter - HELP!!!!!!(2 pages)

JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

i have a PHP upload script, that very much works, but it doesn't filter any file types out. i want to be able to block certain file types. or if that's not possible, then just specify which file types. but it'd be much better if i could block. anyway, here is my code:

Code:

<?php

//$web_two = "<a href=http://www.csscobalt.com/uploads/"

// Where the file is going to be placed
$target_path = "uploads/";

/* Add the original filename to our target path.
Result is "uploads/filename.extension" */
$name = basename($_FILES['uploadedfile']['name']);
$target_path = $target_path . $name;

// Note: no file type check happens here; any extension is accepted.
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    // The name comes from the client, so escape it before echoing it into HTML.
    $safe_name = htmlspecialchars($name, ENT_QUOTES);
    echo "The file " . $safe_name .
    " has been uploaded. here is the link to your file: <a href=\"uploads/" . rawurlencode($name) . "\">" . $safe_name . "</a>";
} else {
    echo "There was an error uploading the file, please try again!";
}

?>
Last edited by JustinMs66 on Sun Sep 03, 2006 9:33 pm, edited 1 time in total.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

if you print_r($_FILES) you might find something of interest.
If you want to match image types then use exif_imagetype().
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

ole wrote: If you want to match image types then use exif_imagetype().
Sorry to hijack the thread, but why not use getimagesize() for the image type?
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

getimagesize is probably better. getimagesize is actually a very bad name for the function.
I like exif_imagetype() for readability and the fact you don't have to fumble for the type in an array.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

"The return value is the same value that getimagesize() returns in index 2 but exif_imagetype() is much faster."
From the exif_imagetype() page :) I should read up more before posting.
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

no i just wanna ban certain file types from being uploaded....
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

ole wrote: if you print_r($_FILES) you might find something of interest.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

The return value is the same value that getimagesize() returns in index 2 but exif_imagetype() is much faster.
I didn't see that either actually. Well there's another reason then :)

what types do you want to filter?
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

i wanna filter:
.php .exe .js .html .xml

and i'm not the best at PHP code, so just keep that in mind.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Why do you want to filter those?
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

dude because people can make f**king hacking scripts, upload them, and f**K you over. so can u plz tell me how?
.php .exe .js .html .xml ok?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Read through Useful Posts. There's a thread linked from it about determining various types of files. And keep the swearing to a minimum, there's rarely ever a need for it here.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

OK here's some facts that I'm pretty sure about:
  • If you have any kind of file upload service in place a hacker will be able to use it to put potentially dangerous data on your server
  • You cannot easily discern between nice plain text and js/php/xml
  • You definitely can't hack with an xml file, it's just a data structure, there is no behaviour
  • You are going to need a much longer list than that anyway. What about .vbs .cmd .sh .htaccess + extension of every interpreted language + the name of every directory aware configuration file for every piece of software on the OS your server is running?
  • The danger of these files only occurs when you execute them. If you are for some bizarre reason echoing them straight to the browser you can use htmlspecialchars() to thwart that.
  • Being rude doesn't get you stuff
So you need to ask yourself: why have I got a file upload service, can I provide the same functionality with a more secure alternative? If you do need file uploads, ask when do these uploaded files see the light of day and how? Is there an escaping technique for that type of output to prevent them being executed?
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Instead of filtering file types that you don't want to allow, it would be a lot easier for you to allow only specific file types.
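
An allow-list version of the upload handler, along the lines suggested above, added here as an example (it is not code from any poster in the thread). The list of permitted types, the `checked_upload_name()` helper and the random stored name are assumptions for illustration; it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example: allow-list upload check (not code from the thread).
// The permitted types are an assumption; list only what the site needs.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];

/**
 * Return a server-generated file name if the upload passes the allow-list,
 * or null if it must be rejected. (Hypothetical helper.)
 */
function checked_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only the final extension is looked at: "notes.php.jpg" is judged as
    // jpg and then has to pass the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null; // .php, .exe, .htaccess, no extension, ... all end here
    }
    // Detect the type from the file's bytes, not from the client-supplied
    // $_FILES[...]['type'] value.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client's file name; store under a random one.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$name = checked_upload_name($_FILES['uploadedfile'] ?? []);
if ($name !== null
    && move_uploaded_file($_FILES['uploadedfile']['tmp_name'], "uploads/" . $name)) {
    echo "Uploaded as " . htmlspecialchars($name, ENT_QUOTES);
} else {
    http_response_code(400);
    echo "Upload rejected.";
}
```

Serving `uploads/` with script execution switched off in the web server keeps a file that slips through from running, which matches the point above that the danger only arises on execution.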
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

no i think i'd rather just disable the file types, not enable others, cuz it would take a LOT longer. i upload a LOT of different stuff to this.

and yes, i'm sorry for being rude, but my website was hacked a couple days ago...everything deleted. so if you could PLEASE PLEASE just TELL ME how to disable file types.
Last edited by JustinMs66 on Sun Sep 03, 2006 6:42 pm, edited 1 time in total.
Locked