
Drongo_III
Members, 579 posts

Everything posted by Drongo_III

  1. Hi Guys. Bit of a noob question but I'm really rusty on JavaScript. I'm working on a simple example that is going to be used to create something more complex. Anyway, essentially I have a loop (below) and the intention is that it will append (to a paragraph) all the values from a few objects I've created. The issue is that instead of appending the actual values I simply get the literal - e.g. the value of itm2.model should come out as 'boxter' but instead it gets appended as itm2.model. So how can I force it to interpret it as the value? It's quite hard to explain so I hope that gives you the idea.

         itm2 = new Object();
         itm2.make = "porche";
         itm2.model = "boxter";
         var g = <?php echo $count ?>;
         for (i = 1; i <= g; i++) {
             var handle = "itm" + i + '.model';
             $('#writer').append(handle + "<br/>");
         }
  2. Cool, thanks for that Xyph. Good to know I'm on the right track. I was planning on concatenating time() and mt_rand() to produce a random file name for when I move the file. When you talk about the destination, what's your opinion on the need to store the file outside the document root? I was planning to just store the files in the doc root but then place a .htaccess file to stop execution of any scripts. Does that sound about right? It's purely an image directory.
  3. Yeah, sorry for taking you round the houses... I think I need a few more early nights. Besides having a turnip for a brain... is that code sort of on the right road to being secure?
  4. Oh, I am a total prat! I have just realised the issue...

         if(!empty($value['tmp_name'])){

     That's the first statement evaluated... and obviously a file that exceeds the limit doesn't get tmp_name set... I am a donkey. Apologies for being a waste of time guys. Out of interest though, is my code on the road to being fairly secure?
  5. That was a good call. It seems outside of my loop, and directly accessing the $_FILES array, it worked fine :/ OK, you're probably going to slam my poor coding now but here is the loop that checks the upload... it's my first shot at trying to make an uploader that's secure so go easy hehe... The line that's causing the issue is around line 50. Have I just done this all wrong?

         public function imgcheck(){
             $test = array();
             foreach($_FILES as $key => $value){
                 if(!empty($value['tmp_name'])){
                     //Check that the file is an upload
                     if(!is_uploaded_file($value['tmp_name'])){
                         return "This file has not been uploaded. You cannot do this.";
                     }
                     //Check if we're dealing with real images
                     if(!getimagesize($value['tmp_name'])){
                         return "The image you uploaded for " . $key . " is not a valid image type";
                     }
                     // CHECK FILE TYPE IS VALID
                     $allowed_types = array("image/gif","image/jpeg","image/pjpeg");
                     if(!in_array($value["type"],$allowed_types)) {
                         return "You have attempted to upload an unsupported file type. The system only accepts JPEG and GIF files " . $key . " " . $value['size'] . " " . $value['error'];
                     }
                     // THIS IS THE CODE CAUSING ME AN ISSUE
                     if($value['error'] == 1) {
                         return "The file you've attempted to upload exceeds the server limit";
                     }
                     if($value['size'] > 2097140) {
                         return "The file you're attempting to upload exceeds the maximum file limit of 2MB";
                     }
                 }
                 else{ return "clean";}
             }
         }
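Editor's note, with an added example that is not the poster's code: the loop above, reordered so the checks that the thread converges on (posts 4, 5, 13, 14, 18 and 20 on this page) run in a usable order. The error code is tested first, because an entry that exceeded upload_max_filesize arrives with an empty tmp_name, size 0 and error 1 (UPLOAD_ERR_INI_SIZE), so any check that starts from tmp_name or size silently skips it; then is_uploaded_file(); then the real type read from the file's bytes with getimagesize() rather than the browser-supplied $_FILES[...]['type']; then size from the filesystem. The 2 MB limit, the storage path /var/www/uploads, the field names picture1..picture3 and the "no file" sentinel are assumptions made for the example; it targets PHP 8.

```php
<?php
// Added example (editor's, not the poster's code): a hardened version of the
// imgcheck() loop above. Order matters: error code first, because an entry that
// exceeded upload_max_filesize arrives with tmp_name "", size 0 and error 1
// (UPLOAD_ERR_INI_SIZE); then is_uploaded_file(); then the real type read from
// the bytes; then size. The 2 MB limit, the storage path and the field names
// picture1..picture3 are assumptions.
declare(strict_types=1);

final class ImageUploadChecker
{
    private const MAX_BYTES = 2 * 1024 * 1024;                                   // assumed limit
    private const ALLOWED   = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];  // by detected type

    public function __construct(private string $storeDir) {}   // assumed: outside the document root

    /** Returns null when $file (one $_FILES entry) is acceptable, else a user message. */
    public function check(array $file): ?string
    {
        // 1. Error code first; the rest of the entry is meaningless unless it is 0.
        switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
            case UPLOAD_ERR_OK:
                break;
            case UPLOAD_ERR_NO_FILE:
                return 'no file';                      // caller treats this as "field left empty"
            case UPLOAD_ERR_INI_SIZE:
            case UPLOAD_ERR_FORM_SIZE:
                return 'The file you have attempted to upload exceeds the server limit';
            default:
                return 'Upload failed (error code ' . (int) $file['error'] . ')';
        }
        // 2. Only touch a file PHP itself received in this POST request.
        if (!is_uploaded_file($file['tmp_name'])) {
            return 'This file has not been uploaded';
        }
        // 3. Size from the filesystem, not from the entry's 'size' field.
        if (filesize($file['tmp_name']) > self::MAX_BYTES) {
            return 'The file exceeds the maximum file limit of 2MB';
        }
        // 4. Real type from the file's bytes. $file['type'] is whatever the browser
        //    claimed and is deliberately never consulted.
        $info = @getimagesize($file['tmp_name']);
        if ($info === false || !isset(self::ALLOWED[$info[2]])) {
            return 'Only GIF and JPEG images are accepted';
        }
        return null;
    }

    /** Moves a checked file to a random name whose extension comes from the detected type. */
    public function store(array $file): string
    {
        $ext  = self::ALLOWED[getimagesize($file['tmp_name'])[2]];
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest = $this->storeDir . '/' . $name;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('could not move uploaded file');
        }
        chmod($dest, 0644);                             // readable, never executable
        return $name;
    }
}

// If the whole POST exceeded post_max_size, PHP discards $_POST and $_FILES, so no
// per-field error code ever appears; detect that case before looking at fields.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && empty($_POST) && empty($_FILES)) {
    exit('The request exceeded the server post size limit');
}

$checker = new ImageUploadChecker('/var/www/uploads');          // assumed path
foreach (['picture1', 'picture2', 'picture3'] as $field) {      // assumed field names
    if (!isset($_FILES[$field])) {
        continue;
    }
    $problem = $checker->check($_FILES[$field]);
    if ($problem === 'no file') {
        continue;                                               // optional field left empty
    }
    if ($problem !== null) {
        echo htmlspecialchars("$field: $problem"), "<br/>";
        continue;
    }
    echo htmlspecialchars("$field stored as " . $checker->store($_FILES[$field])), "<br/>";
}
```

Two design points. The per-field check compares against the file as it landed on disk, so with three upload fields each file is judged on its own and the $_SERVER['CONTENT_LENGTH'] comparison from post 7 is only needed for the whole-request case handled before the loop. On the destination question from post 2: if the directory really sits outside the document root, nothing in it can be requested (or executed) by URL and the .htaccess is unnecessary; if it has to stay under the web root, the random name plus an extension taken from the detected type already rules out a .php filename, and a .htaccess with `php_flag engine off` (mod_php) is a reasonable second layer.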
  6. Hi xyph. I wasn't necessarily trying to argue that my point was correct... just trying to convey my understanding of it so you can set me straight as I am clearly doing something wrong. I wasn't changing codes per se. What I meant was if I do:

         if($value['error'] == 0) { return "This triggered the return"; }

     and then upload a file that is within the upload limit, as set in php.ini, then I get the statement returned - indicating the code works. But if I do:

         if($value['error'] == 1) { return "This triggered the return"; }

     this time uploading the big image file, I get nothing returned. Even though a print_r of $_FILES shows that this large file has an error code of 1. So to me it seemed that based on that test, scenario two meant that when I uploaded a large image file it bypassed this condition somehow. But that might have been a poor choice of words. I will try your code out now and thank you for your patience.
  7. Stick with me on this one and I apologise if I'm being slow on the uptake. It occurs to me that the $_FILES array is being set, because when I print_r $_FILES after I upload I see the array in my original post - i.e. listing the file I uploaded. So I might be misunderstanding you but doesn't that signify the array is set? The only issue with testing $_SERVER['CONTENT_LENGTH'] is that I have three upload fields - so the user could legitimately exceed the limit - i.e. if I just test content_length against 2mb.
  8. Well, when I say "bypassing" it's because it seems as though it is, because if I upload a file within the upload limit and set the code to 0 it returns the statement. content_length is returning 3498774 - i.e. the file size of the large file. What am I doing wrong?
  9. Hi PFMaBiSmAd. I thought checking the error code would solve the issue but for some reason when the file far exceeds the php.ini limit it just seems to bypass the script. The code below works fine if I upload an image that's within the upload limit but it won't work if the file exceeds the upload limit. Any ideas why that might be?

         if($value['error'] == 1) { return "The file you've attempted to upload exceeds the server limit"; }

     Incidentally, the reason the array is $value['error'] is because it's part of a loop on the $_FILES array.
  10. Ahh, that's good to know. I might try the array method in future.
  11. You can also do something like:

         $ext = pathinfo($file, PATHINFO_EXTENSION);

     Where $file is a handle for your uploaded file. Just another option.
  12. Of course! I completely forgot to check errors... Thanks for the help PFMaBiSmAd - you are teaching me a lot.
  13. Hi Guys. Probably a simple answer here that I'm missing. I've got a simple upload script for an image uploader that does various checks for security's sake. One of the checks is on file size to make sure it doesn't exceed the upload limit set in php.ini. The limit is set at 2mb, so the script checks that the file doesn't exceed this limit. The problem occurs when I try to upload a file that far exceeds the limit (the one below is 3.5mb). When I do this the upload gets past my script because $_FILES['picture1']['size'] gets set to no value. A print_r of the files array shows:

         [picture1] => Array
             (
                 [name] => DSC01468.JPG
                 [type] =>
                 [tmp_name] =>
                 [error] => 1
                 [size] => 0
             )

     So what I wanted to know was whether this was normal? And should I simply do a check to see if the size value is empty? Any advice would be good! Thanks, Drongo
  14. Hi guys. Sorry I keep asking noob questions today... I'm working on something that has a user-facing image upload facility. So I'm slowly working through a class to make this as secure as possible. One of the tips online is to use the method is_uploaded_file(). According to php.net - "Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd." I'm not one to just use things without understanding why. So how exactly could someone get a script to work on an internal file via a browse/upload facility?
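Editor's note, with an added example that is not the poster's code: the scenario the php.net sentence is describing is a script that ends up with a source path it did not get from $_FILES. Historically that was register_globals (a request parameter named like the upload variable could set, say, $userfile to /etc/passwd before the script ran); the modern equivalent is any script that reads the path to operate on from a form field, a cookie or a hidden input instead of from $_FILES[...]['tmp_name']. is_uploaded_file() only answers true for a file that PHP itself wrote to disk for the current request's multipart upload, so the trick fails regardless of where the path came from. The example below runs from the command line, where nothing is an upload, and uses an ordinary temp file with constructed contents as a stand-in for /etc/passwd.

```php
<?php
// Added example (editor's, not the poster's code): why is_uploaded_file() matters.
// Both functions "copy a source path somewhere"; the first trusts whatever path
// it is handed, the second only accepts a file PHP received as an upload in the
// current request. Run from the CLI, where nothing is an upload.
declare(strict_types=1);

// Vulnerable pattern: the source path comes from somewhere the user influences
// (historically register_globals; today a form field, cookie or hidden input).
function copy_trusting_path(string $src, string $dest): bool
{
    return copy($src, $dest);                 // copies /etc/passwd just as happily as a JPEG
}

// Hardened: refuse anything that is not an upload belonging to this request.
function copy_if_uploaded(string $src, string $dest): bool
{
    if (!is_uploaded_file($src)) {
        return false;
    }
    // move_uploaded_file() repeats the same check internally, so even if the
    // guard above were removed the copy would still be refused.
    return move_uploaded_file($src, $dest);
}

// Stand-in for /etc/passwd: an ordinary file with constructed contents.
$notAnUpload = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($notAnUpload, "root:x:0:0:root:/root:/bin/bash\n");   // constructed sample line
$dest = sys_get_temp_dir() . '/copied-by-upload-script.txt';

$trusting = copy_trusting_path($notAnUpload, $dest);   // succeeds: the file is simply copied
$checked  = copy_if_uploaded($notAnUpload, $dest);     // refused: not an upload of this request

printf("copy_trusting_path: %s\n", $trusting ? 'copied' : 'refused');
printf("copy_if_uploaded:   %s\n", $checked ? 'copied' : 'refused');

unlink($notAnUpload);
if (file_exists($dest)) {
    unlink($dest);
}
```

The practical rule that falls out of this: take tmp_name only from $_FILES, call is_uploaded_file() on it before any getimagesize()/filesize() work, and move it with move_uploaded_file() rather than copy() or rename(). On a current PHP build with register_globals long gone, the guard costs nothing and catches the day someone refactors the class to accept a path argument.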
  15. All makes sense now. Thanks for taking the time.
  16. Thanks both! PFMaBiSmAd: That really helps me to understand. And you're perfectly correct in spotting w3schools haha. I wasn't intending to use it exactly as it was written, I was just curious as to why and when you should use that sort of grouping. Your advice on using an array looks much cleaner though and I'll certainly adopt this method from here on in. Very glad I asked. OH, and it occurs to me now that using arrays like that can help make the function reusable... the penny drops. Thank you!
  17. Hi. Sorry, I realise this is a bit of a noob question but can someone explain why this if statement uses multiple parentheses? Is this a good way of grouping conditionals and when should you use it?

         if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/pjpeg")) && ($_FILES["file"]["size"] < 20000))
  18. Sorry, I might not be explaining myself very well. I intend to do lots of other checks. What I am trying to discover is whether $_FILES[name][type] or getimagesize() is better for discovering the true file type? OR are they exactly the same in what they'll return? "You should use several different types of checks, not just one, and in a somewhat logical order."
  19. Thanks MMDE. That's a very useful post. What I am trying to discover is which method is most robust for discovering file type though? Or are they just the same?
  20. Hi Guys. Quick question. I am just starting an application that enables users to upload files - specifically image files. As one of the validation/security steps I want to run a check on file type and file size. As far as I can see you do this one of two ways: 1) using the $_FILES array - i.e. $_FILES[name][type] and $_FILES[name][size], or 2) using the getimagesize() function. What I want to know is whether one of these methods is preferable for security or do they both suffer the same inherent flaws - because lots of posts online seem to suggest filetype can be faked. Advice would be appreciated.
  21. Hi Barand. Thanks for that. I thought imap might be the way to go but wanted to make sure I wasn't missing some simpler solution.
  22. Can anyone offer some advice on if I'm doing this right?
  23. Hi Guys. I'm just looking for some advice to make sure I go in the right direction from the off! Building a new system for a client. They'll receive contact information from a contact form on their website and the details of the contact form are logged in the admin area of the CMS. The client wants to be able to respond to these contacts via email without logging into the system and then have the details of the reply logged in the admin area of the CMS to know when something has been responded to. So essentially I need some way of getting that email into the database. The only way I can see this happening is to set up a new mailbox, the client blind copies that mailbox address into all replies, a cron then runs a PHP script that picks up the most recent emails via IMAP and then reads in the data - thereby registering the fact a response has happened (probably from the subject line reference) and it would then update the status of the contact. I am assuming this is theoretically possible as I've never done anything like that before. So... 1) Is there a better way of doing this without having the client log in to the site to respond? 2) Does the proposal above sound reasonable? Any advice would be much appreciated... Drongo
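Editor's note, with an added example that is not the poster's code: the cron job sketched in post 23, written out. It polls a dedicated mailbox over IMAP, pulls a contact reference out of each unseen message's subject, and marks that contact as answered. The mailbox string, credentials, the "[REF:1234]" subject tag, the contacts table columns and the PDO DSN are all assumptions. One caveat the design needs: the BCC address will leak (it appears in headers the recipient can see), so an unauthenticated stranger must not be able to close contacts by mailing it; the script therefore accepts only the client's own From address, and since From is itself forgeable, a secret token in the tag or a DKIM/SPF check at the mail server is the stronger version. The imap extension is bundled before PHP 8.4 and comes from PECL afterwards.

```php
<?php
// Added example (editor's, not the poster's code): poll a reply mailbox over IMAP
// and mark the referenced contact as answered. Mailbox, credentials, subject tag
// format "[REF:1234]" and the contacts table are assumptions.
declare(strict_types=1);

const MAILBOX         = '{imap.example.com:993/imap/ssl}INBOX';   // assumed
const MAIL_USER       = 'replies@example.com';                    // assumed
const MAIL_PASS       = 'change-me';                              // assumed; load from config in practice
const ALLOWED_SENDERS = ['client@example.com'];                   // assumed; the address will leak, so gate on sender

/** Contact id from a subject like "Re: Website enquiry [REF:1234]", or null. */
function extractReference(string $subject): ?int
{
    return preg_match('/\[REF:(\d{1,10})\]/', $subject, $m) ? (int) $m[1] : null;
}

/** Lower-cased From address from an imap_headerinfo() result, or null. */
function senderAddress(object $header): ?string
{
    $from = $header->from[0] ?? null;
    return $from ? strtolower($from->mailbox . '@' . $from->host) : null;
}

/** Marks the contact answered exactly once; returns true if a row changed. */
function markAnswered(PDO $db, int $contactId, string $sender, int $when): bool
{
    $stmt = $db->prepare(
        'UPDATE contacts SET status = :status, replied_at = :at, replied_by = :by
         WHERE id = :id AND status <> :status'
    );
    $stmt->execute([
        ':status' => 'answered',
        ':at'     => date('Y-m-d H:i:s', $when),
        ':by'     => $sender,
        ':id'     => $contactId,
    ]);
    return $stmt->rowCount() === 1;
}

/** Processes every unseen message; returns how many contacts were updated. */
function processMailbox(PDO $db): int
{
    $imap = imap_open(MAILBOX, MAIL_USER, MAIL_PASS);
    if ($imap === false) {
        throw new RuntimeException('IMAP connect failed: ' . imap_last_error());
    }
    $updated = 0;
    foreach (imap_search($imap, 'UNSEEN', SE_UID) ?: [] as $uid) {
        $header  = imap_headerinfo($imap, imap_msgno($imap, $uid));
        $subject = imap_utf8($header->subject ?? '');
        $sender  = senderAddress($header);
        $ref     = extractReference($subject);

        // Only a reply from the client's own address may close a contact.
        if ($ref !== null && $sender !== null && in_array($sender, ALLOWED_SENDERS, true)) {
            if (markAnswered($db, $ref, $sender, (int) ($header->udate ?? time()))) {
                $updated++;
            }
        }
        // Flag as seen whether or not it matched, so the same mail is never reprocessed.
        imap_setflag_full($imap, (string) $uid, '\\Seen', ST_UID);
    }
    imap_close($imap);
    return $updated;
}

$db = new PDO('mysql:host=localhost;dbname=cms', 'cms', 'secret', [   // assumed DSN
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
echo processMailbox($db), " contact(s) marked as answered\n";
```

Run it from cron every few minutes as a user that can reach neither the web root nor anything but the contacts table. The reference is forced to an integer and bound as a parameter, so a crafted subject cannot reach the SQL; the \Seen flag is set after every message, matched or not, so a malformed mail cannot wedge the loop; and the UPDATE's `status <> :status` guard makes a second delivery of the same reply a no-op.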
  24. Ahh, probably should have stated that I'm in the UK. I've done loads of searches but just can't seem to find anyone who offers this :/ I thought it would be an outside chance that anyone would know. Thank you very much for the info though!