Drongo_III
Posts posted by Drongo_III

  1. Hi Guys

    Bit of a noob question, but I'm really rusty on JavaScript.

    I'm working on a simple example that is going to be used to create something more complex.

    Anyway, essentially I have a loop (below) and the intention is that it will append (to a paragraph) all the values from a few objects I've created.

    The issue is that instead of appending the actual values I simply get the literal; e.g. the value of itm2.model should come out as 'boxter' but instead it gets appended as itm2.model.

    So how can I force it to interpret it as the value?

    It's quite hard to explain, so I hope that gives you the idea.

     

     

     

    itm2 = new Object();
    itm2.make = "porche";
    itm2.model = "boxter";

    var g = <?php echo $count; ?>;

    for (i = 1; i <= g; i++) {
        // builds the string "itm1.model", "itm2.model", ... rather than looking up the property
        var handle = "itm" + i + '.model';
        $('#writer').append(handle + "<br/>");
    }
    

  2. Cool, thanks for that Xyph. Good to know I'm on the right track.

    I was planning on concatenating time() and mt_rand() to produce a random file name for when I move the file.

    When you talk about the destination, what's your opinion on the need to store the file outside the document root?

    I was planning to just store the files in the doc root but then place a .htaccess file to stop execution of any scripts. Does that sound about right? It's purely an image directory.

     

    Looks okay.

     

    The most important part is when moving the file to its final destination

     

    You want to set the permissions to the minimum required

    http://stackoverflow.com/questions/290483/what-file-permissions-should-i-set-for-uploaded-files

     

    If you're using the $_FILES['fileInput']['name'] value at all, strip any bad characters out. Slashes, line-breaks, anything that shouldn't be in a filename. This is a pretty decent RegEx for that:

    $fileName = preg_replace('/[^\w\._]+/', '_', $fileName);

     

    It converts anything that isn't a word character, fullstop or underscore to an underscore.

     

    There might be more, but that covers the basics.
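    The move step described in the reply above, written out as an added example (this is not code from the thread or from either poster). It applies the regex quoted above to the client-supplied name, but only to pick an extension; the stored name comes from the CSPRNG, because the time() . mt_rand() scheme mentioned in the post is guessable (time() is visible to the client and mt_rand() is not a cryptographic generator). The field name 'picture1', the directory /var/www/uploads (outside the document root) and PHP 7 or later are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: the "move to final destination" step from
// the reply above, with the quoted regex applied to the client-supplied name.
// Assumptions (not from the original posts): form field 'picture1', storage directory
// /var/www/uploads outside the document root, PHP 7+ (random_bytes).
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads'; // assumed path, outside the web root

function sanitizeFileName(string $name): string
{
    // basename() drops any directory component ("../../etc/passwd" becomes "passwd"),
    // then the regex from the reply turns everything outside [A-Za-z0-9_.] into "_".
    $name = basename($name);
    $name = preg_replace('/[^\w\._]+/', '_', $name);
    // A name made only of dots would survive the regex as "." or ".."; refuse it.
    if ($name === null || $name === '' || trim($name, '.') === '') {
        return 'upload';
    }
    return $name;
}

function storeUpload(array $file): string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    // The client-supplied name is used for one thing only: picking an extension
    // from a short allow-list. It never reaches the filesystem itself.
    $ext = strtolower(pathinfo(sanitizeFileName($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif'], true)) {
        throw new RuntimeException('Unsupported extension: ' . $ext);
    }
    // Unpredictable name from the CSPRNG; time() . mt_rand() would be guessable.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the upload into place');
    }
    // Minimum permissions: owner read/write, group read, no execute bit for anyone.
    chmod($target, 0640);
    return $target;
}

// Usage: only when the field was actually submitted and PHP reports no error.
if (isset($_FILES['picture1']) && $_FILES['picture1']['error'] === UPLOAD_ERR_OK) {
    echo 'Stored as ' . storeUpload($_FILES['picture1']) . PHP_EOL;
}
```

    If the files have to stay inside the document root as the post proposes, the 0640 mode still matters, but the directory then also depends on the .htaccess rule that disables script execution; a directory outside the root, served through a small read-only PHP script, removes that dependency.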

  3. Yeah, sorry for taking you round the houses... I think I need a few more early nights.

    Besides having a turnip for a brain... is that code sort of on the right road to being secure?

     

    Your first check is

     

    !empty($value['tmp_name'])

     

    So, if it's empty (which it is in your example), your function will return 'clean'

  4. Oh, I am a total prat!

    I have just realised the issue...

    if (!empty($value['tmp_name'])) {

    That's the first statement evaluated... and obviously a file that exceeds the limit doesn't get tmp_name set... I am a donkey.

    Apologies for being a waste of time, guys.

    Out of interest, though, is my code on the road to being fairly secure?

  5. That was a good call. It seems that outside of my loop, and directly accessing the $_FILES array, it worked fine :/

    OK, you're probably going to slam my poor coding now, but here is the loop that checks the upload... it's my first shot at trying to make an uploader that's secure, so go easy hehe...

    The line that's causing the issue is around line 50. Have I just done this all wrong?

     

    public function imgcheck() {

        $test = array();

        foreach ($_FILES as $key => $value) {

            if (!empty($value['tmp_name'])) {

                // Check that the file is an upload
                if (!is_uploaded_file($value['tmp_name'])) {
                    return "This file has not been uploaded. You cannot do this.";
                }

                // Check if we're dealing with real images
                if (!getimagesize($value['tmp_name'])) {
                    return "The image you uploaded for " . $key . " is not a valid image type";
                }

                // CHECK FILE TYPE IS VALID
                $allowed_types = array("image/gif", "image/jpeg", "image/pjpeg");

                if (!in_array($value["type"], $allowed_types)) {
                    return "You have attempted to upload an unsupported file type. The system only accepts JPEG and GIF files " . $key . " " . $value['size'] . " " . $value['error'];
                }

                // THIS IS THE CODE CAUSING ME AN ISSUE
                if ($value['error'] == 1) {
                    return "The file you've attempted to upload exceeds the server limit";
                }

                if ($value['size'] > 2097140) {
                    return "The file you're attempting to upload exceeds the maximum file limit of 2MB";
                }

            } else {
                // Reached as soon as a file entry has no tmp_name (see the replies below)
                return "clean";
            }
        }
    }

     

    Try bypassing whatever you're doing to convert it to $value['error'] and instead use the $_FILES values directly. This will help isolate the issue.

  6. Hi xyph

    I wasn't necessarily trying to argue that my point was correct... just trying to convey my understanding of it so you can set me straight, as I am clearly doing something wrong.

    I wasn't changing codes per se. What I meant was if I do:

    if ($value['error'] == 0) {
        return "This triggered the return";
    }

    and then upload a file that is within the upload limit, as set in php.ini, then I get the statement returned - indicating the code works.

    But if I do:

    if ($value['error'] == 1) {
        return "This triggered the return";
    }

    this time uploading the big image file, I get nothing returned. Even though a print_r of $_FILES shows that this large file has an error code of 1.

    So to me it seemed that, based on that test, scenario two meant that when I uploaded a large image file it bypassed this condition somehow. But that might have been a poor choice of words.

    I will try your code out now and thank you for your patience :)

     

     

     

     

     

    post_max_size would include all 3 files as well, so I don't understand your argument.

     

    Your $_FILES array may not be empty, but it's returning ['error'] as 1

     

    UPLOAD_ERR_INI_SIZE

    Value: 1; The uploaded file exceeds the upload_max_filesize directive in php.ini.

     

    You still haven't explained what you mean by bypass, at least using standard terminology that we can understand. Set what code to zero? Why are you setting codes? You should be reading them.

     

    if (!isset($_FILES['yourInput']) || !empty($_FILES['yourInput']['error'])) {
        echo 'There was something wrong uploading';
    } else {
        echo 'The upload went fine';
    }

     

    Should work fine for checking if it's uploaded.

     

    Why is getting the size of the over-sized file important?

  7. Stick with me on this one, and I apologise if I'm being slow on the uptake.

    It occurs to me that the $_FILES array is being set, because when I print_r $_FILES after I upload I see the array in my original post - i.e. listing the file I uploaded. So I might be misunderstanding you, but doesn't that signify the array is set?

    The only issue with testing $_SERVER['CONTENT_LENGTH'] is that I have three upload fields - so the user could legitimately exceed the limit - i.e. if I just test content_length against 2MB.

     

     

     

    As already stated, there is no $_FILES array when you exceed the post_max_size setting. There's nothing to loop over (you are likely getting php error messages when you do try.) You need to test for the existence of the $_FILES array and/or test the $_SERVER['CONTENT_LENGTH'] against the post_max_size value.

  8. Well, when I say "bypassing", it seems as though it is, because if I upload a file within the upload limit and set the code to 0 it returns the statement.

    content_length is returning 3498774 - i.e. the file size of the large file.

    What am I doing wrong?

     

     

    Explain 'bypass.' It's definitely used incorrectly in this scope.

     

    It would blow my mind if PHP wasn't running out of memory, sometimes an error message is generated, other times a 500 server error.

     

    What is $_SERVER['CONTENT_LENGTH'] returning?

  9. Hi PFMaBiSmAd

    I thought checking the error code would solve the issue, but for some reason when the file far exceeds the php.ini limit it just seems to bypass the script.

    The code below works fine if I upload an image that's within the upload limit, but it won't work if the file exceeds the upload limit.

    Any ideas why that might be?

    if ($value['error'] == 1) {
        return "The file you've attempted to upload exceeds the server limit";
    }

    Incidentally, the reason the array is $value['error'] is because it's part of a loop on the files array.

     

     

    You should check the ['error'] element for that particular problem. http://www.php.net/manual/en/features.file-upload.errors.php

     

    Note, exceeding the post_max_size setting will result in both the $_POST and $_FILES arrays being empty. Also an invalid form, a form with no type='file' field, and uploads not enabled on the server will result in an empty $_FILES array. You can get the actual size of the uploaded file in $_SERVER['CONTENT_LENGTH']
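    Items 5 to 9 above describe two different failure modes that look alike from the script's side: a single file over upload_max_filesize arrives with error 1, size 0 and an empty tmp_name, while a request over post_max_size arrives with no $_FILES at all and only $_SERVER['CONTENT_LENGTH'] as evidence. The following is an added example (not code from the thread or from any of the posters) that checks several optional image fields in the order the replies suggest: error code first, then size, then is_uploaded_file(), then getimagesize(). The field names picture1 to picture3, the 2 MB cap and PHP 7 or later are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: validating several optional image fields
// in the order the replies in items 5 to 9 describe. Field names, the 2 MB cap and
// PHP 7+ are assumptions for illustration.
declare(strict_types=1);

const MAX_BYTES = 2097152; // 2 MB, our own cap independent of php.ini

// Converts php.ini shorthand such as "8M" or "512K" to bytes.
function iniBytes(string $value): int
{
    $value = trim($value);
    $num   = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $num * 1024 ** 3;
        case 'M': return $num * 1024 ** 2;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

// Returns a message describing the first problem, or null when everything was acceptable.
function checkUploads(array $files, array $server, array $fields): ?string
{
    // Over post_max_size, PHP hands the script an empty $_FILES (and $_POST);
    // CONTENT_LENGTH is the only record of what the client actually sent.
    if ($files === [] && isset($server['CONTENT_LENGTH'])
        && (int) $server['CONTENT_LENGTH'] > iniBytes((string) ini_get('post_max_size'))) {
        return 'The request exceeded post_max_size (' . ini_get('post_max_size') . ')';
    }

    $errors = [
        UPLOAD_ERR_INI_SIZE   => 'exceeds upload_max_filesize (' . ini_get('upload_max_filesize') . ')',
        UPLOAD_ERR_FORM_SIZE  => 'exceeds the MAX_FILE_SIZE set in the form',
        UPLOAD_ERR_PARTIAL    => 'was only partially uploaded',
        UPLOAD_ERR_NO_TMP_DIR => 'could not be stored: missing temporary directory',
        UPLOAD_ERR_CANT_WRITE => 'could not be written to disk',
        UPLOAD_ERR_EXTENSION  => 'was blocked by a PHP extension',
    ];

    foreach ($fields as $field) {
        if (!isset($files[$field])) {
            return "Field $field is missing from the request";
        }
        $f = $files[$field];

        // Read the error code FIRST. An oversized file arrives with error == 1,
        // size == 0 and an empty tmp_name, so any check that starts from tmp_name
        // never sees it (the trap in item 5).
        if ($f['error'] === UPLOAD_ERR_NO_FILE) {
            continue; // optional field left empty
        }
        if ($f['error'] !== UPLOAD_ERR_OK) {
            $why = $errors[$f['error']] ?? 'failed with error code ' . $f['error'];
            return "The file for $field $why";
        }

        // Our own cap, with the actual numbers in the message.
        if ($f['size'] > MAX_BYTES) {
            return sprintf('The file for %s is %d bytes; the maximum is %d bytes', $field, $f['size'], MAX_BYTES);
        }
        if (!is_uploaded_file($f['tmp_name'])) {
            return "The file for $field is not an HTTP upload";
        }
        // getimagesize() parses the image header instead of trusting the client's MIME type.
        if (@getimagesize($f['tmp_name']) === false) {
            return "The file for $field is not a valid image";
        }
    }
    return null;
}

// Usage:
$problem = checkUploads($_FILES, $_SERVER, ['picture1', 'picture2', 'picture3']);
echo $problem ?? 'clean', PHP_EOL;
```

    Because the per-field loop only returns on a problem and skips empty optional fields, "clean" is reported after every field has been looked at, which is the behaviour the imgcheck() loop in item 5 was aiming for.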

  10. Ahh that's good to know. I might try the array method in future :)

     

    pathinfo works, but is quite a bit slower than using arrays, and even slower than string functions.

     

    I don't think it would make a huge difference beyond the most efficiency-demanding applications though, so use whatever you find cleanest. This post is just for academic purposes.

  11. Of course! I completely forgot to check errors...  :-[

     

    Thanks for the help PFMaBiSmAd - you are teaching me a lot.

     

     

    You should check the ['error'] element for that particular problem. http://www.php.net/manual/en/features.file-upload.errors.php

     

    Note, exceeding the post_max_size setting will result in both the $_POST and $_FILES arrays being empty. Also an invalid form, a form with no type='file' field, and uploads not enabled on the server will result in an empty $_FILES array. You can get the actual size of the uploaded file by testing $_SERVER['CONTENT_LENGTH']

  12. Hi Guys

    Probably a simple answer here that I'm missing.

    I've got a simple upload script for an image uploader that does various checks for security's sake.

    One of the checks is on file size, to make sure it doesn't exceed the upload limit set in php.ini. The limit is set at 2MB, so the script checks that the file doesn't exceed this limit.

    The problem occurs when I try to upload a file that far exceeds the limit (the one below is 3.5MB). When I do this the upload gets past my script because $_FILES['picture1']['size'] gets set to no value. A print_r of the files array shows:

     

    [picture1] => Array
            (
                [name] => DSC01468.JPG
                [type] => 
                [tmp_name] => 
                [error] => 1
                [size] => 0
            )
    

     

    So what I wanted to know was whether this is normal?

    And should I simply do a check to see if the size value is empty?

     

    Any advice would be good!

     

    Thanks Drongo

  13. Hi guys

    Sorry I keep asking noob questions today...

    I'm working on something that has a user-facing image upload facility, so I'm slowly working through a class to make this as secure as possible.

    One of the tips online is to use the method "is_uploaded_file()".

    According to php.net: "Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd."

    I'm not one to just use things without understanding why. So how exactly could someone get a script to work on an internal file via a browse/upload facility?
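    The manual sentence quoted above is easiest to see by contrast, so here is an added example (not code from the thread or from any poster). The trick is not in the browse box: it works against a script that takes the path of "the uploaded file" from something the client controls. Historically that was register_globals, which turned any form field into a global, so a script doing copy($userfile, ...) could be pointed at /etc/passwd by a plain text field named userfile; the unsafe function below reproduces that shape explicitly through $_POST. The hardened function touches only $_FILES[...]['tmp_name'] and asks PHP whether that path is the temporary file it created for this request. The field names and the gallery directory are assumptions for illustration.

```php
<?php
// Added example, not code from the thread, answering item 13 by contrast: a handler
// that works on whatever path the request names, next to one that only touches the
// temporary file PHP itself created for this POST. Field names and the gallery
// directory are assumptions for illustration.
declare(strict_types=1);

const GALLERY_DIR = '/var/www/html/gallery'; // assumed: a web-served directory

// VULNERABLE: the "uploaded file" is whatever the client put in a form field.
// This is the old register_globals shape (a form field 'userfile' became $userfile),
// reproduced here explicitly via $_POST. Sending src=/etc/passwd makes the script
// copy that file into the gallery, where the next request can fetch it.
function publishUnsafe(array $post): bool
{
    $src = $post['src'] ?? '';
    return $src !== '' && copy($src, GALLERY_DIR . '/' . basename($src));
}

// HARDENED: the only path the script touches is $_FILES[...]['tmp_name'], and
// is_uploaded_file() confirms it is the temp file PHP wrote for this request.
// move_uploaded_file() repeats that check and returns false for any other path.
function publishSafe(array $files, string $field): bool
{
    if (!isset($files[$field]) || $files[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return false; // not produced by this upload: refuse to read it at all
    }
    // Server-chosen name; the client's filename does not reach the filesystem.
    $target = GALLERY_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
    return move_uploaded_file($tmp, $target);
}

// Usage with a real request: publishSafe($_FILES, 'picture1');
```

    The practical rule that falls out of this: never let a request name the source path of a file operation, and only operate on tmp_name after is_uploaded_file() (or through move_uploaded_file(), which performs the same check).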

     

  14. Thanks both!

    PFMaBiSmAd: That really helps me to understand. And you're perfectly correct in spotting w3schools haha. I wasn't intending to use it exactly as it was written; I was just curious as to why and when you should use that sort of grouping.

    Your advice on using an array looks much cleaner though, and I'll certainly adopt this method from here on in. Very glad I asked :)

    Oh, and it occurs to me now that using arrays like that can help make the function reusable... the penny drops ;)

    Thank you!

     

    The person writing that was probably unsure of the operator precedence and wanted to make sure it worked.

     

    The only () needed are those around the group of ||'ed values (which itself can be simplified, see below) -

    <?php
    if (($_FILES["file"]["type"] == "image/gif"
        || $_FILES["file"]["type"] == "image/jpeg"
        || $_FILES["file"]["type"] == "image/pjpeg")
        && $_FILES["file"]["size"] < 20000) {
        // ... handle the accepted upload
    }

     

    However, there are other problems with that logic (which probably came from the w3schools.com upload example). When validating user supplied input, you should never lump together tests and output a generic 'sorry, you did something wrong' message. You should validate everything about the user supplied input and specifically tell the user what was wrong with his input (provided telling him isn't a security issue.) If it was the wrong mime type, tell him what the mime type was that he submitted and what the valid types are. If there is something wrong with the size of the file, tell him what size he uploaded and what the valid size range is.

     

    Also, for that code, when you are testing if a value is one of several possible values, you should make an array of the acceptable values and use an in_array statement -

     

    <?php
    $allowed_types = array("image/gif", "image/jpeg", "image/pjpeg"); // just add values here instead of modifying the logic in the if() statement

    if (in_array($_FILES["file"]["type"], $allowed_types)) {
        // ... handle the accepted upload
    }

  15. Hi

    Sorry, I realise this is a bit of a noob question, but can someone explain why this if statement uses multiple parentheses? Is this a good way of grouping conditionals, and when should you use it?

    if ((($_FILES["file"]["type"] == "image/gif")
        || ($_FILES["file"]["type"] == "image/jpeg")
        || ($_FILES["file"]["type"] == "image/pjpeg"))
        && ($_FILES["file"]["size"] < 20000))
    

  16. Sorry, I might not be explaining myself very well.

    I intend to do lots of other checks.

    What I am trying to discover is whether $_FILES[name][type] or getimagesize() is better for discovering the true file type? Or are they exactly the same in what they'll return?

    Thanks MMDE

    That's a very useful post.

    What I am trying to discover is which method is most robust for discovering file type though? Or are they just the same?

     

     

    Googling some will find you some nice answers! :)

    For example:

    http://stackoverflow.com/questions/4166762/php-image-upload-security-check-list

     

    You should use several different types of checks, not just one, and in a somewhat logical order.

  17. Hi Guys

    Quick question.

    I am just starting an application that enables users to upload files - specifically image files.

    As one of the validation/security steps I want to run a check on file type and file size.

    As far as I can see you do this one of two ways:

    1) using the $_FILES array - i.e. $_FILES[name][type] and $_FILES[name]

    or

    2) using the getimagesize() function.

    What I want to know is whether one of these methods is preferable for security, or do they both suffer the same inherent flaws - because lots of posts online seem to suggest file type can be faked.

    Advice would be appreciated :)
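    Items 16 and 17 both ask which of $_FILES[...]['type'] and getimagesize() is the more robust source of the file type. They are not the same thing: the first is copied from the Content-Type the client wrote into the multipart body, so whoever builds the request chooses it, while getimagesize() reads the bytes on disk. The following added example (not code from the thread or from any poster) shows the three sources side by side on two constructed files: a genuine 1x1 GIF and a PHP script renamed to .gif and sent with the same MIME type. The samples, temp-file handling and the 'picture1' field name are assumptions so that it runs offline.

```php
<?php
// Added example, not code from the thread, for items 16 and 17: what each "file type"
// source actually inspects. The two sample files are constructed here so the script
// runs offline; in a real handler the array would be $_FILES['picture1'].
declare(strict_types=1);

function detectType(array $file): array
{
    $tmp = $file['tmp_name'];

    // 1. $_FILES[...]['type']: copied from the Content-Type the client wrote into the
    //    multipart body. Whoever builds the request decides this value.
    $claimed = $file['type'];

    // 2. getimagesize(): parses the image header (signature, dimensions) and returns
    //    false when the bytes do not start like any image format it knows.
    $info = @getimagesize($tmp);
    $byHeader = ($info === false) ? null : $info['mime'];

    // 3. finfo: libmagic signature match on the content; not image-specific.
    $byMagic = (new finfo(FILEINFO_MIME_TYPE))->file($tmp) ?: null;

    return ['claimed' => $claimed, 'getimagesize' => $byHeader, 'finfo' => $byMagic];
}

// The decision uses only the header-derived type; the claimed type is kept for logging.
function isAcceptedImage(array $file, array $allowed = ['image/gif', 'image/jpeg']): bool
{
    $t = detectType($file);
    return $t['getimagesize'] !== null && in_array($t['getimagesize'], $allowed, true);
}

// --- constructed samples, not real uploads ---------------------------------
// A genuine 1x1 transparent GIF.
$realGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($realGif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
// A PHP script renamed to .gif, sent with the same MIME type a browser would use.
$fakeGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fakeGif, "<?php echo 'not an image'; ?>");

$uploads = [
    'real' => ['name' => 'cat.gif', 'type' => 'image/gif', 'tmp_name' => $realGif, 'error' => 0, 'size' => filesize($realGif)],
    'fake' => ['name' => 'cat.gif', 'type' => 'image/gif', 'tmp_name' => $fakeGif, 'error' => 0, 'size' => filesize($fakeGif)],
];
foreach ($uploads as $label => $file) {
    printf("%s: %s accepted=%s\n", $label, json_encode(detectType($file)), var_export(isAcceptedImage($file), true));
}
unlink($realGif);
unlink($fakeGif);
```

    Both samples carry the identical claimed type; only the header-based checks separate them. One caveat on getimagesize(): it inspects the header, not the whole file, so a file that begins with a valid GIF header and carries PHP code after it still passes. The check decides what to accept, not whether the bytes are safe to execute, which is why the storage rules from item 2 (server-chosen name, fixed extension, no script execution in the upload directory) still apply; re-encoding the image through GD (imagecreatefromgif() followed by imagegif()) discards everything outside the pixel data and is the stronger option.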

  18. Hi Barand

    Thanks for that. I thought IMAP might be the way to go but wanted to make sure I wasn't missing some simpler solution.

    :)

    You can use IMAP functions to read mail. eg

    <?php
    if (!extension_loaded('imap')) {
        dl('php_imap.dll'); // dl() only works in the CLI/CGI SAPIs; otherwise enable the extension in php.ini
    }
    /* connection to mail */
    $hostname = "{servername:110/pop3}INBOX";
    $username = 'domain\\mailboxusername';
    $password = 'password';

    /* try to connect */
    $inbox = imap_open($hostname, $username, $password) or die('Cannot connect to server: ' . imap_last_error());
    // date() re-formats the query-string value, so nothing from $_GET reaches the search string as-is
    $startdate = date('d M Y', strtotime($_GET['date']));
    $nowdate = date('d M Y');

    /* grab emails: message numbers of everything between the two dates */
    $emails = imap_search($inbox, "ALL SINCE \"$startdate\" BEFORE \"$nowdate\"");
    ?>

  19. Hi Guys

    I'm just looking for some advice to make sure I go in the right direction from the off!

    Building a new system for a client. They'll receive contact information from a contact form on their website, and the details of the contact form are logged in the admin area of the CMS. The client wants to be able to respond to these contacts via email without logging into the system, and then have the details of the reply logged in the admin area of the CMS to know when something has been responded to.

    So essentially I need some way of getting that email into the database. The only way I can see this happening is to set up a new mailbox; the client blind copies that mailbox address into all replies; a cron then runs a PHP script that picks up the most recent emails via IMAP and then reads in the data - thereby registering the fact that a response has happened (probably from the subject line reference), and it would then update the status of the contact. I am assuming this is theoretically possible, as I've never done anything like that before.

    So...

    1) Is there a better way of doing this without having the client log in to the site to respond?

    2) Does the proposal above sound reasonable?

    Any advice would be much appreciated...

    Drongo

     

     

     

  20. Ahh, probably should have stated that I'm in the UK.

    I've done loads of searches but just can't seem to find anyone who offers this :/

    I thought it would be an outside chance that anyone would know.

    Thank you very much for the info though!

     

     

     

    If you're in the US, both KBB and NADA sell APIs to their prices.

     

    KBB - http://www.800bluebook.com/oem-solutions/data-syndication/

     

    NADA - http://www.nada.com/b2b/GetValues/APIandWebServicesProducts.aspx
