BMR777

Members
  • Posts

    12
  • Joined

  • Last visited

Everything posted by BMR777

  1. You can't force the browser to switch, but you can refuse to load your page for certain browsers. I can imagine maybe the OP wants to block IE6 or something. You'll have to get the user agent of the browser and then check that against a list and then you can do something, like show a page telling the user to use a different browser. The user agent can be changed by the user in some cases though, so it's not a fool-proof way to prevent someone from viewing your page.
  2. Are you trying to load a valid web address? You have: $merch_map = "http://spot_map"; Then you have: $url = $merch_map.'/'.$thumbnails.''.$ext; Which gets passed to your download function and then to readfile. I think maybe it's having trouble because you're not ending up with a valid URL, that is http://spot_map/opt/... is not a valid url, there's no domain extension.
  3. As Buddski already mentioned, you can place your uploaded files outside of the public_html directory so they cannot be loaded with a web browser. Then use something like readfile() to read in the files. Another precaution you can take if you are using an upload directory inside public_html is to use a .htaccess file to turn off PHP and disable other bad file extensions just in case something malicious gets past your uploader. Add to your .htaccess in your upload directory:

```apache
php_value engine Off
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|php|php3|php4|php5|pl|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
```

That is no substitute for good PHP code but provides a last line of defense in case something bad does try and get by. Note that the first one or two parts of that code are known to cause 500 errors on some servers, so you may need to play with it a bit and remove bits if you get errors.
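The post above recommends keeping uploads outside public_html and handing them out through readfile(). Below is an added example of such a download handler (written for this page, not BMR777's code). It assumes a hypothetical upload directory /home/site/uploads outside the web root, a hypothetical "files" table mapping an integer id to the server-chosen stored name and MIME type, and placeholder PDO credentials.

```php
<?php
// Added example (not from the original thread): serve a stored upload that
// lives outside the web root, so Apache never executes or directly exposes it.
// Assumptions (hypothetical): UPLOAD_BASE is outside public_html, and the
// "files" table has columns id, stored_name, mime.

define('UPLOAD_BASE', '/home/site/uploads');

// Only these types are ever served; anything else is refused no matter what
// the database row says.
$allowedTypes = array('image/gif', 'image/jpeg', 'audio/mpeg');

// Map a stored name to an absolute path, or return null if it is not a name
// we generated ourselves or it resolves outside UPLOAD_BASE (path traversal).
function resolveUploadPath($storedName)
{
    if (!preg_match('/^[a-f0-9]{32}\.(gif|jpg|mp3)$/', $storedName)) {
        return null;
    }
    $base = realpath(UPLOAD_BASE);
    $path = realpath(UPLOAD_BASE . '/' . $storedName);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($id <= 0) {
    http_response_code(404);
    exit;
}

// Placeholder credentials; look the row up with a prepared statement.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass');
$stmt = $pdo->prepare('SELECT stored_name, mime FROM files WHERE id = ?');
$stmt->execute(array($id));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

$path = $row ? resolveUploadPath($row['stored_name']) : null;
if ($path === null || !in_array($row['mime'], $allowedTypes, true)) {
    http_response_code(404);
    exit;
}

// The Content-Type is ours, not the browser's guess; nosniff stops the browser
// from re-interpreting the bytes, and "attachment" keeps it from rendering
// inline as HTML or script even if the content is not what we expected.
$ext = pathinfo($path, PATHINFO_EXTENSION);
header('Content-Type: ' . $row['mime']);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="file' . $id . '.' . $ext . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The handler refuses anything whose stored name is not in the fixed hex-plus-extension form the uploader generates, which means the user-supplied original filename never reaches the filesystem at all; the realpath() check is a second guard in case the naming rule is ever relaxed.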
  4. Thanks for testing Coreye. I was able to fix the full path disclosures you posted. Is there anything else I need to be aware of? Thanks, Brandon
  5. Hello, My new script, Max Volume is complete and I would really like it if you could test the script for security vulnerabilities such as SQL injection and other security-related issues. The script is installed at: http://www.mybbmultiforums.com/mvinstall2/index.php Verification file: http://www.mybbmultiforums.com/mvinstall2/phpfreaks.php The script is designed so that artists can upload MP3 files to the server and listeners can listen to the songs and download them, as well as make comments on their favorite bands. I have made some test accounts so you can try the listener or artist end of the script:

     Artist Account (can upload MP3 files): artist / demopass
     Listener Account (cannot upload MP3 files): listener / demopass

     What I am looking for from testers is first and foremost discovery of security holes that I may have missed. Basically, users should not be able to SQL inject the site. Artists should ONLY be able to upload MP3, gif and jpg files, with listeners only able to upload gif and jpg files. Users should NOT be able to use any HTML or javascript on their profiles. Anything you find would be really helpful to me. Please if possible post detailed results so I can replicate them so I can fix them. Thanks, Brandon
  6. Well printf, Thanks. Are there any checks then that you would recommend that I run on the uploaded file? Basically my thinking is that if it fails any one of the checks I run, the script doesn't upload the file. I've been reading various tutorials on the internet about safely uploading files in PHP and they all seem to have various methods of verifying the uploaded files. Some say you should check the file extension, some say you should use getimagesize to determine if the file is really an image, so I have tried to take the best of all the tutorials and make a secure uploader. Is there any check I should run on the uploaded file that I haven't already run on it? From what I've been reading a lot of things like mimetype sent by the browser can be faked, so I use the server getimagesize() to check the mime type on the server end as part of the checks. Can this be faked / bypassed as well and if so what can I do to prevent against this type of attack? You mention basic tools of PHP to process uploads securely, so if you would be so kind as to point me in the right direction of what you mean I would appreciate it. Thanks, BMR777
  7. Hello All, I'm working on a script where registered users should be able to upload either a .gif or .jpg file to the server. I have made a file upload script and I was hoping some of you could look over it for security and tell me if there is anything that is not secure about it or anything I could add to it to increase security and prevent against users adding malicious files to the server. Here's the script:

```php
<?php
// Wake the sleeping giant
include("inc/functions.php");
connect();
$themeurl = themeurl();
$site_title = sitetitle();
$site_name = sitename();
$slogan = slogan();
$newsbar = newsbar();
if($newsbar != ""){
    $shownews = "<div class='subheader'><p>".$newsbar."</p></div>";
}
else{
    $shownews = "<div class='subheader'></div>";
}

// **********************************************************************
// Check if user is logged in
// **********************************************************************
$userdata = logincheck();
$isloggedin = $userdata['loginstatus'];
$loggedinname = $userdata['username'];

// **********************************************************************
// We do all our prepwork here
// **********************************************************************
// If we're not logged in, we cannot access this page...
if($isloggedin != "yes"){
    $article_title = "403 Forbidden";
    $article_content = "You do not have permission to access the file uploads page. Only artists may access this page. Are you an artist? <a href='login.php'>Log in</a> or <a href='register.php'>register</a> to upload files.";
}
else{
    // BEGIN FILE UPLOAD
    $flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload.
    $error = "";
    $hashedfilename = "";
    $target_path = "";
    $filesize = $_FILES['uploadedfile']['size'];
    $mimetype = $_FILES['uploadedfile']['type'];
    $filename = $_FILES['uploadedfile']['name'];
    $filename = htmlentities($filename);
    $filesize = htmlentities($filesize);
    $mimetype = htmlentities($mimetype);
    //Default upload directory
    $uploaddir = "picuploads/gif";

    //***************************************************************************
    //First we determine if the file is a gif or a jpg by checking the extension
    //First check and see if the file is a .gif file
    $isgif = "no";
    $whitelist = array(".gif");
    foreach ($whitelist as $ending) {
        if(substr($filename, -(strlen($ending))) != $ending) {
            //File is not a gif file, so let's do nothing right now
            //When we check for if it is a jpg we will flag the file
        }
        else{
            //The file IS a gif file, so we set the isgif to true
            $isgif = "yes";
        }
    }
    // Now we check if it is a .jpg file or not, because it is not a gif
    if($isgif != "yes"){
        $whitelist = array(".jpg");
        foreach ($whitelist as $ending) {
            if(substr($filename, -(strlen($ending))) != $ending) {
                if($flag == 0){
                    $error = "The file type or extension you are trying to upload is not allowed! You can only upload gif or jpg files to the server!";
                }
                $flag++;
            }
        }
    }
    //***************************************************************************
    /*
    if($filename != ""){
        echo "Beginning upload process for file named: ".$filename."<br>";
        echo "Filesize: ".$filesize."<br>";
        echo "Type: ".$mimetype."<br><br>";
    }
    */
    //First generate a MD5 hash of what the new file name will be
    //Force a file extension on the file we are uploading
    //Now we create a hashed file name of the file and set the upload directory...
    if($isgif == "yes"){
        $date = date('Y-m-d');
        $hashstring = $filename."_".$date;
        $hashedfilename = md5($hashstring);
        $hashedfilename = $hashedfilename.".gif";
        $target_path = "picuploads/gif/";
        $uploaddir = "picuploads/gif";
    }
    else if ($isgif == "no" and $flag == 0){
        //File is a jpg
        $date = date('Y-m-d');
        $hashstring = $filename."_".$date;
        $hashedfilename = md5($hashstring);
        $hashedfilename = $hashedfilename.".jpg";
        $target_path = "picuploads/jpg/";
        $uploaddir = "picuploads/jpg";
    }
    //SET TARGET PATH?
    $target_path = $target_path . basename( $filename );

    //Check for empty file
    if($hashedfilename == ""){
        if($error == ""){
            $error = "No File Exists!";
        }
        $flag = $flag + 1;
    }
    //Now we check that the file doesn't already exist.
    $existname = $uploaddir."/".$hashedfilename;
    if(file_exists($existname)){
        if($flag == 0){
            $error = "Your file already exists on the server! Please choose another file to upload or rename the file on your computer and try uploading it again!";
        }
        $flag = $flag + 1;
    }
    ////////////////////////////////////////////////////////////////////////////
    //Now we check the filesize. If it is too big then we reject it
    if($filesize > 153600){
        //File is too large
        if($flag == 0){
            $error = "The file you are trying to upload is too large! Files must be under 150 KB.";
        }
        $flag = $flag + 1;
    }
    ////////////////////////////////////////////////////////////////////////////
    //Check the mimetype of the file
    if($mimetype != "image/gif" and $mimetype != "image/jpeg"){
        if($flag == 0){
            $error = "The file you are trying to upload does not contain expected data. Are you sure that the file is a .gif or .jpg file?";
        }
        $flag = $flag + 1;
    }
    ////////////////////////////////////////////////////////////////////////////
    //Now that we checked the mime type client side, let's check it again server side...
    $imageInfo = getimagesize($_FILES["uploadedfile"]["tmp_name"]); // note that we need to use the temporary name since it has not yet been moved
    if($imageInfo["mime"] != "image/gif" and $imageInfo["mime"] != "image/jpeg") {
        if($error == ""){
            $error = "The file you are trying to upload does not contain expected data. Are you sure that the file is a .gif or .jpg file?";
        }
        $flag++;
    }
    ////////////////////////////////////////////////////////////////////////////
    //All checks are done, actually move the file...
    if($flag == 0){
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploaddir."/".$hashedfilename)) {
            if(@file_exists($uploaddir."/".$hashedfilename)){
                $article_title = "Success!";
                /*
                $article_content = "The file ". basename( $filename ). " has been uploaded. Your file is <a href='uploads/$uploaddir/$hashedfilename'>here</a>.";
                */
                $article_content = "The file ". basename( $filename ). " has been uploaded successfully! It will now appear on your profile and in your photo gallery.";
            }
            else{
                $article_title = "ERROR!";
                $article_content = "There was an error uploading the file, please try again!";
            }
        }
        else{
            $article_title = "ERROR!";
            $article_content = "There was an error uploading the file, please try again!";
        }
    }
    else {
        $article_title = "ERROR!";
        if($error != ""){
            $article_content = $error;
        }
        else{
            $article_content = "File Upload Failed!";
        }
    }
    //More code here
    //Done with upload, so insert data into database
    $origfilename = secure(basename( $filename ));
    $hashedfilename = secure($hashedfilename);
    $location = $uploaddir."/".$hashedfilename;
    //*******************************************************
    $info = $_POST['info'];
    $info = secure($info);
    //*******************************************************
    if($flag == 0){
        $crdate = date('Y-m-d');
        mysql_query("INSERT INTO picsmap VALUES ('', '$loggedinname', '','$location','$location', 'profileimage', '$crdate', '$info')");
    }
    $article_content = $article_content."<br><br><u>What do you want to do now?<br><br> <a href='uploadpicform.php'>Upload another picture file</a><br> <a href='managepicuploads.php'>Manage uploads or change / delete file info</a><br> <a href='account.php'>Manage My Account</a>";
}

// **********************************************************************
// End Prepwork - Output the page to the user
// **********************************************************************
//Define our current theme
$file = $themeurl;
// Do the template changes and echo the ready template
$template = file_get_contents($file);
//$template = replace(':SITETITLE:',$site_title,$template);
$template = replace(':SITENAME:',$site_name,$template);
$template = replace(':SLOGAN:',$slogan,$template);
$template = replace(':ARTICLETITLE:',$article_title,$template);
$template = replace(':ARTICLEDATE:',$article_date,$template);
$template = replace(':ARTICLECONTENT:',$article_content,$template);
$template = replace(':LINK1:',$link1,$template);
$template = replace(':LINK2:',$link2,$template);
$template = replace(':LINK3:',$link3,$template);
$template = replace(':NEWSBAR:',$shownews,$template);
/*
//Ad Management
$header = @file_get_contents("ads/header.txt");
$footer = @file_get_contents("ads/footer.txt");
$tower = @file_get_contents("ads/tower.txt");
$header = stripslashes($header);
$footer = stripslashes($footer);
$tower = stripslashes($tower);
$template = replace(':HEADERAD:',$header,$template);
$template = replace(':FOOTERAD:',$footer,$template);
$template = replace(':TOWERAD:',$tower,$template);
*/
//**************************************************************
//Custom template replacement to allow the javascript to work properly
$oldtext = "<head>
<meta name=\"author\" content=\"Luka Cvrk (www.solucija.com)\" />
<meta http-equiv=\"content-type\" content=\"text/html;charset=iso-8859-2\" />
<link rel=\"stylesheet\" href=\"templates/default/images/style.css\" type=\"text/css\" />
<title>:SITETITLE:</title>
</head>";
$newtext = "<head><title>File Upload</title>
<script language=\"Javascript\">
<!-- Copyright 2001 Bontrager Connection, LLC
function WorkingMessage() {
    var url=\"\"; // Blank for thankyou page.
    var height = 100; // Height of popup
    var width = 450; // Width of popup
    var att='width=' + width + ',height=' + height;
    WorkingMessagePopup=window.open(url,\"wmp\",att);
}
function KillWorkingMessagePopup(){
    WorkingMessage();
    WorkingMessagePopup.close();
}
// -->
</script>
<meta name=\"author\" content=\"Luka Cvrk (www.solucija.com)\" />
<meta http-equiv=\"content-type\" content=\"text/html;charset=iso-8859-2\" />
<link rel=\"stylesheet\" href=\"templates/default/images/style.css\" type=\"text/css\" /></head>";
$template = replace($oldtext,$newtext,$template);
$oldtext = "<body>";
$newtext = "<body onLoad=\"KillWorkingMessagePopup();\">";
$template = replace($oldtext,$newtext,$template);
//**************************************************************
//Is the user logged in?
if ($isloggedin == "yes"){
    $logincontent = logincontent($loggedinname);
    $template = replace(':LOGINBAR:',$logincontent['loginbar'],$template);
    $template = replace(':WELCOMEORREGISTER:',$logincontent['welcome'],$template);
    $template = replace(':LOGINORACCT:', $logincontent['content'] ,$template);
    $friends = minifriends();
    $template = replace(':FRIENDS:',$friends,$template);
}
else{
    //User is not logged in
    $template = replace(':LOGINBAR:','<b>You are not Logged in!</b> <a href="login.php">Log in</a> or <a href="register.php">register</a> to start downloading music!',$template);
    $template = replace(':WELCOMEORREGISTER:','<u>Member Login:</u>',$template);
    $loginform = loginform();
    $template = replace(':LOGINORACCT:', $loginform ,$template);
    $friends = "";
    $template = replace(':FRIENDS:',$friends,$template);
}
$morecontent = morecontent();
$template = replace(':MORECONTENT:',$morecontent,$template);
// **********************************************************************
// THIS IS THE LAST THING WE DO!
// **********************************************************************
echo $template;
?>
```

Any thoughts would be appreciated. Thanks for looking. Brandon
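Posts 6 and 7 above both turn on the same question: the extension, the browser-supplied type and getimagesize() can all be satisfied by a file that is a valid GIF or JPEG and also carries other content (in a comment block, in metadata, or appended after the image data), because getimagesize() only parses the image header. The added example below (written for this page, not BMR777's script) is the approach a defender would take instead: accept only what the server can decode, re-encode it with GD so only pixel data survives, give it a server-chosen random name, and store it where nothing executes it. It assumes a hypothetical directory UPLOAD_DIR outside public_html, a form field named "uploadedfile", and PHP 7 or later for random_bytes().

```php
<?php
// Added example (not from the original thread): validate an image upload and
// re-encode it before storing it. Assumptions: UPLOAD_DIR is outside the web
// root; the 150 KB limit matches the script above.

define('UPLOAD_DIR', '/home/site/uploads/pics');
define('MAX_BYTES', 153600);

// Returns array(true, storedName) on success or array(false, reason) on failure.
function storeImageUpload(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'No file was uploaded.');
    }
    // $file['name'], ['type'] and ['size'] are supplied by the client and are
    // never used for a security decision here; only tmp_name is trusted, and
    // only after is_uploaded_file() confirms PHP created it for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'Invalid upload.');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return array(false, 'File is too large.');
    }

    // Server-side sniff. Necessary, but not sufficient on its own: it reads
    // only the header, so a file can pass this and still contain anything.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return array(false, 'File is not an image.');
    }
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $ext = 'gif'; break;
        case IMAGETYPE_JPEG: $ext = 'jpg'; break;
        default:             return array(false, 'Only GIF and JPEG images are allowed.');
    }

    // Decode and write a fresh image: comments, EXIF and trailing bytes do not
    // survive, because only the decoded pixels are written back out.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return array(false, 'Image could not be decoded.');
    }

    // The stored name is chosen by the server, so the original name (and any
    // "../" or second extension in it) never touches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;
    $ok = ($ext === 'gif') ? imagegif($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        return array(false, 'Could not save image.');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return array(true, $stored);
}

// Usage from the upload form handler:
// list($ok, $value) = storeImageUpload($_FILES['uploadedfile']);
// if ($ok) { /* record $value in the database */ } else { /* show $value */ }
```

Two trade-offs to be aware of: re-encoding drops GIF animation (GD keeps the first frame) and re-compresses JPEGs, and re-encoding alone is a strong filter rather than a proof, so it belongs alongside the other controls in this thread (storage outside the web root, PHP disabled in the upload directory, and serving with a fixed Content-Type), not instead of them.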
  8. Well, with htmlentities if a user inserted html into a form, what would appear on the site, the HTML or the conversion such as &nbsp; would appear instead of a space?
  9. This sends it to a database which will then have the info pulled onto a page. From a security standpoint, is there any risk to leaving strip_tags in there? Also, looking at htmlentities it looks like it converts html to something else. For my script I do not want ANY html to show, even when the data is passed back to the page, so would strip tags be better in that case?
  10. Hello, I'm writing a script and I have a function called secure to secure any incoming data that will be placed into the database:

```php
//This function performs security checks on all incoming form data
function secure($data){
    //MySQL Real Escape String
    $data = mysql_real_escape_string($data);
    //Strip HTML tags
    $data = strip_tags($data, '');
    return $data;
}
```

      I've also done some digging and found that there is a setting called magic quotes which can mess with data input. On my host for PHP info I have:

```
magic_quotes_gpc On
magic_quotes_runtime Off
magic_quotes_sybase Off
```

      First question is, does this mean that magic quotes is on or off on the server I am using, that is will the data I am working with be affected by magic quotes? Secondly, are there any changes I need to make to my secure() function to deal with servers that have magic quotes enabled? Looking on my database the data entered such as ' is being escaped such as \' and I wanted to make sure that my secure() function is working and this is not just a result of the magic quotes. Thanks, Brandon
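The questions in posts 8, 9 and 10 are about the same three things: magic quotes, database escaping, and HTML escaping. magic_quotes_gpc On means PHP has already backslash-escaped every GET, POST and COOKIE value before the script sees it (the runtime and sybase settings do not affect form input), which is why a `'` shows up stored as `\'` whether or not secure() worked. The added example below (written for this page, not BMR777's code) shows the usual way to make the three concerns independent of each other: undo magic quotes once at the top of the request, store the raw text with a prepared statement, and escape for HTML only when the value is printed. It assumes a hypothetical "comments" table with username and body columns and placeholder PDO credentials.

```php
<?php
// Added example (not from the original thread).

// 1. Undo magic quotes once, so the rest of the code sees what the user typed.
//    The setting was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
//    hence the guards; on a host where it is On, this is the whole fix.
function undoMagicQuotes(array $data)
{
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value) ? undoMagicQuotes($value) : stripslashes($value);
    }
    return $clean;
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

// 2. Store the raw text with a prepared statement. No strip_tags() and no
//    mysql_real_escape_string(): the driver keeps data and SQL apart, so a
//    quote in the input is just a character, and the database keeps exactly
//    what the user wrote.
function saveComment(PDO $pdo, $user, $body)
{
    $stmt = $pdo->prepare('INSERT INTO comments (username, body) VALUES (?, ?)');
    return $stmt->execute(array($user, $body));
}

// 3. Escape at output time, for the HTML context. Tags are not removed; they
//    are turned into text, so <b>hi</b> is *displayed* as "<b>hi</b>" rather
//    than rendered bold, and no script in it runs. ENT_QUOTES also encodes
//    both quote characters, so the result is safe inside an attribute too.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Usage (placeholder credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8', 'dbuser', 'dbpass');
// saveComment($pdo, $loggedinname, $_POST['body']);
// ...later, when rendering the page:
// echo '<p>' . h($row['body']) . '</p>';
```

This also answers the strip_tags question: removing tags at input time is lossy (a user who writes "x < y" or pastes a code sample loses content) and is not the control that stops HTML from rendering; output escaping is. Leaving strip_tags in secure() is not a risk, but it is not what keeps the page safe.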
  11. Yeah, upload_max_filesize and post_max_size can both affect file uploads, so if you changed one but not the other that could be the issue. A simple way to change is to add to a .htaccess file in your public_html folder:

```apache
php_value upload_max_filesize 32M
php_value post_max_size 32M
```

      Also, for the mimetype of the file, it may also be: audio/x-mp3 or audio/mpeg. BMR777
  12. Hello All, I just finished working on a PHP script that will allow a user to upload a MP3 file to my website. Right now I have the file upload script done and I want to get some expert opinions to tell me if it is secure enough to be used in a live environment or if there is any security that needs to be added. If you could please look over the script below and point out any security flaws I would be very grateful. Thanks. The actual upload script:

```php
<?php
$target_path = "uploads/";
$flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload.
$error = "";
$filename = $_FILES['uploadedfile']['name'];
$filesize = $_FILES['uploadedfile']['size'];
$mimetype = $_FILES['uploadedfile']['type'];
$target_path = $target_path . basename( $filename );
echo "Beginning upload process for file named: ".$filename."<br>";
echo "Filesize: ".$filesize."<br>";
echo "Type: ".$mimetype."<br><br>";
//First generate a MD5 hash of what the new file name will be
//Force a MP3 extension on the file we are uploading
$hashedfilename = md5($filename);
$hashedfilename = $hashedfilename.".mp3";
//Now we check that the file doesn't already exist.
$existname = "uploads/".$hashedfilename;
if(file_exists($existname)){
    $error = "Your file already exists on the server! Please choose another file to upload or rename the file on your computer and try uploading it again!";
    $flag = 1; // Set the flag, prevent upload
}
//Now we check the file's extension and make sure we are really uploading an MP3 file...
//First do a blacklist approach and weed out all bad filetypes
$blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl" ,".py",".cgi",".php5");
foreach ($blacklist as $file) {
    // preg_quote so the "." in the extension is matched literally
    if(preg_match("/".preg_quote($file, "/")."\$/i", $filename)) {
        $error = "The file type you are trying to upload is not allowed! You can only upload MP3 files to the server!";
        $flag = 1;
    }
}
//Now do a whitelist approach to allow only safe files...
$whitelist = array(".mp3");
foreach ($whitelist as $file) {
    if(!preg_match("/".preg_quote($file, "/")."\$/i", $filename)) {
        $error = "The file type you are trying to upload is not allowed! You can only upload MP3 files to the server!";
        $flag = 1;
    }
}
//Now we check the filesize. If it is too big or too small then we reject it
//MP3 files should be at least 1MB and no more than 6.5 MB
if($filesize > 6920600){
    //File is too large
    $flag = 1;
    $error = "The file you are trying to upload is too large! Your file can be up to 6.5 MB in size only. Please upload a smaller MP3 file or encode your file with a lower bitrate.";
}
if($filesize < 1048600){
    //File is too small
    $flag = 1;
    $error = "The file you are trying to upload is too small! Your file has been marked as suspicious because our system has determined that it is too small to be a valid MP3 file. Valid MP3 files must be bigger than 1 MB and smaller than 6.5 MB.";
}
//Check the mimetype of the file
if($mimetype != "audio/x-mp3" and $mimetype != "audio/mpeg"){
    $flag = 1;
    $error = "The file you are trying to upload does not contain expected data. Are you sure that the file is an MP3?";
}
//All checks are done, actually move the file...
if($flag == 0){
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $filename ). " has been uploaded. Your file is <a href='uploads/$hashedfilename'>here</a>.";
        //Change the filename to MD5 hash and FORCE a MP3 extension.
        if(file_exists("uploads/".$filename)){
            //Rename the file to an MD5 version
            rename("uploads/".$filename, "uploads/".$hashedfilename);
        }
    }
    else{
        echo "There was an error uploading the file, please try again!";
    }
}
else {
    echo "File Upload Failed!<br>";
    if($error != ""){
        echo $error;
    }
}
?>
```

      The .htaccess for the uploads directory:

```apache
php_value engine Off
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|php|php3|php4|php5|pl|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# disguise all file extensions as mp3
ForceType audio/mpeg
```

      Thanks again for your time. BMR777
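Every check in the script above reads something the browser sent (the name, the type, the size) rather than the bytes on disk, and the file is first written under its original name and only renamed afterwards. The added example below (written for this page, not BMR777's script) shows the complementary content check for this particular format: an MP3 file begins either with an ID3v2 tag ("ID3" plus a major version byte) or directly with an MPEG audio frame header, whose first eleven bits are the sync word and whose layer bits must say Layer III. It assumes a hypothetical directory UPLOAD_DIR outside the web root, a form field named "uploadedfile", and PHP 7 or later for random_bytes(); the sample byte strings at the bottom are constructed for illustration.

```php
<?php
// Added example (not from the original thread): decide whether an upload is an
// MP3 from its leading bytes, then store it under a server-chosen name.

define('UPLOAD_DIR', '/home/site/uploads/mp3');
define('MAX_BYTES', 6920600);   // 6.5 MB, as in the script above

// Inspect the first four bytes of a file. Returns true for an ID3v2 header
// (ID3v2.2, .3 or .4) or for a valid MPEG Layer III frame header.
function headBytesLookLikeMp3($head)
{
    if (strlen($head) < 4) {
        return false;
    }
    if (substr($head, 0, 3) === 'ID3') {
        $major = ord($head[3]);
        return $major >= 2 && $major <= 4;
    }
    $b0 = ord($head[0]);
    $b1 = ord($head[1]);
    $syncOk    = ($b0 === 0xFF) && (($b1 & 0xE0) === 0xE0); // 11 sync bits set
    $versionOk = (($b1 & 0x18) !== 0x08);                    // 01 is reserved
    $layerIII  = (($b1 & 0x06) === 0x02);                    // layer bits 01
    return $syncOk && $versionOk && $layerIII;
}

function looksLikeMp3($path)
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 4);
    fclose($fh);
    return headBytesLookLikeMp3($head);
}

// Returns array(true, storedName) or array(false, reason).
function storeMp3Upload(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return array(false, 'No valid upload.');
    }
    // Size measured on disk, not taken from $file['size'].
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return array(false, 'File is too large.');
    }
    if (!looksLikeMp3($file['tmp_name'])) {
        return array(false, 'File does not look like an MP3.');
    }
    // Random, server-chosen name with a fixed extension; the original name is
    // never used as a path, so there is no window where it exists on disk.
    $stored = bin2hex(random_bytes(16)) . '.mp3';
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'Could not store file.');
    }
    chmod($dest, 0644);
    return array(true, $stored);
}

// Constructed sample headers for a quick check:
//   headBytesLookLikeMp3("ID3\x03\x00")      -> true   (ID3v2.3 tag)
//   headBytesLookLikeMp3("\xFF\xFB\x90\x00") -> true   (MPEG-1 Layer III frame)
//   headBytesLookLikeMp3("<?ph")             -> false  (not audio)
```

A header check of this kind is a filter, not a guarantee: a file can carry a valid ID3 tag and still contain other content further in, and some real recordings start with padding before the first frame, which this simple check would reject. Its job is to complement, not replace, the .htaccess in the post above (no PHP execution in the upload directory) and storage outside the web root with a fixed Content-Type on download.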