Search the Community

Can some tell me how to make this script check for the password before it starts the upload process instead of after the file is uploaded? Some of the files I need uploaded are big and it sucks to wait till the file is uploaded before it tells me that the password was wrong. Thanks for any help you can provide. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <title>ES Simple Uploader</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta name="generator" content="handmade" /> <style type="text/css"> <!-- body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; background-color: #DDDDDD; } .cnt { text-align: center; } .cnt_welcome { font-size: 16px; font-weight: bold; text-align: center; } .cnt_powered { font-size: 14px; font-weight: bold; text-align: center; } .cnt_small { font-size: 12px; text-align: center; padding-top: 50px; } .head_line { background-color: #BBBBBB; } .main_table { border: solid 1px #9D9992; font-size: 13px; } h4 { font-size: 12px; color: #DD0000; text-align: center; } .button { border: 1px solid #55555; font-weight: bold; } --> </style> </head> <body> <? include("config.php"); function path_options() { global $upload_dirs; $option = ""; foreach ($upload_dirs as $path => $pinfo) { $option .= '<option value="'.$path.'">'.$pinfo["name"].'</option>'; } return $option; } function check_vals() { global $upload_dirs, $err; if (!ini_get("file_uploads")) { $err .= "HTTP file uploading is blocked in php configuration file (php.ini). Please, contact to server administrator."; return 0; } $pos = strpos(ini_get("disable_functions"), "move_uploaded_file"); if ($pos !== false) { $err .= "PHP function move_uploaded_file is blocked in php configuration file (php.ini). Please, contact to server administrator."; return 0; } if (!isset($_POST["path"]) || (strlen($_POST["path"]) == 0)) { $err .= "Please fill out path"; return 0; } if (!isset($upload_dirs[$_POST["path"]])) { $err .= "Incorrect path"; return 0; } if (!isset($_POST["pwd"]) || (strlen($_POST["pwd"]) == 0)) { $err .= "Please fill out password"; return 0; } elseif ($_POST["pwd"] != $upload_dirs[$_POST["path"]]["password"]) { $err .= "The upload password is incorrect"; return 0; } if (!isset($_FILES["userfile"])) { $err .= "Empty file"; return 0; } elseif (!is_uploaded_file($_FILES['userfile']['tmp_name'])) { $err .= "Empty file"; return 0; } return 1; } $err = ""; $status = 0; if (isset($_POST["upload"])) { if (check_vals()) { if (filesize($_FILES["userfile"]["tmp_name"]) > $max_file_size) $err .= "Maximum file size limit: $max_file_size bytes"; else { if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $upload_dirs[$_POST["path"]]["dir"].$_FILES["userfile"]["name"])) { $status = 1; } else $err .= "There are some errors!"; } } } if (!$status) { if (strlen($err) > 0) echo "<h4>$err</h4>"; } else { echo "<h4>"".$_FILES["userfile"]["name"]."" was successfully uploaded.</h4>"; } ?> <p class="cnt_welcome">Welcome to ES Simple Uploader v 1.1.</p> <p class="cnt">« <a href="http://www.energyscripts.com/Products/product2.html">Back to Product page</a> «</p> <p class="cnt">(Select folder, set it's password, then select a file to upload and click "Upload" button). <br />Note: Folder: "Images folder", Password: "images"; Folder: "Docs", Password: "docs"; Folder: "Common files", Password: "common"; Maximum file size: <?=$max_file_size/1024?> Kb.</p><br /> <form enctype="multipart/form-data" action="index.php" method="POST"> <input type="hidden" name="MAX_FILE_SIZE" value="<?=$max_file_size?>" /> <table class="main_table" align="center"> <tr> <td colspan="2" class="head_line"> </td> </tr> <tr> <td>Folder:</td> <td><select name="path"><?=path_options()?></select></td> </tr> <tr> <td>Password:</td> <td><input type="password" name="pwd" style="width: 217px;" /></td> </tr> <tr> <td>Choose file:</td> <td><input type="file" name="userfile" style="width: 222px;" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="upload" value="Upload" class="button" /></td> </tr> </table> </form> </p> <p class="cnt_powered">Powered by <a href="http://www.energyscripts.com" target="_blank">EnergyScripts</a></p> <p class="cnt_small">Find more power solution: <a href="http://www.energyscripts.com/Products/product1.html" target="_blank">ES File Upload & Download Manager</a></p> </body> </html>

Hello people! I want to know some security features for file upload in PHP. I did read many stuffs, but not all have answered my questions. To start, I am more on front-end than back-end, so I am not a professional in PHP, but I do know several things in PHP (Procedural). I did create a file upload system before, which was to upload image, including security and validation. Anyway, I am planning to create a similar system again but I want to know more on things which I have applied before. Here are my questions: 1/ When validating file formats, which is better, validating by MIME or regular expression? I used regular expression before, because I have read MIME can be changed, even that I am curious. Here is an example of regular expression which accepts only JPG and GIF files: /\.(gif|jpg)$/i 2/ Can we upload file like EXE without affecting the server? I do not want the EXE file to execute now on the server, or simply, if it is infected, it can ruin the server. Is there a solution to tackle this or it is not recommended? Because many file hosting let you upload EX, RAR, ZIP, script formats etc... 3/ What other security measures should I take into account on file upload? All uploaded files will be in a folder, and the user will get their links to download. 4/ This question is not on security but mostly on cron job. Normally, file uploaded will be stored in a folder but not forever on the sever. I want that each 3 days, each file which has been uploaded, is deleted from the folder. I am not saying all files have to be deleted simultaneously, but each file which is more than 3 days. For example, I upload one today, on Sunday it will be deleted. If I upload another one tomorrow, on Monday it will be deleted. For this, a person told me to store the timestamps in a database and the name of the file. How to proceed the deletion with cron job? Thank!

Hello I have been using the wordpress plugin wp-Customer Reviews (http://wordpress.org...stomer-reviews/) and would like the try extending the capability of the plugin by adding an image upload function. The only problem is that I am not sure where to start? I have managed to add an upload button and field the to html form, but am not sure how to move on from there. If anyone can make any suggestions for me that would be a great help. Thanks garteth69

I have a script that allows for anyone to upload a file to my server using this method move_uploaded_file($_FILES["file"]["tmp_name"], "m/" . $newname); it lets the user select a file for upload and then uploads the file in a directory named "m" once the file upload it provides a link so they can share and anyone can download the file. can I make this safe using .htaccess premissions? I want them to be able to upload and download EXE files but not execute on my server. Thanks for any tips on how to make this safe? Paul