Jump to content

Question about uploading form!

Snooble

By Snooble
in PHP Coding Help

 Share

Recommended Posts

Snooble Regular Member

Snooble

Posted
Posted

Hey,

 

I've a quick question.. here's my upload form:

<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="checkupload.php" method="POST">
   <!-- MAX_FILE_SIZE must precede the file input field -->
   <input type="hidden" name="MAX_FILE_SIZE" value="104857600" />
   <!-- Name of input element determines name in $_FILES array -->
   Send this file: <input name="userfile" type="file" />
   <input type="submit" value="Send File" />
</form>

 

And heres the checkupload.php:

 

<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
$size = $_FILES['userfile']['size']/ 1024 / 1024;
$size = round($size, 2);

   echo "Successful Upload.\n $size MB";
} else {
   echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>

 

When i try to upload a file called "Snooble's Game.mp3" The saved file is named "s Game.mp3"

 

So i need to escape the ' 's? how!?!? Thanks

 

Snoobs

Link to comment
Share on other sites
Snooble Regular Member

Snooble

Posted
  • Author
Posted

Why would you not allow spaces? should i strip everything harmful.. such as <>-'";:#[]{} etc. just leave _?

 

plus, would the file be uploaded before the page goes to checkupload.php? or is it safe to have the error checking on the checkupload.php page?

 

Thanks people !

 

Snoobs

Link to comment
Share on other sites
MadTechie Regular Member

MadTechie

Posted
Posted

When i try to upload a file called "Snooble's Game.mp3" The saved file is named "s Game.mp3"

 

So i need to escape the ' 's? how!?!? Thanks

 

Snoobs

 

Where is the filename being stored? as the upload routine you have is fine..

can you  post the part that stores the data..

 

as for filtering you should check the file type..

Link to comment
Share on other sites
Snooble Regular Member

Snooble

Posted
  • Author
Posted

right so after reading the artical. I've changed the checking process... Now looks like this!:

 

<?php
//Сheck that we have a file
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
  //Check if the file is JPEG image and it's size is less than 350Kb
  $name = basename($_FILES['uploaded_file']['name']);
  $filename = str_replace("'","",$name);
  $ext = substr($filename, strrpos($filename, '.') + 1);
  if (($ext == "mp3") && ($_FILES["uploaded_file"]["type"] == "audio/mpeg") && 
    ($_FILES["uploaded_file"]["size"] < 104857600)) {
    //Determine the path to which we want to save this file
      $newname = dirname(__FILE__).'/uploads/'.$filename;
      //Check if the file with the same name is already exists on the server
      if (!file_exists($newname)) {
        //Attempt to move the uploaded file to it's new place
        if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
           echo "It's done! The file has been saved as: ".$newname;
        } else {
           echo "Error: A problem occurred during file upload!";
        }
      } else {
         echo "Error: File ".$filename." already exists".$_FILES['uploaded_file']['name']."";
      }
  } else {
     echo "Error: Only .mp3 songs under 100MB are accepted for upload";
  }
} else {
echo "Error: No file uploaded";
}
?>

 

BUT! I'm still getting issues with the filename! It still only displays AFTER the apostrophe.

 

I tried echoing out $_FILES['uploaded_file']['name']. And i get "s Game.mp3"!

 

PLEASE HELP!

 

Snoobs

Link to comment
Share on other sites
Snooble Regular Member

Snooble

Posted
  • Author
Posted

What I'm saying is that the file's name that gets sent from:

 

<form enctype="multipart/form-data" action="checkupload.php" method="POST">
   <!-- MAX_FILE_SIZE must precede the file input field -->
   <input type="hidden" name="MAX_FILE_SIZE" value="104857600" />
   <!-- Name of input element determines name in $_FILES array -->
   Send this file: <input name="uploaded_file" type="file" />
   <input type="submit" value="Send File" />
</form>

 

Isn't the full title! I need it to be sent as a full title. How can I get the full filename sent to checkupload.php? Because then i can strip the invalid characters before upload.

 

Thanks

 

Snoobs

Link to comment
Share on other sites
premiso Regular Member

premiso

Posted
Posted

premiso: would you like to explain these "major issues and is a security flaw"

Snooble: please read my last post

 

If you have a test server upload a few files with a ', ; " / \ ? > < and then attempt to delete them.

 

Chances are you cannot delete some of them. I am not exactly sure the way to exploit the server, it has been years since I was in that scene, but uploading a file named something like this  filename/filenamed/file/file.php  will create those folders etc. And if the php ext is allowed one could just goto that area and execute that php script to easily exploit that server.

 

If you really want to learn about the security flaws for allowing any file to be named anything you can find it online if you know where to go. I do not really want to go into much detail other than that cause that stuff is bad. I can probably go in more detail if you PM me, I just do not feel like feeding script kiddies ideas, ya know?

Link to comment
Share on other sites
MadTechie Regular Member

MadTechie

Posted
Posted

uploading a file named something like this  filename/filenamed/file/file.php  will create those folders etc.

Not if basename() is used,

 

And if the php ext is allowed one could just goto that area and execute that php script to easily exploit that server.

and i agree, but thats why filtering is needed..

 

While i agree that renaming can be a idea for security.. their are many options, but you must always keep in mind,.

how is the system going to deal with these uploads ??

 

 

Snooble:

First thing

You say the file is being displayed as

When i try to upload a file called "Snooble's Game.mp3" The saved file is named "s Game.mp3"

I assume this is the actual filename and not the filename stored in a database..

if this is true then your need to update the code a little, try this

 

<?php
//check that we have a file
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0))
{
  //Check if the file is JPEG image and it's size is less than 350Kb
$name =(get_magic_quotes_gpc())?stripslashes($_FILES['uploaded_file']['name']):$_FILES['uploaded_file']['name'];
$filename = basename($name);
#$filename = str_replace("'","",$filename);
$ext = strtolower(substr($filename, strrpos($filename, '.') + 1));
if (($ext == "mp3") && ($_FILES["uploaded_file"]["type"] == "audio/mpeg") && 
	($_FILES["uploaded_file"]["size"] < 104857600)) {
    //Determine the path to which we want to save this file
      $newname = dirname(__FILE__).'/uploads/'.$filename;
      //Check if the file with the same name is already exists on the server
      if (!file_exists($newname)) {
        //Attempt to move the uploaded file to it's new place
        if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
           echo "It's done! The file has been saved as: ".$newname;
        } else {
           echo "Error: A problem occurred during file upload!";
        }
      } else {
         echo "Error: File ".$filename." already exists".$_FILES['uploaded_file']['name']."";
      }
  } else {
     echo "Error: Only .mp3 songs under 100MB are accepted for upload";
  }
} else {
echo "Error: No file uploaded";
}
?>

Link to comment
Share on other sites
premiso Regular Member

premiso

Posted
Posted

uploading a file named something like this   filename/filenamed/file/file.php   will create those folders etc.

Not if basename() is used,

 

And if the php ext is allowed one could just goto that area and execute that php script to easily exploit that server.

and i agree, but thats why filtering is needed..

 

While i agree that renaming can be a idea for security.. their are many options, but you must always keep in mind,.

how is the system going to deal with these uploads ??

 

Yea I just read the first post and missed the basename in the reply.

 

However, I would do a check to make sure that only numbers, (spaces maybe), periods and letters are allowed. As basename does not filter it, although it may not be a security deal it does some weird stuff when you cannot delete the file without going through the shell due to a ' etc.

 

But that is just me I guess. I am pretty paranoid when it comes to file uploads.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.