File Uploads via POST vars


3 replies to this topic

#1 ssjskipp


Posted 20 July 2006 - 02:34 PM

I know how to do images and flash (.swf) files (by "do" I mean check file type, etc.), but I'm curious to figure out how to make music, and script (.php; .html; etc.) uploads, and check what type of file they are...

#2 ChaosXero


Posted 20 July 2006 - 02:38 PM

Not entirely sure but you could:
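<?php
$filename = $_POST['file'];
// explode() drops the "." separators, so the pieces carry no leading dot
$ftype = explode(".", $filename);
// Compare against the last piece, since the name itself may contain dots
switch (end($ftype)) {
case "php":
//etc
break;
case "png":
//etc
break;
}
?>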


#3 ssjskipp


Posted 20 July 2006 - 02:46 PM

Thanks, I'll give that a shot =]
BTW, this is only for me to upload, so it's okay if it's not secure.


#4 HeyRay2


Posted 20 July 2006 - 03:31 PM

Don't rely only on the file extension.

Unscrupulous people will change them on you to upload malicious code and "unwanted" files on your server.

A better method is to use an array of MIME filetypes and their associated extensions. This gives you two points of security that every file uploaded must adhere to in order to be considered valid. Like so:

<?php
$valid_files = array();
$valid_files[0] = array("image/png", "png");
$valid_files[1] = array("image/jpeg", "jpg");

// PHP places uploaded file details in $_FILES, not $_POST
$filename = $_FILES['file']['name'];
$ftype = $_FILES['file']['type'];
$fext = explode(".", $filename);
// Since some people use "." in their filenames, we'll take the last item in the $fext array
$fext = $fext[count($fext)-1];

// Set a variable to flag if we find a valid file. Set to 0 by default (not valid until we verify)
$file_is_valid = 0;

foreach($valid_files as $key => $value){
   // $value[0] is the MIME type
   // $value[1] is the file extension
   if( ($value[0] == $ftype) && ($value[1] == $fext) ){
      $file_is_valid = 1;
   }
}

// Compare with ==; a single = would assign 1 and make this branch always run
if( $file_is_valid == 1 ){
   // Upload file
} else {
   // Error out. File is not allowed
}
?>
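
The two-point check from post #4, as an added example that is not part of the thread: `$_FILES['file']['type']` is the value the browser sent with the request, so this version takes the type from the file's bytes with PHP's fileinfo extension instead. The function name `check_upload`, the `ALLOWED` table and the sample files are assumptions made for the illustration.

```php
<?php
// Added example. Allowlist: extension => MIME type expected in the content.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg'];

// $tmpPath:    where the bytes are (in a handler: $_FILES['file']['tmp_name'])
// $clientName: name sent by the client (in a handler: $_FILES['file']['name'])
// Returns a server-generated storage name, or null if the file is rejected.
function check_upload(string $tmpPath, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null; // point 1: extension is not on the allowlist
    }
    // Point 2: detect the type from the bytes on disk (libmagic).
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED[$ext]) {
        return null; // content does not match what the extension claims
    }
    // Store under a generated name rather than the client's.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs, written to temp files so the script runs offline.
$pngHeader = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$samples = [
    ['photo.png',  $pngHeader],           // PNG bytes, .png name
    ['avatar.png', '<?php echo 1; ?>'],   // script text behind a .png name
    ['notes.php',  '<?php echo 1; ?>'],   // extension not on the allowlist
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $result = check_upload($tmp, $name);
    echo $name, ' => ', $result === null ? 'rejected' : 'accepted', "\n";
    unlink($tmp);
}
```

In a real upload handler, also confirm the temp file with `is_uploaded_file()` and move it with `move_uploaded_file()` to a directory the web server does not execute scripts from.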




