razta Posted May 23, 2009

Hello, I'm looking to secure the following code:

    // Low-security tier: the client-supplied file name is used as-is,
    // with no check on type, extension or size.
    if (isset($_POST['Upload'])) {
        $target_path = "uploads/";
        $target_path = $target_path . basename($_FILES['uploaded']['name']);

        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>Your image was not uploaded.</pre>';
        } else {
            echo 'Image succesfully uploaded!';
        }
    }

This is for an open source project called 'Damn Vulnerable Web App'. In DVWA there will be three tiers of security; the code above is low security. I need medium security and high security of the same code above. I've searched and found some things, however been unable to get them to work. Any help much appreciated.

http://sourceforge.net/projects/dvwa

Cosizzle Posted May 23, 2009

I don't want to write out the solution... but something I tend to do is:

1. break apart the name and extension http://ca3.php.net/basename
2. give it a new name
3. error check against the extension
4. if everything passes take the newly named file and move it to the defined upload directory. http://ca3.php.net/move_uploaded_file

razta (Author) Posted May 23, 2009

Thanks for the info! I think I may have figured it out!

EDIT--- For some reason I cannot edit the original post to mark the topic as 'SOLVED'. My conclusion was to use the following:

    if (($uploaded_type == "image/pjpeg") && ($uploaded_size < 100000))

fantomel Posted May 23, 2009

- check extension
- change file name
- add a size limit
- add allowed type of files to be added

If I come with other ideas, I will let you know.
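
The steps listed in the replies above (split off and check the extension, rename, limit size, restrict type, then move), combined into one handler as an added example; it is not code from any poster in this thread or from DVWA. The field name, `uploads/` path and 100000-byte limit come from the thread; the allow-list, the `validate_upload()` helper and the random naming scheme are assumptions.

```php
<?php
// Added example (not from the thread): hardened variant of the upload handler.
// Assumed: the allow-list below and the helper name validate_upload().
const MAX_BYTES = 100000; // size limit quoted in the thread
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Size limit, measured on the temporary file stored by the server.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Break apart name and extension, then check the extension (allow-list).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed.');
    }
    // Allowed type, detected from the file content. $_FILES[...]['type'] is
    // sent by the browser and is not verified by PHP, so it is not used here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content is not an allowed image.');
    }
    // New name generated on the server; the client-supplied name is discarded.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        $name = validate_upload($_FILES['uploaded']);
        // Everything passed: move the renamed file into the upload directory.
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], 'uploads/' . $name)) {
            throw new RuntimeException('Could not store file.');
        }
        echo 'Image successfully uploaded!';
    } catch (Exception $e) {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
```

Whether the web server executes scripts from `uploads/` is a separate control that this handler does not cover.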