Uploading files with php, few questions


cs.punk

I am busy working on a 'profile pic' feature for my site,

 

so far it seems to be working ok with this:

 

if (isset($_POST['upload_pic']))
{
   $file_name = $_FILES['pic']['name'];
   $file_type = $_FILES['pic']['type'];
   $file_tmp = $_FILES['pic']['tmp_name'];
   $file_size = $_FILES['pic']['size'];

   if (eregi(".jpg", $filename) || ereg(".jpeg", $filename))
   {
      copy($file_tmp, "../file_uploads/profile_pic-$user-$user_id.jpeg");
   }
   else
   {
      echo "File is NOT a jpeg format photo!";
   }
}

 

Most importantly, is this a secure method for uploading files?

 

Firstly, should I be using the 'copy()' function or the 'move_uploaded_file()'?

 

Secondly, if someone had a file virus.exe and renamed it to virus.jpeg, uploaded it to my site, is there any way he can run that file as a .exe?

 

Thirdly, how do I make a photo id counter example (for the purpose of multiple pics):

profile_pic-george-1-1.jpeg

profile_pic-george-1-2.jpeg

profile_pic-george-1-3.jpeg

profile_pic-george-1-4.jpeg ?

Using the mysql database seems to be a waste of resources for such a lil thing?


2. No not possible. Any files uploaded to the server cannot be executed, unless they find a security hole in your site which allowed them to run malicious code.

 

?... So then why do I often read that you should 'prevent' users from uploading malicious files?...

Ok, that copy I gave doesn't seem to work....

I worked on it a bit:

if (isset($_POST['upload_pic']))
{
   $file_name = $_FILES['pic']['name'];
   $file_type = $_FILES['pic']['type'];
   $file_tmp = $_FILES['pic']['tmp_name'];
   $file_size = $_FILES['pic']['size'];

   // Parentheses added: && binds tighter than ||, so without them the
   // type check only applied to the ".jpeg" branch
   if ((eregi(" .jpg", $file_name) || eregi(" .jpeg", $file_name))
       && eregi("image", $file_type))
   {
      move_uploaded_file($file_tmp, "../file_uploads/profile_pic-$user-$user_id.jpeg");
   }
   else
   {
      echo "<p class='error'>File is NOT a photo in jpeg format!</p>";
   }
   //I only echo out this for me
   echo "<p class='smallheading'>File name: $file_name
         <br/>
         File type: $file_type
         <br/>
         File location: $file_tmp
         <br/>
         File size: $file_size</p>";

   // When someone loads a users profile, if the 'profile_pic' value is not equal
   // to 1, it must show the default picture
   $sql_u_profilepic = "UPDATE users_profile SET profile_pic='1'
                        WHERE user_id='$user_id'";
   $mq_u_profilepic = mysqli_query($mysqli_con, $sql_u_profilepic);
}

 

Two questions though, when a file bigger than the $_POST[max_file_size] is uploaded, the $_FILES[pic] becomes zero, so I can't make a

<?php
$max_size = 500000; //0.5 mb
if ($_FILES['pic']['size'] > $max_size)
{
   die;
}
else
{
   //copy the file
}
?>

 

As it will always be less than the $max_size...

 

Secondly,

eregi(" .jpeg", $file_name)

Will allow any file containing " .jpeg" (so 'virus bad .jpeg .exe' will be allowed). How do I change it so that ".jpeg" MUST BE AT THE END of the file name?...

 

 

Once again, thanks guys in advance!
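
The questions raised in this thread (detecting an oversized upload, requiring ".jpeg" at the end of the name, checking that a renamed file really is a JPEG, and numbering pictures without a database) can be handled together as below. This is an added example, not code from the original posts; `$upload_dir`, the helper names `check_profile_pic()` and `next_pic_path()`, and the assumption that `$user` contains only letters and digits are illustrative.

```php
<?php
// Added example, not code from the thread. $upload_dir, $user and $user_id
// are assumed to be set by the surrounding application, as in the posts.
const MAX_PIC_BYTES = 500000; // 0.5 MB, the limit used in the post

// Returns an error message, or null when the upload is an acceptable JPEG.
function check_profile_pic(array $file): ?string
{
    // An oversized upload is reported through the error code; size stays 0.
    if ($file['error'] === UPLOAD_ERR_INI_SIZE || $file['error'] === UPLOAD_ERR_FORM_SIZE) {
        return 'File is too large.';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed (error code ' . $file['error'] . ').';
    }
    if ($file['size'] > MAX_PIC_BYTES) {
        return 'File is too large.';
    }
    // "$" anchors the match, so ".jpg"/".jpeg" must be the end of the name.
    if (!preg_match('/\.jpe?g$/i', $file['name'])) {
        return 'File name must end in .jpg or .jpeg.';
    }
    // Name and $_FILES type are client-supplied; inspect the bytes instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'File is NOT a photo in jpeg format!';
    }
    return null;
}

// Next free counter for profile_pic-<user>-<id>-<n>.jpeg, without a database.
// Assumes $user has no glob metacharacters (letters and digits only).
function next_pic_path(string $dir, string $user, int $user_id): string
{
    $prefix = "$dir/profile_pic-$user-$user_id-";
    $max = 0;
    foreach (glob($prefix . '*.jpeg') ?: [] as $path) {
        $max = max($max, (int) substr($path, strlen($prefix)));
    }
    return $prefix . ($max + 1) . '.jpeg';
}

if (isset($_POST['upload_pic'], $_FILES['pic'])) {
    $error = check_profile_pic($_FILES['pic']);
    if ($error !== null) {
        echo "<p class='error'>" . htmlspecialchars($error) . "</p>";
    } elseif (!move_uploaded_file($_FILES['pic']['tmp_name'], next_pic_path($upload_dir, $user, (int) $user_id))) {
        echo "<p class='error'>Could not store the file.</p>";
    }
}
```

The stored name is chosen by the server and always ends in `.jpeg`, so the client-supplied file name never reaches the filesystem. Two simultaneous uploads by the same user can compute the same counter, so a busy site would need a lock around the numbering step.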
