Can anyone tell me if my script is secure?


cheezian


Hi, I've created a simple file uploading form and a page that allows people to download their file without linking directly to it. I've not allowed direct linking, and if someone does, their link becomes invalid within 24 hours. I've also not allowed the running of PHP scripts from the upload directory via a .htaccess setting. I'm sure there are security flaws in this script but I'm not experienced enough in PHP to know.

You can check out the code in action here: http://cheezit.zapto.org/index.php?p=upload

and the code for the upload form...

```php
<?php
echo '<h2>Easy File Sharing</h2>
Upload files easily and share them with your friends or on a forum! After you hit "Upload" you will be given a link that anyone can use anywhere to download your file.
<br><br>
<div style="font-variant: small-caps">Disclaimer: We cannot guarantee that your files will remain online. Illegal material will be removed immediately. Other that, we have a freedom of access policy. Do not use this as your only form of backup. The only way to delete your files is to contact us.</div>
<br><br>
<center><form action="index.php?p=uploader" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />';
require_once('recaptchalib.php');
$publickey = "6LeMOwcAAAAAAL-3-BKTjzd1sqSCmOwrMpQoMx0p"; // you got this from the signup page
echo recaptcha_get_html($publickey);   // renders the reCAPTCHA widget inside the form

echo '<br><input type="submit" name="submit" value="Upload" />
</form></center>';
```

the code that handles the form..

```php
<?php
echo "<h2>Easy File Sharing</h2>";

// The upload directory name is the first 9 bytes of the file "uploaddirectory";
// $theData holds that directory name for the rest of the script.
$myFile = "uploaddirectory";
$fh = fopen($myFile, 'r');
$theData = fread($fh, 9);
fclose($fh);

require_once('recaptchalib.php');
$privatekey = " 	6LeMOwcAAAAAAPwUdh8QoFw8T4VwPLX8_Z6__PjF ";
$resp = recaptcha_check_answer($privatekey,
                               $_SERVER["REMOTE_ADDR"],
                               $_POST["recaptcha_challenge_field"],
                               $_POST["recaptcha_response_field"]);

if (!$resp->is_valid) {
    die("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
        "(reCAPTCHA said: " . $resp->error . ")");
} else {
    if ($_FILES["file"]["size"] < 2000000000000) {
        // Only error codes above 1 are reported; UPLOAD_ERR_INI_SIZE (1) falls through.
        if ($_FILES["file"]["error"] > 1) {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
        } else {
            // Name, type and size come from the client and are echoed back as given.
            echo "Filename: " . $_FILES["file"]["name"] . "<br />";
            echo "Type: " . $_FILES["file"]["type"] . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            //echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

            // The file is stored under its original client-supplied name.
            if (file_exists("$theData" . "/" . $_FILES["file"]["name"])) {
                echo $_FILES["file"]["name"] . " already exists. Just rename your file before uploading. ";
            } else {
                move_uploaded_file($_FILES["file"]["tmp_name"],
                                   "$theData" . "/" . $_FILES["file"]["name"]);
                //echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
                echo "<br><br>You may access your file at the following link >><br> <a href=\"http://cheezit.zapto.org/fileviewer.php?t=upload&f=" . $_FILES["file"]["name"] . "\">" . "http://cheezit.zapto.org/fileviewer.php?t=upload&f=" . $_FILES["file"]["name"] . "</a>";
            }
        }
    } else {
        echo "File too large! If you are spamming you will be banned swiftly with the power like that of a god.";
    }
}
```

and finally the code that lets users download a file

```php
<?php
// $theData (the current upload directory name) is assumed to be set the same
// way as in the upload handler above.
$filename = $_GET['f'];   // taken straight from the query string
$type = $_GET['t'];
if ($type == "img") {
    echo "<b>You are viewing $filename </b><br><br>";
    echo "<img src=\"files/$filename\">";
}
if ($type == "upload") {
    //echo "Please be patient! You're on your way to download a file! This will take FIVE seconds, do not leave this page!<br>File sharers: DO NOT directly link to the file you are about to see! In 5 minutes the direct link will not work, use the URL you see in your address bar now!<br>Make sure you're sharing the correct link <a href=\"fileviewer.php?t=img&f=correctLink.png\">here.</a>";
    echo "Attention File Sharers! DO NOT directly link to the file below! Use the URL that is currently in your address bar, or the link that appeared on the previous page. <a href=\"fileviewer.php?t=img&f=correctLink.png\">Click here</a> to make sure you're sharing/saving the correct link.<br><br><br><br><a href=\"http://cheezit.zapto.org/" . $theData . "/" . $filename . "\"><h2><b>CLICK HERE TO DOWNLOAD THE FILE</b></h2></a>";
} else {
    echo "";
}
```

 

Can you point out any flaws? Thanks :D
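For comparison, here is an added example (not cheezian's code) of the upload handler and the download lookup written the way a reviewer would suggest: every upload error code is treated as a failure, the stored name is chosen by the server instead of taken from the client, only allow-listed extensions are accepted, and the download page resolves the requested name inside the upload directory and HTML-escapes what it echoes. `$uploadDir`, `MAX_BYTES` and `ALLOWED_EXT` are assumed values standing in for the poster's `$theData` and a site policy.

```php
<?php
// Added example, not the poster's code. $uploadDir stands in for the directory
// name the poster reads into $theData; MAX_BYTES / ALLOWED_EXT are assumed policy.
const MAX_BYTES   = 20 * 1024 * 1024;   // a real cap; the original's 2e12 is no limit
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'zip', 'txt'];
$uploadDir = 'uploads';                 // assumed: the directory $theData names

// Returns the server-chosen stored name, or throws with a message safe to display.
function store_upload(array $file, string $uploadDir): string
{
    // Anything other than UPLOAD_ERR_OK (0) is a failure; the original "> 1" test
    // lets UPLOAD_ERR_INI_SIZE (1) fall through to the success path.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . (int) $err);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('File rejected');
    }
    // The client name may contain "../" or end in .php: keep only its extension,
    // and only if that extension is on the allow list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File type not allowed');
    }
    // Random server-chosen name: no traversal, no collisions, no executable suffix.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored;
}

// Resolves a requested name to a path inside $uploadDir, or null if it escapes it.
function resolve_download(string $requested, string $uploadDir): ?string
{
    $base = realpath($uploadDir);
    $path = $base === false ? false : realpath($base . '/' . basename($requested));
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Download page: resolve first, then HTML-escape anything placed into the markup.
$path = resolve_download($_GET['f'] ?? '', $uploadDir);
echo $path === null
    ? 'No such file.'
    : '<a href="' . htmlspecialchars("$uploadDir/" . basename($path), ENT_QUOTES, 'UTF-8') . '">Download</a>';
```

The link the upload page hands out would then carry the random stored name rather than the client's original filename, which also removes the "already exists, rename your file" collision branch.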
