some questions

[cskiwi]

Question 1)

 

hey, I was working on an upload script for uploading *.rar and *.zip files

first I created the script without any restrictions, and that worked great

 

the I wanted to add the restrictions, that he can only upload *.rar and *.zip

 

 

That didn't work out for me

I used this code:

<?php
if (($_FILES["file"]["type"] == "file/zip")
|| ($_FILES["file"]["type"] == "file/rar"))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Error: " . $_FILES["file"]["error"] . "<br />";
    } else {
// upload script
}
} else
{
echo "File is invalid.";
}
?> 

 

---

question 2)

 

I have a shoutbox and I wanted to count how many post someone makes

the default value is 0

and for every post he makes I want to count the value with +1

it's just that the count doesn't work, I used this code:

<?php 
// een deel code
$post = $gegeven->sb_post + '1';
// meer code
?>

What am I doing rong?

[trq]

In case you haven't noticed this is an English speaking board.

[cskiwi]

In case you haven't noticed this is an English speaking board.

ow srry going to change it, in a sec srrryyy

 

edit: changed in my best englisch XD

[cskiwi]

no1 know some answers?

[cags]

From my experience the value in the "type" section of the array is far from accurate with regards to comparing it in the manner you have. For some reason, which I'm sure theres an explanation for, a file doesn't always have the correct type associated with it. A work around could be to check what the file extention of the filename is using the string functions or regex.

 

This obviously this isn't a perfect solution as somebody can change a file extension. No doubt somebody has a better idea, but since you seemed to be in a hurry I thought I'd share what I know.

[cskiwi]

From my experience the value in the "type" section of the array is far from accurate with regards to comparing it in the manner you have. For some reason, which I'm sure theres an explanation for, a file doesn't always have the correct type associated with it. A work around could be to check what the file extention of the filename is using the string functions or regex.

 

This obviously this isn't a perfect solution as somebody can change a file extension. No doubt somebody has a better idea, but since you seemed to be in a hurry I thought I'd share what I know.

first, yea I'm in a hurry

 

thc for the reply

 

my english isn't that good, but if I understand you right,

your telling me that I have to search for the right extensions, for in the script?

[PFMaBiSmAd]

The mime types for .zip and .rar can be -

 

'application/x-rar-compressed' for rar

application/x-zip-compressed' for zip

'application/zip' for zip

 

Unfortunately, different browsers send different values for the same file, so you need to test for all those. It is best to put the accepted values into an array and use in_array to test what was received against the values.

 

I know you probably got that upload code at w3schools.com, but it is WRONG and you need to fix it. When they added the ['type'] test to the example they were developing, they added it before the test of the uploaded ['error'] element. The ['error'] element must be tested first because several of the upload errors won't set the ['type'] element, so that code will report an invalid file type when in fact an upload error occurred and the code to test for and display which upload error occurred will never be executed.

 

The code to display the result of testing the ['type'] should also display the value that failed the test so that you can see exactly what it is (some browsers send different mime types for the same file.)

[cskiwi]

The mime types for .zip and .rar can be -

 

'application/x-rar-compressed' for rar

application/x-zip-compressed' for zip

'application/zip' for zip

 

Unfortunately, different browsers send different values for the same file, so you need to test for all those. It is best to put the accepted values into an array and use in_array to test what was received against the values.

 

I know you probably got that upload code at w3schools.com, but it is WRONG and you need to fix it. When they added the ['type'] test to the example they were developing, they added it before the test of the uploaded ['error'] element. The ['error'] element must be tested first because several of the upload errors won't set the ['type'] element, so that code will report an invalid file type when in fact an upload error occurred and the code to test for and display which upload error occurred will never be executed.

 

The code to display the result of testing the ['type'] should also display the value that failed the test so that you can see exactly what it is (some browsers send different mime types for the same file.)

 

I didn't get it from w3schools, but I figured it out that the person where I got it from got it from w3schools, I'm going to change my script now, I'll post what I get

[PFMaBiSmAd]

You need to validate everything possible about the uploaded file if you want your script to be safe. You must test the ['type'] and the file extension and if possible validate that the actual contents in the file matches what the type and extension indicates. You must also put uploaded files into a folder that either has the php language engine disabled or prevents direct http/https request to those files.

 

See the following thread for an example of what can happen when you don't do everything possible to secure what is uploaded and where it gets put on your server - http://www.phpfreaks.com/forums/index.php/topic,270592.0.html

[cskiwi]

OK, I've added to my code, placed the error in first,

 

now I have this, but it still says: invalid file

 

fulll script

<?php
if ($_FILES["file"]["error"] > 0)
    {
	echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
	}
  else
	{
		if (($_FILES["file"]["type"] == "application/x-rar-compressed")
		|| ($_FILES["file"]["type"] == "application/x-zip-compressed")
		|| ($_FILES["file"]["type"] == "apllication/zip"))
		  {

			$dll_source = $_FILES["file"]["name"];
			$dll_type = $_FILES["file"]["type"];
			$dll_comment = $_POST["comment"];
			$dll_file_name = $_POST["name"];

			include ('mysql.php');
			$sql= mysql_query ("
							   INSERT INTO download (source, name, type, comment) 
							   VALUES ('$dll_source', '$dll_file_name', '$dll_type', '$dll_comment')");
			header("refresh: 0; index.php?site=downloads");
		   if (file_exists("dll/" . $_FILES["file"]["name"]))
			  {
			 	 echo $_FILES["file"]["name"] . " already exists. ";
			  }
			else
			  {
				  move_uploaded_file($_FILES["file"]["tmp_name"],
				  "dll/" . $_FILES["file"]["name"]);
				  echo "Stored in: " . "dll/" . $_FILES["file"]["name"];
			  }

		} else {
			  echo "Invalid file";
}
}
  
?> 

[PFMaBiSmAd]

The code to display the result of testing the ['type'] should also display the value that failed the test so that you can see exactly what it is

If you don't display the value that is failing, you will never find out why your test is failing.

[cskiwi]

The code to display the result of testing the ['type'] should also display the value that failed the test so that you can see exactly what it is

If you don't display the value that is failing, you will never find out why your test is failing.

 

how do you mean?

I get the error, invailid file

[PFMaBiSmAd]

Echo $_FILES["file"]["type"] as part of the "Invalid file" message.

[cskiwi]

Echo $_FILES["file"]["type"] as part of the "Invalid file" message.

 

ow yea thx, I must alsow add: application/force-download

[cskiwi]

Yeay, script 100% works now thanks

 

now, my second question (check my first post)