Jump to content

Recommended Posts

<?php
    // Maximum file size for upload
    $maxFileSize = 5242880;
    
    // If file is too large
    if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
        echo "File too large";
    else
    {
        if(isset($_POST['submit']))
        {
            // List of acceptable file types
            $whitelist = array(
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document",    // .docx
                "application/msword",                                                        // .doc, .rtf
                "text/plain",
                "image/jpeg",
                "image/gif",
                "image/png",
                "application/pdf",
                "application/octet-stream",                                                    // .rar
                "application/x-zip"                                                            // .zip
            );
            
            // Is uploaded file type in whitelist array
            if(!in_array($_FILES['file_upload']['type'], $whitelist))
                exit("Bad Filetype");
            
            // Don't allow php files
            if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
                exit("We do not allow uploading PHP files\n");
            
            // Move the file
            $uploaddir = '../uploads/';
            $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);
            
            if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
                exit("File is valid, and was successfully uploaded.\n");
            else
                exit("File uploading failed.\n");
        }
    }
?>
<html>
    <head>
        <title>Upload Test</title>
    </head>
    <body>
        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
            <input type="file" name="file_upload" />
            <input type="submit" name="submit" value="upload" />
            <br />
            <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
        </form>
    </body>
</html>

Link to comment
https://forums.phpfreaks.com/topic/237668-is-this-upload-script-secure/
Share on other sites

You may want to use a more graceful technique for stopping your script rather than exiting mid execution. Also, MIME types are browser dependent I believe, meaning that not all browsers send the same MIME type for the same file type (although this may have changed with new versions of browsers. Its been a while since i've made an upload script). Also MIME types can be spoofed. You may want to also check the extension as well as the MIME type

You may want to use a more graceful technique for stopping your script rather than exiting mid execution. Also, MIME types are browser dependent I believe, meaning that not all browsers send the same MIME type for the same file type (although this may have changed with new versions of browsers. Its been a while since i've made an upload script). Also MIME types can be spoofed. You may want to also check the extension as well as the MIME type

 

Yea, I was unsure about exit(), I'll just nest everything in if() statements instead. Should I replace the MIME types with a file extension whitelist instead? I know file extensions can also be faked. Is MIME type really that important?

 

Thanks for the feedback.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.