PHP Creating Secure File Upload


xmuzukerx

Hello, I have a problem developing a secure file upload/download system using PHP. In this code there is no restriction on choosing any file type, but there is a restriction on file size, and the file info will be stored in the database.

Problem
# I'm stuck creating an upload form where a message box pops up saying "there is an error due to no file selected" when I click the upload button without selecting any file
# I need help setting the file size limit below 3MB, so that if I upload a file larger than 3MB a message box pops up saying "maximum file size!" instead of showing "Undefined index:" at the top of the browser

Here is the code in uploadaction.php

<?php
include "db_connect.php";
$uploaddir = 'folder/';
// destination path is built from the client-supplied file name
$uploadfile = $uploaddir . basename($_FILES['myfile']['name']);
move_uploaded_file($_FILES['myfile']['tmp_name'], $uploadfile);
//lol
$id = 'id';
$filename = $_FILES['myfile']['name'];
$title = $_POST['title'];
$name = $_POST['name'];
$date = date("Y-m-d");
$time = date("H:i:s");
// we got the name, so we just proceed to store them

// the POST values are interpolated straight into the SQL string
$q = mysql_query("INSERT INTO files values ('$id','$filename','$title','$name','$date','$time')");

require "download.php";

?>

Here is the form in download.php

<form method='post' action='uploadaction.php' enctype='multipart/form-data'>
<p>Title :  <input type='text' name='title'></p>
<p>File   :  <input type='file' name='myfile'></p><br />
<input type='hidden' name='name' maxlength='25' value='$username'>
<input type='submit' value='Upload' name='submit'>
</form>

* the form is on download.php, which refers to uploadaction.php to do the upload
I've tried to find code from other sources but it didn't help; I would love it if JavaScript code could be added to improve this. Thank you so much~

IMO there should always be a whitelist of file extensions so that users cannot download scripting files etc.

The $_FILES superglobal array gets populated with several bits of information about the file(s) that was uploaded via html form.

This includes (might forget some) ['size'], ['tmp_name'], ['name'], ['error'], ['type'].

Use this information to validate the file and check for any errors.

This might also help.

I want to make this upload form display a notification (there is no file chosen) when the submit button is clicked

and also to make the submit button allow files below 3MB to be uploaded and deny any file larger than 3MB by displaying the message (max file size)

91weblessons: I would not recommend anyone following that tutorial: It is out of date, and quite lacking in security checks. Not to mention that the code blocks are nigh unreadable, thanks to the missing indentation and the fact that you don't check for errors but success. Which is causing nesting hell, and a disconnect between the error message and the actual check. (Exit early is a nice principle.)

We are already helping one person with cleaning up after your tutorials, I do not wish that number to increase. So, please clean them up, secure them, and make sure they are current.

xmuzukerx: What I suggest is that you take that list of conditions that you want to have met (or not), and set it up as a step-by-step list of what you want your code to do. Break it down to the smallest possible elements, preferably a single verb-subject combination which accurately describes everything, in detail, that the code should do.

Once you have that list, you should peruse the docs as listed below, and try to figure out which functions and/or variables give you what you need. Play around with the code a bit, use var_dump to echo out the contents of the variables, and see if you can't make the code match the logic you have on paper. ;)

What you have above is a good start, for a basic uploader. All you need to do now, is to add the error-checking and conditional logic to it.

Edited by Christian F.
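A hardened uploadaction.php, written here as an added example rather than code from the thread, that turns the advice in the two replies above into the step-by-step checks they describe: read ['error'] and ['size'] from $_FILES before anything else, whitelist the file type, and exit early with one message per check. It assumes db_connect.php provides a PDO connection in $pdo, that the files table has columns filename, title, name, date and time, and that a hypothetical fail() helper is acceptable for showing the message box the original post asks for.

```php
<?php
// Added example, not the thread's code. Assumes db_connect.php sets $pdo (PDO)
// and a table files(filename, title, name, date, time); fail() is hypothetical.
declare(strict_types=1);
require 'db_connect.php';

const MAX_BYTES  = 3 * 1024 * 1024;        // the 3MB limit asked for in the thread
const UPLOAD_DIR = __DIR__ . '/folder/';   // serve with script execution disabled
const ALLOWED    = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

function fail(string $msg): void {
    // Exit early: one check, one message, no nesting.
    http_response_code(400);
    exit('<script>alert(' . json_encode($msg) . ');history.back();</script>');
}

$f = $_FILES['myfile'] ?? null;
if ($f === null) {
    // When the whole POST exceeds post_max_size PHP empties both $_POST and
    // $_FILES, which is the "Undefined index" the original post ran into.
    fail(empty($_POST) && ($_SERVER['CONTENT_LENGTH'] ?? 0) > 0
        ? 'maximum file size!' : 'there is an error due to no file selected');
}
// ['error'] is the authoritative status; consult it before ['name'] or ['tmp_name'].
if ($f['error'] === UPLOAD_ERR_NO_FILE) {
    fail('there is an error due to no file selected');
}
if ($f['error'] === UPLOAD_ERR_INI_SIZE || $f['error'] === UPLOAD_ERR_FORM_SIZE
    || $f['size'] > MAX_BYTES) {
    fail('maximum file size!');
}
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    fail('upload failed');
}
// Whitelist by extension and by sniffed content; ['type'] comes from the client.
$ext  = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!isset(ALLOWED[$ext]) || ALLOWED[$ext] !== $mime) {
    fail('file type not allowed');
}
// Server-chosen random name: the client never controls the stored path.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $stored)) {
    fail('could not save file');
}
// Prepared statement instead of interpolating $_POST values into the SQL string.
$stmt = $pdo->prepare('INSERT INTO files (filename, title, name, date, time) VALUES (?, ?, ?, ?, ?)');
$stmt->execute([$stored, $_POST['title'] ?? '', $_POST['name'] ?? '', date('Y-m-d'), date('H:i:s')]);
require 'download.php';
```

The original file name is deliberately not reused on disk; if it is needed for display later, store it in a separate column as data, not as a path.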
91weblessons: To be frank, don't give web lessons if you do not know what you are doing.

 

Your file upload backend code leaves a HUGE security hole that would allow me to pass any file I wanted to the server, not to mention what ChristianF already mentioned.
