dsbpac Posted September 19, 2013 Share Posted September 19, 2013 I'm a little stuck on how to make it to where only images can be uploaded and not all files. Thanks in advance! <?php // Your file name you are uploading $file_name = $HTTP_POST_FILES['ufile']['name']; // random 4 digit to add to our file name // some people use date and time in stead of random digit $random_digit=rand(0000,9999); //combine random digit to you file name to create new file name //use dot (.) to combile these two variables $new_file_name=$random_digit.$file_name; //set where you want to store files //in this example we keep file in folder upload //$new_file_name = new upload file name //for example upload file name cartoon.gif . $path will be upload/cartoon.gif $path= "upload/".$new_file_name; if($ufile !=none) { if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path)) { echo "Successful<BR/>"; //$new_file_name = new file name //$HTTP_POST_FILES['ufile']['size'] = file size //$HTTP_POST_FILES['ufile']['type'] = type of file echo "File Name :".$new_file_name."<BR/>"; echo "File Size :".$HTTP_POST_FILES['ufile']['size']."<BR/>"; echo "File Type :".$HTTP_POST_FILES['ufile']['type']."<BR/>"; } else { echo "Error"; } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/ Share on other sites More sharing options...
fastsol Posted September 19, 2013 Share Posted September 19, 2013 http://www.youtube.com/playlist?list=PL10C2E583722F66E7 Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450176 Share on other sites More sharing options...
Rifts Posted September 19, 2013 Share Posted September 19, 2013 just check the file type? $info = pathinfo($pathtofile); if ($info["extension"] == "jpg") { .... } Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450180 Share on other sites More sharing options...
jcbones Posted September 19, 2013 Share Posted September 19, 2013 HTTP_POST_FILES was deprecated in PHP4.1.0, which was release December 10, 2001. You should be using the $_FILES array. This one point alone, makes the current script 10+ years out of date. PLEASE don't use the video's as a valid way to check if the file uploaded is an actual image. Anyone can put an image ext on any file they wish to. My suggestion would be to use finfo_open() asking for mime type, finfo_file(), and finfo_close(), and checking against the IMAGETYPE_*** constants. You could use getimagesize(), or exif_imagetype(), the first just gives more info than the second. You can also try to recreate the image with imagecreatefromjpeg() (or png, gif, etc), which will fail if it isn't an image. This way is more resource intensive, but it will let you know 100% if it is an image or not. Bottom line is, don't trust file extensions. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450182 Share on other sites More sharing options...
fastsol Posted September 19, 2013 Share Posted September 19, 2013 I fully admit that the video's method does nothing to validate it's actually an image, but is there any security risk in it's method. Allowing only a white list of extensions would surely be safe at the minimum, granted it doesn't mean a image will actually display if it's not truly a image but it shouldn't harm anything either. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450184 Share on other sites More sharing options...
kicken Posted September 19, 2013 Share Posted September 19, 2013 but is there any security risk in it's method. Potentially yes, if your server is poorly configured. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450200 Share on other sites More sharing options...
vinny42 Posted September 19, 2013 Share Posted September 19, 2013 the first just gives more info than the second. But can be spoofed because it only looks at the first few bytes of the file to see if it defines a set of dimensions. The rest of the data is ignored and could for example be malicious PHP code. You can also try to recreate the image with imagecreatefromjpeg() (or png, gif, etc), which will fail if it isn't an image. This way is more resource intensive, but it will let you know 100% if it is an image or not. +1 Potentially yes, if your server is poorly configured. Not checking the file's content is dangerous on any server, because hackers don't just call the .jpg file to try to execute it, they also exploit holes in include and require. Those will happily load any file on the server including PHP files disguised under a ".jpg" extension. Thus, giving a hacker the option to upload a PHP script is bad no matter what. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450219 Share on other sites More sharing options...
mac_gyver Posted September 19, 2013 Share Posted September 19, 2013 the safest thing to do with all uploaded files is to put them into a folder where there's no direct http access and no permissions to run (and assuming you don't provide a way of allowing them to be included into a script or executed via a shell command), then if something does get past your checking/validation, they cannot be requested on the server and executed as a script/application. you would then use a .php script to dynamically output the file's contents, so that they will only be treated as a data file on the server. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450228 Share on other sites More sharing options...
vinny42 Posted September 19, 2013 Share Posted September 19, 2013 And even then the file could contain javascript which the browser could pickup. For images you can use PHP's image functions and there are problably a few validations for other filetypes out there, but once you allow data from uncontrolled sources into your system you are op to all kinds of weird attacks. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450253 Share on other sites More sharing options...
jazzman1 Posted September 19, 2013 Share Posted September 19, 2013 (edited) the safest thing to do with all uploaded files is to put them into a folder where there's no direct http access and no permissions to run (and assuming you don't provide a way of allowing them to be included into a script or executed via a shell command), then if something does get past your checking/validation, they cannot be requested on the server and executed as a script/application. you would then use a .php script to dynamically output the file's contents, so that they will only be treated as a data file on the server. +1 mac File/directory permissions should be our essential part of building any web app. Then, we can apply the rules which were already mentioned above. Edited September 19, 2013 by jazzman1 Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450257 Share on other sites More sharing options...
vinny42 Posted September 19, 2013 Share Posted September 19, 2013 The only really important bit is and assuming you don't provide a way of allowing them to be included into a script or executed via a shell command Not allowing certain files into your system is one thing, preventing them from being used in ways that you did not intend is another, and filesystem permissions are going to do very little against a bug in a piece of PHP code. Quote Link to comment https://forums.phpfreaks.com/topic/282267-only-allowin-images-to-be-uploaded/#findComment-1450261 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.