Looktrne Posted February 6, 2008

OK, I am writing a file upload form... the uploaded file should be a .php or .ini or similar text file... I want to make sure no .exe files are uploaded... If these files are being written into a folder called uploads with permissions of 777, is this a security issue??? And what should I put in the code to protect the upload from being executable??? Thanks for any help, guys. Here is the PHP; I know it's probably a little sloppy:

    <?php
    $semail = $_POST['semail'];
    // $notes is not set anywhere in the posted code
    if (eregi('http:', $notes)) {
        die ("Do NOT try that! ! ");
    }
    if($semail != "" && (!strstr($semail,"@") || !strstr($semail,"."))) {
        echo "<h2>Use Back - Enter valid e-mail</h2>\n";
        $badinput = "<h2>Feedback was NOT submitted</h2>\n";
        echo $badinput;
        die ("Go back! ! ");
    }
    if(empty($semail)) {
        echo "<h2>Use Back - fill in all fields</h2>\n";
        die ("Use back! ! ");
    }
    $todayis = date("l, F j, Y, g:i a") ;
    $attn = "blah blah:" ;
    $subject = "blah blah:";
    $message = " $todayis [EST] \n Attention: $attn \n File Uploaded:".basename( $_FILES['uploadedfile']['name'])." \n From: $semail ($semail)\n ";
    $from = "From: $semail\r\n";
    mail("myemail.com", $subject, $message, $from);
    $target_path = "uploads/";
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
    } else {
        echo "There was an error uploading the file, please try again!";
    }
    //added -----------------------
    require "index.php";
    ?>

I just need to make sure my server is secure with this uploaded file. Thanks, Paul

https://forums.phpfreaks.com/topic/89740-file-upload-security-need-to-check-file-type/
p2grace Posted February 6, 2008

You can use:

    $fileType = $_FILES['file']['type']; // will return the file type
Looktrne Posted February 6, 2008

OK, I tried to add this; what am I doing wrong?

    $target_path = "uploads/";
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
    $_FILES['uploadedfile']['tmp_name'];
    $fileType = $_FILES['uploadedfile'] ['type']; // will return the file type
    echo "The File Type Is:";$fileType;
    $target_path = "uploads/";
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
    }

It returns nothing?? Paul
p2grace Posted February 6, 2008

Your echo statement is wrong:

    // you have
    echo "The File Type Is:";$fileType;
    //should be
    echo "The File Type Is: $fileType";

Let me know if that works.
Looktrne Posted February 6, 2008

What an ass I am. Anyway, I changed it to

    echo "The File Type Is:".$fileType;

Now it runs. Another question: when I upload a .exe file I get application/x-dosexec. PHP files return .php application/x-php. INI files return .ini application/octet-stream. The second two file types I want to allow... If I add a statement like this:

    if ($fileType=="application/x-dosexec"){
        die("Invalid Php File Format");
        require "index.php";
    }

OK, this works, but it does not return me to the index.php page. How can I make this if / die return me to index.php after displaying the die message... Also, is this the only type of file I should block and be safe??/ Thanks for all your help, Paul
p2grace Posted February 6, 2008

Something like this might work better:

    if ($fileType=="application/x-dosexec"){
        // for error
        echo "<script type=\"text/javascript\">alert("Invalid PHP File Format");</script>";
        // you can redirect with javascript, or if the error is above the html you can redirect with a php header call. So it's this:
        echo "<script type=\"text/javascript\">alert("window.location = 'index.php'");</script>";
        // or this
        header("Location: index.php");
    }
Looktrne Posted February 6, 2008

Thanks for this code. I had to take out some of the quotes inside the echo and make them single quotes. It directs me back to the index.php, but I never see the alert??? How can I make sure I see the alert on the index.php page??

    if ($fileType=="application/x-dosexec"){
        // for error
        echo "<script type=\'text/javascript\'>alert('Invalid PHP File Format');</script>";
        // you can redirect with javascript, or if the error is above the html you can redirect with a php header call. So it's this:
        echo "<script type=\'text/javascript\'>alert('window.location = 'index.php'');</script>";
        // or this
        header("Location: index.php");
    }

Thanks for any ideas... I think the alert is being wiped out by the index.php page reloading. Paul
p2grace Posted February 6, 2008

Comment out the PHP redirect and let JavaScript do the redirect; that way it'll process the alert first.
Looktrne Posted February 6, 2008

The JavaScript way is not working; the PHP way works, but I can't send the warning. The form is in a file called index.php; the form action is done in uload.php. When I redirect to index.php, I cannot display my warning message. Can I transfer a variable back to index.php with my error message? I know I'm probably doing this all wrong, but just a thought. Paul
p2grace Posted February 6, 2008

Do you have JavaScript enabled?
Looktrne Posted February 6, 2008

Yea, I have JavaScript working with my browser. You don't mean on the server side? Paul
p2grace Posted February 6, 2008

Oh whoops, I had a syntax error. Try this:

    if ($fileType=="application/x-dosexec"){
        // for error
        echo "<script type=\"text/javascript\">alert(\"Invalid PHP File Format\");</script>";
        // you can redirect with javascript, or if the error is above the html you can redirect with a php header call. So it's this:
        echo "<script type=\"text/javascript\">alert(\"window.location = 'index.php'\");</script>";
        // or this
        header("Location: index.php");
    }
Looktrne Posted February 6, 2008

I tried it. The java window pops up with the error message, then another java window pops up with: window.location = 'index.php, but it does not redirect me to index.php?? I tried the header also; nothing brings me back to index.php. The code is inside uload.php; the form is inside index.php. Paul
p2grace Posted February 6, 2008

You tested it in Java? JavaScript is a completely different language than Java; Java wouldn't be able to interpret JavaScript. I just tested the code I gave you and it works. The PHP redirect probably doesn't work because you've already declared the header. Try putting this code at the top of your page and see what you get:

    error_reporting(E_ALL);
    ini_set('display_errors', 'On');

That should display any errors PHP has with the code. Thanks.
Looktrne Posted February 6, 2008

It's obvious I am missing something. I am attaching the two files... I stripped some code for security reasons. The index.php file is here:

    <BODY onLoad="document.forms.SI.semail.focus()">
    <table width="300" border="1" align="center" cellpadding="0" cellspacing="1" bgcolor="#0099FF" >
    <tbody><tr>
    <td>
    <form name="SI" enctype="multipart/form-data" action="uload.php" method="POST">
    <div align="center"><br />
    <span class="style5">Email To Send File To:</span><br />
    <input type="text" name="semail" size="33" /><br />
    <input type="hidden" name="MAX_FILE_SIZE" value="1000000" /> <br />
    <span class="style5">Choose a File :</span><br />
    <input name="uploadedfile" type="file" /> <br /> <br />
    <input type="submit" value=" Upload File" /> <br /></div>
    </form><br />
    </td>
    </tr>
    </tbody>
    </table>
    </body>
    </html>
    <? ?>

Next is uload.php:

    <?php
    $semail = $_POST['semail'];
    $attn = " Request:" ;
    $subject = "Request :";
    // $todayis is not set in the posted (stripped) code
    $message = " $todayis [EST] \n Attention: $attn \n File Uploaded:".basename( $_FILES['uploadedfile']['name'])." \n From: $semail ($semail)\n ";
    $from = "From: $semail\r\n";
    //check file
    $fileType = $_FILES['uploadedfile'] ['type']; // will return the file type
    echo "type is=".$fileType;
    //added exe check here..
    if ($fileType=="application/x-dosexec"){
        // for error
        echo "<script type=\"text/javascript\">alert(\"Invalid PHP File Format\");</script>";
        // you can redirect with javascript, or if the error is above the html you can redirect with a php header call. So it's this:
        echo "<script type=\"text/javascript\">alert(\"window.location = 'index.php'\");</script>";
        // or this
        header("Location: index.php");
        // I need this if statement to check for exe if so cancel upload and return to index.php it is not happening..
    }
    /// end check
    $target_path = "uploads/";
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
        mail("myemail.com", $subject, $message, $from);
        echo " Request Sent To Server:";
    } else {
        echo "There was an error uploading the file, please try again!";
    }
    require "index.php";
    ?>

So am I messing up royally or what? Paul
p2grace Posted February 6, 2008

The script never stops after processing the validation check. Try changing your check file code to this:

    //check file
    $fileType = $_FILES['uploadedfile'] ['type']; // will return the file type
    echo "type is=".$fileType;
    //added exe check here..
    if ($fileType=="application/x-dosexec"){
        // for error
        echo "<script type=\"text/javascript\">alert(\"Invalid PHP File Format\");</script>";
        // you can redirect with javascript, or if the error is above the html you can redirect with a php header call. So it's this:
        echo "<script type=\"text/javascript\">alert(\"window.location = 'index.php'\");</script>";
        // or this
        //header("Location: index.php");
        exit();
        // I need this if statement to check for exe if so cancel upload and return to index.php it is not happening..
    }
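The "transfer a variable back to index.php" that Looktrne asked about, and the stop-after-rejecting that p2grace's exit() provides, as an added example that is not code from either poster: the rejection message is parked in the session, uload.php redirects and exits, and index.php prints the message once. It assumes sessions work on the host and that session_start() runs before any output in both files; the function names are invented here.

```php
<?php
// Added example, not code from the thread. Carries the rejection message from
// uload.php back to index.php (where the form lives) through the session.
// Assumes session_start() is the first thing both files do, before any output.
session_start();

// Call from uload.php instead of the alert()/header() block.
function reject_upload_and_return($message, $backTo = 'index.php')
{
    $_SESSION['upload_error'] = $message;
    // header() only works while nothing has been sent to the browser yet; the
    // echo "type is=" line earlier in uload.php is enough to break it.
    header('Location: ' . $backTo);
    exit; // nothing below the check runs, so the file is never moved into uploads/
}

// Call from index.php above the form: returns the message once, HTML-escaped,
// then clears it so a page refresh does not show it again.
function take_upload_error()
{
    if (empty($_SESSION['upload_error'])) {
        return '';
    }
    $msg = $_SESSION['upload_error'];
    unset($_SESSION['upload_error']);
    return '<p class="style5">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}

// In uload.php:
//   if ($fileType == "application/x-dosexec") {
//       reject_upload_and_return('Invalid file: executables are not accepted');
//   }
// In index.php, inside the <div align="center"> before the e-mail field:
//   echo take_upload_error();
```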
phpSensei Posted February 6, 2008

    <input type="hidden" name="MAX_FILE_SIZE" value="1000000" />

Remove that bit; it will be a security problem for you. People can change the value of that to a massive number. Use $_FILES['file']['size'].
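A server-side version of the checks discussed in this thread (the file-type check from p2grace's first reply and the size check from phpSensei's post), as an added example that is not code from any of the posters. It assumes PHP 5.3 or later with the fileinfo and openssl extensions, and a storage directory outside the web root; `$_FILES[...]['type']` is the value the browser sent with the request, so the example sniffs the uploaded bytes instead.

```php
<?php
// Added example, not code from the thread. Server-side checks for the
// "uploadedfile" field of the form in this thread. Assumes PHP 5.3+ with the
// fileinfo and openssl extensions, and that $storeDir is outside the web root.
function validate_upload(array $file, $maxBytes = 1000000)
{
    // 1. PHP's own result code: missing file, partial upload, php.ini limits.
    $code = isset($file['error']) ? (int) $file['error'] : UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return 'Upload failed (PHP upload error code ' . $code . ')';
    }
    // 2. Size from $_FILES, on the server; the hidden MAX_FILE_SIZE field is
    //    only a hint that the browser sends and the user can edit.
    if ($file['size'] > $maxBytes) {
        return 'File is larger than ' . $maxBytes . ' bytes';
    }
    // 3. Extension allowlist on the original name (also chosen by the client).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, array('php', 'ini', 'txt'), true)) {
        return 'Only .php, .ini and .txt files are accepted';
    }
    // 4. Look at the bytes. $_FILES[...]['type'] is whatever the browser
    //    claimed, so sniff the temp file instead: a Windows executable is
    //    typically reported as application/x-dosexec, a PHP or INI file as
    //    text/x-php or text/plain.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (strpos($mime, 'text/') !== 0) {
        return 'Rejected: content detected as ' . $mime;
    }
    return null; // passed every check
}

function store_upload(array $file, $storeDir)
{
    // Never keep the client's filename. Generate one and end it in .txt so a
    // web server would serve it as text even if the directory were exposed.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.txt';
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0640); // readable by the app user only; not executable, not 777
    return $name;
}

// Usage in uload.php (replacing the bare move_uploaded_file call):
//   $err = validate_upload($_FILES['uploadedfile']);
//   if ($err !== null) { /* send the user back to index.php with $err */ }
//   $stored = store_upload($_FILES['uploadedfile'], '/srv/app/uploads');
```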
Looktrne Posted February 7, 2008

Even with the exit(); it is still not returning to the index.php page where the form is located... I emailed you a link to look at... Paul