
please help with php upload script


wgordonw1


Hello world.

Figured I should say hello as this is my first time posting on this site.  Thanks for any recommendations in advance =)

 

Anyways, this is the first time I have ever used an upload script, so I was hoping someone would look at it and tell me if it is secure.  I have read through a few guides on upload scripts but I couldn't find one that went into detail on security.  The upload file will be coming from an upload page that has a drop down form with a few options that come from a mysql database.  The first few lines just make sure that people fill them in, because I want them to make sure they are uploading the correct file.  The filetype has three possible options: approach, beauty, or video.  And I only want people to be able to upload a jpeg picture or a flash video.  I set the size limit at 50mb for now and I figure I can adjust that later but the uploaded videos aren't going to be too terribly long.  I didn't check to make sure the file didn't contain a nested name like file.php.jpg because I am renaming the file at the end of the script.

 

I read the posting guidelines and I realize that it says not to post a full script unless it is short (I hope I don't piss anyone off on my first post).  That is ambiguous however, and I don't really think my script is too terribly long. 

 

Here goes:

[code]
<?php
// values chosen on the upload page (drop-downs filled from MySQL)
$state=$_POST['state'];
$county=$_POST['county'];
$city=$_POST['city'];
$board=$_POST['board'];
$face=$_POST['face'];
$filetype=$_POST['filetype'];
// $_FILES["file"]["type"] below is the MIME type the browser sent along with the upload
if ($state=="") {
	exit("You must select a state!");
} elseif ($county=="") {
	exit("You must select a county!");
} elseif ($city=="") {
	exit("You must select a city!");
} elseif ($board=="") {
	exit("You must select a board!");
} elseif ($face=="") {
	exit("You must select a face!");
} elseif ($filetype=="") {
	exit("You must select a file type!");
} elseif ($_FILES["file"]["size"]==0) {
	exit("You must select a file to upload!");
} elseif (($filetype=="approach" || $filetype=="beauty") && !($_FILES["file"]["type"]=="image/jpeg" || $_FILES["file"]["type"]=="image/pjpeg")) {
	exit("You must upload a jpeg image!");
} elseif ($filetype=="video" && $_FILES["file"]["type"]!="video/x-flv") {
	exit("You must upload a flash video!");
} elseif ($_FILES["file"]["size"]>52428800) {
	exit("Your file must be smaller than 50mb!");
} else {
	//set target path (board and face come straight from the form)
	$target_path = "multimedia/" . $board . "/" . $face . "/";
	//set new file name (the uploaded file's own name is never used)
	if ($filetype=="approach") {
		$new_file_name="a_".$face.".jpg";
	} elseif ($filetype=="beauty") {
		$new_file_name="b_".$face.".jpg";
	} elseif ($filetype=="video") {
		$new_file_name=$face.".flv";
	}
	//backup file or create directory
	if (is_dir($target_path)){
		if (file_exists($target_path.$new_file_name)) {
			rename($target_path.$new_file_name, $target_path.date('Y-m-d').time().$new_file_name);
		}
	} else {
		mkdir($target_path, 0700, true); //dirname, chmod permission, true sets the recursive flag
	}
	//create perm file
	move_uploaded_file($_FILES["file"]["tmp_name"], $target_path . $new_file_name);
	echo "You chose State: " . $state;
	echo "<br>You chose County: " . $county;
	echo "<br>You chose City: " . $city;
	echo "<br>You chose Board: " . $board;
	echo "<br>You chose Face: " . $face;
	echo "<br>Your File Type: " . $_FILES["file"]["type"];
	echo "<br>Your File Size: " . $_FILES["file"]["size"];
}
?>
[/code]

 

Thanks again =)

https://forums.phpfreaks.com/topic/93460-please-help-with-php-upload-script/
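For comparison, here is a hardened form of the same handler. This is an added example, not the poster's script and not something from this thread: it keeps the same form fields, size limit and naming scheme, but whitelists the values that end up in the filesystem path, decides the file type from the file's bytes instead of the browser-supplied MIME type, and stores uploads outside the document root. UPLOAD_ROOT, the whitelist pattern, the helper names and the CLI demo with constructed files are all assumptions made for illustration.

```php
<?php
// Added example, not the poster's script: a hardened form of the same upload
// handler. UPLOAD_ROOT, the whitelist pattern and helper names are assumptions.
declare(strict_types=1);
// Uploads live outside the document root, so nothing stored here can be
// executed by the web server no matter what it is called. Assumed path.
const UPLOAD_ROOT = '/var/www/uploads';
const MAX_BYTES   = 52428800;                    // 50 MiB, as in the original script

// Whitelist a form value that becomes part of a filesystem path. Testing only
// for "" lets "../../etc" or "x/evil" straight into the path.
function cleanToken(string $value, string $label): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value)) {
        throw new InvalidArgumentException("Invalid $label");
    }
    return $value;
}

// Decide the real type from the bytes. $_FILES['file']['type'] is whatever the
// browser (or attacker) claimed and is not evidence of anything.
function sniffType(string $path): ?string
{
    $head = file_get_contents($path, false, null, 0, 4);
    if ($head === false || strlen($head) < 4) {
        return null;
    }
    if (substr($head, 0, 3) === "\xFF\xD8\xFF") {           // JPEG SOI marker
        $info = @getimagesize($path);                         // must also parse as an image
        return ($info !== false && $info[2] === IMAGETYPE_JPEG) ? 'jpg' : null;
    }
    return $head === "FLV\x01" ? 'flv' : null;                // FLV signature, version 1
}

// $post and $file mirror $_POST and $_FILES['file']. $root and $mover exist only
// so the CLI demo can run on constructed files; a web request uses the defaults.
function handleUpload(array $post, array $file, string $root = UPLOAD_ROOT, ?callable $mover = null): string
{
    $mover = $mover ?? 'move_uploaded_file';                  // refuses paths that are not uploads
    foreach (['state', 'county', 'city', 'board', 'face', 'filetype'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k]) || $post[$k] === '') {
            throw new InvalidArgumentException("You must select a $k!");
        }
    }
    $board    = cleanToken($post['board'], 'board');
    $face     = cleanToken($post['face'], 'face');
    $filetype = $post['filetype'];
    if (!in_array($filetype, ['approach', 'beauty', 'video'], true)) {
        throw new InvalidArgumentException('You must select a valid file type!');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error ' . ($file['error'] ?? '?'));
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new InvalidArgumentException('Your file must be between 1 byte and 50mb!');
    }
    $expected = $filetype === 'video' ? 'flv' : 'jpg';
    if (sniffType($file['tmp_name']) !== $expected) {
        throw new InvalidArgumentException($expected === 'jpg'
            ? 'You must upload a jpeg image!' : 'You must upload a flash video!');
    }
    // The server chooses name and extension; the client's filename is never used.
    $prefix = ['approach' => 'a_', 'beauty' => 'b_', 'video' => ''][$filetype];
    $dir    = "$root/$board/$face";
    $dest   = "$dir/{$prefix}{$face}.{$expected}";
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Could not create target directory');
    }
    if (file_exists($dest)) {                                 // keep the old copy, as the original does
        rename($dest, "$dir/" . date('Y-m-d') . time() . '_' . basename($dest));
    }
    if (!$mover($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// CLI demo on constructed input; none of this is a real browser upload.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/upload-demo-' . getmypid();
    $tmp  = tempnam(sys_get_temp_dir(), 'up');
    $post = ['state' => 'TX', 'county' => 'Travis', 'city' => 'Austin',
             'board' => 'b12', 'face' => 'n', 'filetype' => 'video'];
    // 1. A file that really starts with an FLV header is accepted.
    file_put_contents($tmp, "FLV\x01\x05" . str_repeat("\0", 16));
    $file = ['name' => 'clip.flv', 'type' => 'video/x-flv', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => filesize($tmp)];
    echo 'stored:   ', handleUpload($post, $file, $root, 'rename'), PHP_EOL;
    // 2. PHP code uploaded as x.php.jpg with a forged image/jpeg type: rejected on content.
    file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");
    $bad = ['name' => 'x.php.jpg', 'type' => 'image/jpeg', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => filesize($tmp)];
    try {
        handleUpload(['filetype' => 'beauty'] + $post, $bad, $root, 'rename');
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
    // 3. Traversal in a drop-down value: rejected before any filesystem access.
    try {
        handleUpload(['board' => '../../etc'] + $post, $file, $root, 'rename');
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it as `php upload.php` to see the accept and the two rejections on the constructed files; in a real request the defaults route through move_uploaded_file() into UPLOAD_ROOT. The three changes that matter most over the original are the whitelist on $board and $face (they are used as directory names, so "" is not the only bad value), the content check in sniffType() (the MIME type in $_FILES is chosen by the client, so "image/jpeg" proves nothing), and the storage location (if the upload directory must stay under the document root, the web server additionally needs to be told not to execute anything in it).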

It looks pretty solid to me.  You probably won't find all that much on security around, as it is very specific to each application.  Every time you create an upload page for something, the circumstances are gonna be different.  All you gotta do is run a ton of checks, like you have, to look for every possible scenario.  I really suggest trying to "break" your code by trying to upload in ways it should reject you.  This is normally the most lengthy process, as the number of combinations is sometimes endless... but it never hurts to try to break your code.  If you find a hole, write some more script to patch it up.  Eventually you should feel confident that it's secure.

 

hope this helps  :)

Really, all you want to worry about is making SURE that they can't upload scripts and run them on your site.

 

So, just in case your script fails to filter out a .php file, a .php5 file or a .html file, add this to the page that comes after you complete the upload.

 


[code]
//clean upload area

//folder to upload to
$path = "uploaded/pictures";

//allowed filetypes (by extension); everything else gets deleted
$allowed = array("jpg", "jpeg", "gif");

foreach(glob($path . "/*") as $class_filename) {
	if (is_dir($class_filename)) {
		continue;
	}
	//compare the file's actual extension against the allowed list;
	//a substring match on the name would also keep something like shell.jpg.php
	$ext = strtolower(pathinfo($class_filename, PATHINFO_EXTENSION));
	if (!in_array($ext, $allowed, true)) {
		unlink($class_filename);
		echo $class_filename." has been deleted";
	}
}
[/code]
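The cleanup sweep above still leaves the uploaded files sitting under the web root, where a name the sweep misses is one request away from running. The stronger version of "make sure they can't run scripts" is to never let the upload directory be reachable by URL at all, and hand files out through a script. The following is an added example written for this page, not code from the thread; UPLOAD_ROOT, the query parameter names (board, face, kind) and the file naming scheme are assumptions, and the CLI part builds a throwaway directory so it can be run without a web server.

```php
<?php
// Added example, not code from the thread: serve stored uploads from a directory
// OUTSIDE the document root, so the upload area is never reachable by URL and a
// smuggled .php file has no way to execute. UPLOAD_ROOT, the query parameter
// names and the name scheme are assumed.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/uploads';                       // assumed; not web-accessible
const SERVE_TYPES = ['jpg' => 'image/jpeg', 'flv' => 'video/x-flv'];

// Map (board, face, kind) to a file under $root, or null. Each path component
// is whitelisted and the resolved path must still start with the resolved root,
// so "..", symlinks and odd encodings cannot reach anything else.
function resolveUpload(string $board, string $face, string $kind, string $root = UPLOAD_ROOT): ?array
{
    foreach ([$board, $face] as $part) {
        if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $part)) {
            return null;
        }
    }
    $names = ['approach' => "a_$face.jpg", 'beauty' => "b_$face.jpg", 'video' => "$face.flv"];
    if (!isset($names[$kind])) {
        return null;
    }
    $rootReal = realpath($root);
    $path     = realpath("$root/$board/$face/" . $names[$kind]);
    if ($rootReal === false || $path === false || strpos($path, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(SERVE_TYPES[$ext]) ? ['path' => $path, 'mime' => SERVE_TYPES[$ext]] : null;
}

// Response headers, kept apart from output so they can be inspected offline.
function uploadHeaders(array $res): array
{
    return [
        'Content-Type: ' . $res['mime'],
        'Content-Length: ' . filesize($res['path']),
        'Content-Disposition: inline; filename="' . basename($res['path']) . '"',
        'X-Content-Type-Options: nosniff',        // no sniffing of a polyglot file into HTML
        'Content-Security-Policy: sandbox',       // if opened directly, it gets no origin and no script
    ];
}

// A query parameter as a string; arrays (board[]=x) become "" and fail the whitelist.
function param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

if (PHP_SAPI !== 'cli') {                         // real request: ?board=..&face=..&kind=..
    $res = resolveUpload(param('board'), param('face'), param('kind'));
    if ($res === null) {
        http_response_code(404);
        exit;
    }
    foreach (uploadHeaders($res) as $h) {
        header($h);
    }
    readfile($res['path']);
    exit;
}

// CLI demo on a constructed tree: one real clip and one smuggled script.
$root = sys_get_temp_dir() . '/serve-demo-' . getmypid();
mkdir("$root/b12/n", 0750, true);
file_put_contents("$root/b12/n/n.flv", "FLV\x01");
file_put_contents("$root/b12/n/n.php", "<?php echo 'never served';");
var_dump(resolveUpload('b12', 'n', 'video', $root));      // the stored clip
var_dump(resolveUpload('b12', 'n', 'approach', $root));   // nothing named a_n.jpg was stored
var_dump(resolveUpload('../b12', 'n', 'video', $root));   // traversal attempt in the board value
var_dump(uploadHeaders(resolveUpload('b12', 'n', 'video', $root)));
```

The n.php file in the demo tree is unreachable by construction: resolveUpload() only ever builds the two names the upload script would have written, and the realpath() prefix check means even a symlink planted inside the directory cannot point the script elsewhere. Because the browser never sees the storage path, it also makes no difference what a file was called when it was uploaded.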
