PHP file upload


JoshK(Posted 2012) [#1]
There's this code in the archive:
http://www.blitzbasic.com/codearcs/codearcs.php?code=1932

But what would the PHP side look like? Does anyone know?


Thareh(Posted 2012) [#2]
<?php

if( $_FILES["update"]["name"] != "" )
{
    $Username = $_POST["username"];
    $Password = $_POST["password"];
    if( ($Username == "guest") && ($Password == "guest") )
    {
        move_uploaded_file( $_FILES["update"]["tmp_name"], "C:/" . $_FILES["update"]["name"] );
    }
}

?>


Something like that for a simple login with file move :)

Last edited 2012


JoshK(Posted 2012) [#3]
I get this error:
Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in index.php on line 9


Thareh(Posted 2012) [#4]
Updated it, try it now :)


JoshK(Posted 2012) [#5]
You just need to get rid of the "C:\" part and it works fine:
<?php

if( $_FILES["update"]["name"] != "" )
{
    $Username = $_POST["username"];
    $Password = $_POST["password"];
    if( ($Username == "guest") && ($Password == "guest") )
    {
        if (move_uploaded_file( $_FILES["update"]["tmp_name"], $_FILES["update"]["name"] ))
        {
            echo "SUCCESS";
        }
    }
}

?>


Obviously this script is an extreme security risk, because it allows uploading of PHP and other files! Is it sufficient to add a new file extension onto the file name, to prevent security problems?
if (move_uploaded_file( $_FILES["update"]["tmp_name"], $_FILES["update"]["name"]."r0" ))



Thareh(Posted 2012) [#6]
Yeah, I didn't have time to test it on my machine :)

Sure that would work, but I'd just define a path for the uploads to go:
if (move_uploaded_file( $_FILES["update"]["tmp_name"], "/uploads/" . $_FILES["update"]["name"] ))


and then create a file called ".htaccess" with the content:
deny from all


in that directory, and then they're untouchable from the webserver (the .htaccess file above is recursive, so make sure you create a new directory for the uploads so you don't deny access to other stuff :P).

Not sure this works with all webservers though, I'm using Apache :)

Last edited 2012
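Added example (editor's note, not part of Thareh's post): the "deny from all" one-liner above is Apache 2.2 syntax, and on Apache 2.4 it is only understood while mod_access_compat is loaded; the 2.4 form is "Require all denied". The snippet below shows the weak form next to a hardened server-config block for an uploads directory that sits inside the document root. The path /var/www/html/uploads is an assumption, and the php_flag line only applies when PHP runs as mod_php (with php-fpm it is an unknown directive and must be dropped).

```apache
# Added example, not from the thread. Assumes the uploads live in
# /var/www/html/uploads; put this in the vhost/main config rather than
# in .htaccess so it cannot be overridden by a later .htaccess upload.

# --- weak: the thread's one-liner (Apache 2.2 syntax) ---
# deny from all
# On 2.4 this needs mod_access_compat; if that module is absent the
# directive errors out and the directory stays readable.

# --- hardened: Apache 2.4 ---
<Directory "/var/www/html/uploads">
    # Nobody fetches the files over HTTP; if they must be served, a PHP
    # script outside this directory can readfile() them with a fixed
    # Content-Type.
    Require all denied

    # Belt and braces: even if access is re-enabled later, nothing in
    # here executes as PHP or CGI, and no directory listing is produced.
    php_flag engine off            # mod_php only; remove under php-fpm
    RemoveHandler .php .phtml .phar
    RemoveType    .php .phtml .phar
    Options -ExecCGI -Indexes

    # Stop an uploaded .htaccess from re-enabling any of the above.
    AllowOverride None
</Directory>
```

Whether the upload directory is inside or outside the web root, AllowOverride None for it is the important line: with .htaccess honoured, a user who can upload a file named ".htaccess" into that directory controls its configuration.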


JoshK(Posted 2012) [#7]
Lose the first slash, but yeah it works:
"uploads/"


Banshee(Posted 2012) [#8]
I'd suggest cleaning the upload name of . and / and \ symbols.
$_FILES["update"]["name"] = preg_replace ("/[\.\\\/]/", '', $_FILES["update"]["name"]);


Or remove all symbol characters completely
$_FILES["update"]["name"] = preg_replace("/[^0-9a-zA-Z]/", '', $_FILES["update"]["name"]);


You'll want to run it through pathinfo first to extract the filename suffix (eg .jpg .htm etc) for putting back on afterwards.

$path_parts = pathinfo( $_FILES["update"]["name"]);
$extension  = isset($path_parts['extension']) ? $path_parts['extension'] : '';
$filename   = $path_parts['filename'];   // name without the suffix
// strip everything except letters and digits from the name, then put the suffix back
// (the suffix itself is not filtered here; whitelist it separately)
$_FILES["update"]["name"] = preg_replace("/[^0-9a-zA-Z]/", '', $filename) . ($extension !== '' ? '.' . $extension : '');


This will help secure your upload script against filename based exploits.

Last edited 2012


Kev(Posted 2012) [#9]
I suggest looking on the php.net website at $_FILES; I imagine you want to know within PHP the file type, size and any errors that might happen during the upload. You may also want to head over to the PHP Security Consortium website for all your security concerns.