Re: Image upload php script.

Posted by Schraalhans Keukenmeester on 06/11/07 07:28

At Mon, 11 Jun 2007 05:02:40 +0000, Bob let h(is|er) monkeys type:

> Hello everyone !!!
> I have a very neat script to download files to the server, the problem is
> that it uploads all kinds of files, txt, exe, zip,
> you name it. I have been trying to add some code but still can't get it to
> work. What I would like the script to do is only to allow the jpg, jpeg,
> bmp, gif files to be downloaded. Can anyone give me a hand?
> Thanks in Advance, Bob.
> This is the script. >>>>>>>>>>>>>>>>>>>>>
> <form name="upload" enctype="multipart/form-data" method="post" action="">
> <input type="file" name="file" />
> <br /><input type="submit" name="submit" value="Upload" />
>
> <?php
>
> if(isset($_POST['submit'])) {
>
> $dir = "files/"; //Upload directory
> $error = ""; //Setting a false error
> $address = "http://".$_SERVER['HTTP_HOST']."/"; //Getting the web address
> $file_name = $_FILES['file']['name']; //Getting the file name
> $file_type = $_FILES['file']['type']; //Getting the file type
> $file_size = "".$_FILES['file']['size']." bytes"; //Getting the file size
> $file_tmp = $_FILES['file']['tmp_name']; //Setting the temporary name
> $file_address = $address.$dir.$file_name; //URL of file
>
> if(file_exists($dir.$file_name)) {
> $error = "<br />Error: A file with the same name already exists!";
> }
>
> else {
> @copy ($file_tmp, $dir.$file_name) or ($error="<br />Error: File could not be copied!");
> }
>
> if($error != "") {
> echo $error;
> }
>
> else {
> echo "<br />File successfully uploaded!\n";
> echo "<br />Name: ".$file_name."\n";
> echo "<br />Size: ".$file_size."\n";
> echo "<br />Type: ".$file_type."\n";
> echo "<br />URL: ".$file_address."";
> }
> }
> ?>

You'll have to test for extension first, and then assert what's sent
actually is what it claims to be. A safe way would be to apply the
appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
gd library.

There are scripts that 'simply' check exif data, or gif headers and such
to assert valid pictures are sent, but it's not foolproof, in fact it's
quite easy to abuse an image container to send any data to the server.

Additionally, to have some prevention before the form is submitted, a
little javascript could check for the proper extension in the form page.
But you can never rely on that test.

Does that help in any way?
--
Schraalhans Keukenmeester - schraalhans@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]
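
An added example, not part of the thread and not written by either poster: one way to carry out the two steps described in the reply above (extension check first, then decoding with the gd imagecreatefrom* functions). It goes one step further than the reply by re-encoding the decoded image and storing it under a server-generated name. The function name store_uploaded_image is hypothetical, and BMP support in gd assumes PHP 7.2 or later.

```php
<?php
// Added example, not from the thread. store_uploaded_image() is a
// hypothetical name; 'files/' is the upload directory from the question.

// Allowed extension => [gd decoder, gd encoder, extension to store under].
const IMAGE_TYPES = [
    'jpg'  => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
    'jpeg' => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
    'gif'  => ['imagecreatefromgif',  'imagegif',  'gif'],
    'bmp'  => ['imagecreatefrombmp',  'imagebmp',  'bmp'], // needs PHP 7.2+
];

/** Returns the stored file name, or null if the upload is rejected. */
function store_uploaded_image(array $upload, string $dir = 'files/'): ?string
{
    // Accept only a file PHP itself received via HTTP POST, without errors.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }

    // Step 1: extension allowlist. Cheap filter only; the name is client-supplied.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext])) {
        return null;
    }
    [$decode, $encode, $storeExt] = IMAGE_TYPES[$ext];

    // Step 2: the content must actually decode as the claimed format.
    $image = @$decode($upload['tmp_name']);
    if ($image === false) {
        return null;
    }

    // Re-encode so only pixel data is written, under a server-generated name;
    // the client's file name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $storeExt;
    return $encode($image, $dir . $name) ? $name : null;
}

if (isset($_FILES['file'])) {
    $stored = store_uploaded_image($_FILES['file']);
    echo $stored === null ? 'Upload rejected.' : 'Stored as ' . htmlspecialchars($stored);
}
```

Re-encoding through gd keeps only the first frame of an animated GIF and discards metadata such as EXIF.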

"strcmp('apples','oranges') < 0"

 
