
Restricting files from Image Hoster Script


UrbanTwitch
03-27-2008, 10:25 PM
Anyone know how to add simple restrictions to uploading files by this script? Like restrict all types of files 'cept image files? I'm sure there is a way.

<?php
/*************************************************
* Micro Upload
*
* Version: 0.1
* Date: 2006-10-27
*
* Usage:
* Set the uploadLocation variable to the directory
* where you want to store the uploaded files.
* Use the version which is relevant to your server OS.
*
****************************************************/

//Unix, Linux way
$uploadLocation = "/home/jsfdan/public_html/files/";
//Windows way
//$uploadLocation = "\tmp";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>MicroPing domain status checker</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />

<style>
input.button {
font: bold 12px Arial, Sans-serif;
height: 28px;
margin: 0;
padding: 2px 3px;
color: #fff;
background: #306bc1 url(http://sodadome.com/images/button-bg.jpg) repeat-x 0 0;
border: 1px solid #306bc1;
}
</style>
</head>
<body>
<div id="main">
<div id="caption">UPLOAD FILE</div>
<div id="icon">&nbsp;</div>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post" name="fileForm" id="fileForm" enctype="multipart/form-data">
File to upload:<center>
<table>
<tr><td><input name="upfile" type="file" size="36"></td></tr>
<tr><td align="center"><br/><input class="button" type="submit" name="submitBtn" value="Upload"></td></tr>
</table></center>
</form>
<?php
if (isset($_POST['submitBtn'])){

?>
<div id="caption">RESULT</div>
<div id="icon2">&nbsp;</div>
<div id="result">
<table width="100%">
<?php

$file_name = basename($_FILES['upfile']['name']);
$target_path = $uploadLocation . $file_name;

if (move_uploaded_file($_FILES['upfile']['tmp_name'], $target_path)) {
// The file name is client-supplied: escape it before echoing it into HTML and URLs
$name_html = htmlspecialchars($file_name, ENT_QUOTES);
$file_url = htmlspecialchars("http://sodadome.com/files/" . rawurlencode($file_name), ENT_QUOTES);
echo "The file: <b>" . $name_html .
"</b> has been uploaded!<br /><br /><b>Direct Link:</b> <a href=\"" . $file_url . "\">" . $file_url . "</a> <br /><center><img src=\"" . $file_url . "\" border=\"0\"></center>";
}

?>
</table>
</div>
<?php
}
?>
</div>
</body>
</html>

Fumigator
03-27-2008, 10:38 PM
The following link contains a link to a PDF file titled "Secure File Upload in PHP Web Applications", which is an in-depth look at securing PHP file uploads (namely, restricting uploads to images only).

http://www.scanit.be/projects.html

UrbanTwitch
03-27-2008, 11:32 PM
I read over it. It's PERL as well as some other stuff I really can't do. I tried. Anyone else?

Fumigator
03-28-2008, 12:36 AM
Your code is PERL or the article I linked to is PERL? Cuz it's not PERL, it's PHP. It shows some PERL code that demonstrates how hackers can trick your PHP script into thinking a non-image file is an image. I suspect you didn't really read the article but just looked at the code samples. Oh well... it's a really good primer for those of you out there who want to secure your uploads. Warning, you have to actually read it. :rolleyes:
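
One way to restrict the script posted above to images, as an added example that is not part of the original thread and not taken from the linked paper. The function name store_image_upload, the 2 MB limit and the GIF/JPEG/PNG allowlist are assumptions; the directory and URL are the ones from the posted script.

```php
<?php
// Added example. Directory taken from the posted script; limits are assumed.
$uploadLocation = "/home/jsfdan/public_html/files/";

// Allowlist: image type detected from the file's bytes => extension we assign.
const ALLOWED_IMAGES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit (2 MB)

// Returns the stored file name on success, or null if the upload is rejected.
function store_image_upload(array $file, string $dir): ?string
{
    // Reject failed, multi-file, empty or oversized uploads.
    if (!isset($file['error']) || is_array($file['error'])) return null;
    if ($file['error'] !== UPLOAD_ERR_OK) return null;
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;

    // $file['type'] and $file['name'] are sent by the client and can claim
    // anything, so the type is decided from the file content instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGES[$info[2]])) return null;

    // getimagesize() only reads the image header, so a file that passes can
    // still carry other data. The name and extension are therefore chosen
    // here; nothing from the client-supplied name reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) return null;
    return $name;
}

if (isset($_POST['submitBtn'], $_FILES['upfile'])) {
    $stored = store_image_upload($_FILES['upfile'], $uploadLocation);
    if ($stored === null) {
        echo "Only GIF, JPEG and PNG images up to 2 MB are accepted.";
    } else {
        // $stored is hex digits plus a fixed extension, safe to echo as is.
        $url = "http://sodadome.com/files/" . $stored;
        echo "Uploaded: <a href=\"$url\">$url</a>";
    }
}
```

The upload directory should also be configured so the web server never executes scripts from it, which limits the damage if a check is ever bypassed.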