Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
  1. #1
    New to the CF scene
    Join Date
    Feb 2007
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Safe and Secure File Uploader function

    I am developing a method which will take a posted file, perform a series of checks and then write the file to the server (Linux) if it passes all of the checks.

    Currently I perform the following checks:
    • Check to make sure the filesize is not too big
      Check the files extension


    Not quite sure what else to put. I have a very fast server so it okay if it performs a lot of checks. better safe than sorry. I was going to check the mime type but my server does not have that extension installed. I was also thinking of using the is_file() function to make sure a proper file is uploaded and the is_executable() function to make sure that no executable files are uploaded (Currently I am only uploading images).

    I'd like to make my upload function very robust so I am sure that their are other checks which need to be performed. Also I have heard that apache can also report errors on file uploads. Though I am not sure how to do this.

  • #2
    ess
    ess is offline
    Regular Coder
    Join Date
    Oct 2006
    Location
    United Kingdom
    Posts
    866
    Thanks
    7
    Thanked 30 Times in 29 Posts
    This is what I use for uploading images on my website and it seems to work just fine..

    PHP Code:
    // include all allowed mime types here
    $allowed = array( 
            
    'image/pjpeg' => 'jpg',
            
    'image/jpeg' => 'jpg',
            
    'image/gif' => 'gif',
            
    'image/bmp' => 'bmp',
            
    'image/x-png' => 'png'
                
    );
    // check that uploaded type is allowed.
    if( !array_key_exists$_FILES['filename']['type'], $allowed ) ) {
    echo 
    "ERROR....FILE NOT ALLOWED" ;
    } else {
    echo 
    "File type is allowed";

    I also check that the file size is not zero (or below zero for that matter ) or higher than a given size.

    Further, I use chmod , to control the file properties once it has been uploaded to the server. Personally, I make it only readable, not executable and not writeable.

    As for Apache reporting errors...I have not encountered any and I don't think it is Apache that would be throwing any errors...since PHP is the process that handles file uploads in this case. However, I encourage you to check on this.

    Cheers,
    Ess


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •