Validating Upload Script
Hi folks :)
I have just written a file upload script, used for uploading HTML pages to my client's server, and need a little hand with validation if possible?
How do you check that the uploaded file is in '.html' format, using the example below?
// This is our limit file type condition
if ($uploaded_type == "text/php")
    echo "No PHP files<br>";
How do I check that the file is named correctly?
I need the file to be named like so: AV1, AV2 (needs to have 'AV' then a number).
Any help would be greatly appreciated :)
Well, I think the best way to go about it would be to store the content in a MySQL table. Then use mod_rewrite (.htaccess) to display the contents.
That way, even if the file does contain PHP, it'll be displayed unparsed, just like if you were viewing it from the desktop.
It also means that you can use whatever naming scheme you like, you can use REGEX to grab the number after AV and use it as the ID of the file in the table.
Just check the extension of the file. As long as your server is not set to parse html files as php, and you are not including it from a php script the code would not be executed.
If you are including the file into a php file, you can just parse it, stripping the php code.
Hi guys, thanks for the replies :)
What function do I use to check the extension?
Well, it depends on how thorough a check you want to do.
Since you mentioned that it's HTML files you want to allow your users to upload, I assume you have a set file limit of a few Kb. If that is the case then you do not really need to worry about the file content, other than how it should be displayed (depends on your site and why you're allowing HTML files to be uploaded). Even if a gif image is uploaded with an html extension, it would not really matter other than it would ruin the user's page, because the size of the file is small.
So in general you can make sure the file is below the Kb limit (perhaps 20Kb or something), if it is below just check the extension provided from the user ($_FILES['inputfilename']['name']). Now keep in mind that this extension can be altered by the user, so it is not "trustworthy".
Now, if you just want your members to customize one of their own pages, then you actually do not need to worry too much about what you're displaying. Just make sure the code is not executed as php; even if a php file is uploaded you could change the extension and suddenly it would be displayed in clear text instead of being executed.
Again, I can't stress this enough. Depending on how you use this html data, the above solution might be enough in your case. Since we have limited information about how it's used, it's very difficult to be certain. You will need to explain more about how it's used or make the call on your own.
Also, I would be worried about cross site scripting (XSS) if I had been allowing my users to upload an html page. This one is almost impossible to address when you allow html code.
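Added example, not part of any post in this thread: one way to combine the checks discussed above (a size cap, the AV-plus-number naming rule from the question, and not trusting the name or type sent by the browser). The function names, UPLOAD_DIR and the use of the fileinfo extension are assumptions; the field name and the 20 KB figure come from the last reply.

```php
<?php
// Added example, not code from the thread; av_filename(), store_av_upload(), UPLOAD_DIR are hypothetical.
const MAX_BYTES  = 20 * 1024;              // "perhaps 20Kb" from the reply above
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed; PHP must not be executed here

// Returns a canonical "AV<number>.html" name, or null if the name is not allowed.
function av_filename(string $clientName): ?string
{
    // basename() drops any directory part; \A...\z anchors the whole string.
    if (preg_match('/\AAV([0-9]+)\.html\z/', basename($clientName), $m) !== 1) {
        return null;
    }
    return 'AV' . $m[1] . '.html';         // rebuilt from the match, not the raw input
}

function store_av_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File is larger than 20 KB');
    }
    $name = av_filename((string) $file['name']);
    if ($name === null) {
        throw new RuntimeException('File must be named AV<number>.html');
    }
    // $file['type'] is sent by the browser, so inspect the content instead (needs fileinfo).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['text/html', 'text/plain'], true)) {
        throw new RuntimeException('Content is not HTML or plain text');
    }
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the file');
    }
    return $name;
}

if (isset($_FILES['inputfilename'])) {     // field name as used in the thread
    try {
        echo 'Stored ' . store_av_upload($_FILES['inputfilename']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
} elseif (PHP_SAPI === 'cli') {            // constructed sample names
    foreach (['AV1.html', 'AV1.php', 'AV1.php.html', '../AV3.html'] as $n) {
        printf("%-13s => %s\n", $n, av_filename($n) ?? 'rejected');
    }
}
```

Uploaded HTML that passes these checks can still contain script, so the XSS concern in the last reply is not addressed by this validation.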