Thread: Basic File Upload issue
-
Jun 11, 2007, 09:16 #1
Basic File Upload issue
Hi, I use the following code to upload a 13k JPG image to the server.
The script runs successfully; the problem is that the uploaded file is not in the server's 'attachment' folder.
Note: The attachment folder is located at /public_html/attachment
PHP Code:
<?php
// Outer parentheses added so the size limit applies to both image types
// (without them && binds tighter than ||, so the size check only covered image/pjpeg).
if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 20000)) {
    if ($_FILES["file"]["error"] > 0) {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    } else {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
        /*if (file_exists("upload/" . $_FILES["file"]["name"])) {
            echo $_FILES["file"]["name"] . " already exists. ";
        } else { */
        // Source path as posted: tmp_name with the original name appended (the bug this thread is about).
        move_uploaded_file($_FILES["file"]["tmp_name"] . $_FILES["file"]["name"], "attachments/" . $_FILES["file"]["name"]);
        echo "Stored in: " . "attachments/" . $_FILES["file"]["name"];
        //}
    }
} else {
    echo "Invalid file";
}
?>
-
Jun 11, 2007, 09:42 #2
Last edited by Servyces; Jun 13, 2007 at 10:27.
-
Jun 11, 2007, 10:09 #3
Hi, Servyces, thank you for the reply.
I put in this code.
PHP Code:
move_uploaded_file($_FILES["file"]["tmp_name"] . $_FILES["file"]["name"], "public_html/attachments/" . $_FILES["file"]["name"]);
* I use FileZilla for FTP.
-
Jun 11, 2007, 12:55 #4
Did you get what Servyces meant, afridy?
If
The attachment folder is located at /public_html/attachment
then
"public_html/attachments/" will not work. See the extra "s"...?
I didn't thoroughly check your code though...
Was that just it?
Good luck
-
Jun 11, 2007, 13:08 #5
$_FILES["file"]["tmp_name"]. $_FILES["file"]["name"]
This is most decidedly not where your uploaded file is. Had you been checking the return code from move_uploaded_file (a good thing to do when something isn't working, I would think...), you would find it returning FALSE. Had you turned on error reporting (also a good thing to do when something isn't working...), you would see an error to the effect of:
"Unable to open stream: cannot find file /tmp/blah.tmpmyuploadedfile.jpg"
(Where $_FILES["file"]["tmp_name"] is "/tmp/blah.tmp" and $_FILES["file"]["name"] is "myuploadedfile.jpg")
$_FILES['file']['tmp_name'] contains the full path to the temporary file - you do not need to append anything to get to your file. In fact, appending anything will cause you to fail to locate your file in 100% of cases.
Also, very bad to trust the user's supplied filename. What if I upload the file "../../etc/passwd"? Suddenly your script has just overwritten your server's passwd file with my file, and done it quite happily, too! At worst, you must validate the supplied filename to prevent such occurrences; at best, you should ignore the user's supplied filename and generate your own.
-
Jun 11, 2007, 20:40 #6
-
Jun 11, 2007, 20:41 #7
-
Jun 12, 2007, 00:02 #8
Kromey, yes, you got the point. Working!!!
As you said:
$_FILES['file']['tmp_name'] contains the full path to the temporary file - you do not need to append anything to get to your file. In fact, appending anything will cause you to fail to locate your file in 100% of cases.
Also the path should be "../attachments/" and not "public_html....
Following is my new code.
PHP Code:
<?php
// Outer parentheses added so the size limit applies to both image types
// (without them && binds tighter than ||, so the size check only covered image/pjpeg).
if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 20000)) {
    if ($_FILES["file"]["error"] > 0) {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    } else {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
        /*if (file_exists("upload/" . $_FILES["file"]["name"])) {
            echo $_FILES["file"]["name"] . " already exists. ";
        } else { */
        // tmp_name is used on its own now, and the return value is checked.
        if (move_uploaded_file($_FILES["file"]["tmp_name"], "../attachments/" . $_FILES["file"]["name"])) {
            echo "Successfully Moved";
        } else {
            echo "Unable to move the file";
        }
        //echo "Stored in: " . "public_html/attachments/" . $_FILES["file"]["name"];
        //}
    }
} else {
    echo "Invalid file";
}
?>
Last edited by afridy; Jun 12, 2007 at 05:21.
-
Jun 12, 2007, 10:24 #9
I'm still going to stubbornly persist that you should not use $_FILES["file"]["name"] as the filename for the new file, at least not without some intensive validation. As-is, you are allowing any little script kiddie the ability to overwrite nearly any file on your server with whatever they want. Maybe it's just me, but I don't think this is A Good Thing.
Also, you're validating the file based upon the user-supplied file type ($_FILES["file"]["type"] comes from the browser and is not in any way verified by PHP or anything else on the server). This greatly exacerbates the security hole you've created by allowing me to choose the filename my file will be stored as - not only can I choose the filename and file location, but I can literally upload anything I want. Some of the things this makes possible include overwriting Apache's httpd.conf; replacing your system's /etc/passwd file, locking you out of your own server while allowing the script kiddie full access; replacing otherwise innocuous files (e.g. /bin/ls) with arbitrary binaries which would be executed with your permissions and not the (hopefully) limited permissions of Apache.
The fix is simple: replace the check against $_FILES["file"]["type"] with one against the file's extension (this will serve double-duty in forbidding things like virus.exe and slightly mitigating the flaw in using $_FILES["file"]["name"]). Once that passes, add another check using getimagesize, verifying that the image type is what you expect (and that the file is indeed an image!).
Then, do not use $_FILES["file"]["name"] to store the file, at least not without validating it first. See realpath, pathinfo, dirname, and basename to get you started. Best would be to generate a new filename, that way you know beyond a shadow of a doubt that you're not allowing any script kiddie to overwrite any of your files.
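Putting the advice from posts #5 and #9 together, here is an added example (my code, not anything afridy or Kromey posted) of the upload handler rewritten the way those posts describe: check PHP's error code, use tmp_name as-is, check the return value of move_uploaded_file, whitelist the extension (pathinfo is the function that extracts it), verify the bytes with getimagesize instead of trusting the browser's type, and store under a server-generated name. It assumes PHP 7.4 or newer, a form field named "file", and an attachments directory one level above the script, as in the thread.

```php
<?php
// Added example, not code from the thread. Hardened version of the upload
// handler discussed above. Assumptions: form field "file", PHP 7.4 or newer,
// and the attachments directory one level above the script, as in the thread.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 20000; // same limit the original script used

// Extension whitelist, each mapped to the IMAGETYPE_* value getimagesize() must report.
const ALLOWED_IMAGE_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
];

/**
 * Validate one entry of $_FILES and store it under a server-generated name.
 * Returns the stored path on success, or a string beginning with "error:".
 */
function store_uploaded_image(array $file, string $targetDir): string
{
    // 1. PHP's own error code is the first thing to check.
    $code = (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    if ($code !== UPLOAD_ERR_OK) {
        return 'error: upload failed with code ' . $code;
    }
    // 2. Size limit (the content check below is what actually decides the type).
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return 'error: file larger than ' . MAX_UPLOAD_BYTES . ' bytes';
    }
    // 3. Extension check on the browser-supplied name. It only chooses the
    //    extension of the stored file; the supplied name itself is never used.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return 'error: extension not allowed';
    }
    // 4. Refuse anything that did not arrive through an HTTP upload, then inspect
    //    the bytes instead of trusting $_FILES["file"]["type"].
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return 'error: content does not match the claimed image type';
    }
    // 5. Generate the filename ourselves: nothing user-controlled ends up in the path.
    $dest = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 6. tmp_name is already the full path of the temporary file, and the return
    //    value of move_uploaded_file() is checked instead of assumed.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not move the file into ' . $targetDir;
    }
    return $dest;
}

if (!empty($_FILES['file'])) {
    echo htmlspecialchars(
        store_uploaded_image($_FILES['file'], __DIR__ . '/../attachments'),
        ENT_QUOTES,
        'UTF-8'
    ), "<br />";
}
```

Because the stored name is generated, the user-supplied name never reaches the filesystem at all, so the "../" problem from post #5 cannot arise; the extension whitelist plus getimagesize covers the "upload anything I want" problem from post #9. If you need to keep the original name for display, store it separately (in a database column, HTML-escaped on output) rather than using it as the path.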
-
Jun 12, 2007, 10:57 #10
Kromey, these are awesome tips. OK, I have a few issues.
As in the script I upload the file to the "../attachments" folder, so how could one put the file outside "../attachments" unless he altered the PHP script, which he could not? (Because he doesn't know the password.)
-
Jun 12, 2007, 11:16 #11
It's very simple. Consider what would happen if the contents of $_FILES['file']['name'] are "../../etc/passwd". This means that your full path becomes "../attachments/../../etc/passwd"; if attachments is 2 directories deep in your file structure, then you've just let me overwrite /etc/passwd!
Or consider if the name I supply is "/etc/passwd". The path would become "../attachments//etc/passwd", which may be interpreted as "/etc/passwd" (this one's been inconsistent in my testing - not sure if it's kernel version or shell or what that affects it, but safest to assume you're at risk for it!).
Neither of these require doing anything to alter the PHP file - all it requires is manipulating the data that I'm sending to your server, data which you are treating as trustworthy and safe and which is in fact neither.
Literally everything in $_FILES (except $_FILES['file']['error'] and $_FILES['file']['tmp_name']) is supplied by the user. This means that someone who knows what they're doing, or some script kiddie with the right software, can provide anything they want. This puts the examples I gave above within unbelievably easy reach.
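To make the point in post #11 concrete, here is an added example (my code, not from the thread) that resolves "../attachments/" . $name as a string for the names discussed above and shows the check a script should apply when it must keep a user-supplied name. The directory /www/attachments is a constructed path, chosen to be two directories deep as in the post; the four filenames are constructed inputs.

```php
<?php
// Added example, not code from the thread. Shows where $dir . '/' . $name actually
// points for the names discussed above, and the check a script can apply before it
// touches the filesystem. /www/attachments is a constructed directory, two levels deep.
declare(strict_types=1);

/**
 * Collapse "." and ".." segments purely as a string, so the result can be inspected
 * before anything is written (realpath() needs the file to exist already).
 */
function normalize_path(string $path): string
{
    $absolute = $path !== '' && $path[0] === '/';
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

/** The path the original script would have handed to move_uploaded_file(). */
function resolve_target(string $dir, string $name): string
{
    return normalize_path($dir . '/' . $name);
}

/** True only if the resolved path lies strictly inside $dir. */
function is_inside(string $dir, string $target): bool
{
    $base = rtrim(normalize_path($dir), '/') . '/';
    return strpos(normalize_path($target), $base) === 0;
}

/**
 * If the user-supplied name must be kept: reject (do not "clean") any name that
 * contains a path separator or NUL byte, or that consists only of dots.
 * Returns the name unchanged when acceptable, null otherwise.
 */
function safe_filename(string $name): ?string
{
    if ($name === '' || strlen($name) > 255) {
        return null;
    }
    if (preg_match('#[/\\\\\x00]#', $name) === 1 || $name === '.' || $name === '..') {
        return null;
    }
    return $name;
}

$dir = '/www/attachments';
$names = ['photo.jpg', '../../etc/passwd', '/etc/passwd', 'sub/photo.jpg']; // constructed inputs
foreach ($names as $name) {
    $target = resolve_target($dir, $name);
    printf("%-18s -> %-28s inside: %-3s accepted: %s\n",
        $name, $target,
        is_inside($dir, $target) ? 'yes' : 'no',
        safe_filename($name) === null ? 'no' : 'yes');
}
```

Run from the command line, the "../../etc/passwd" row resolves to /etc/passwd and fails the is_inside check, which is exactly the case described in the post. String-wise the "/etc/passwd" row lands inside the directory (a doubled slash is not a root reset in a POSIX path), but safe_filename rejects it anyway because it contains a separator, so the script does not have to care how a particular platform treats that case. Rejecting rather than stripping separators is deliberate: a name a browser sends for a real upload never contains one.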
-
Jun 12, 2007, 11:54 #12
First of all, sorry for the slight delay, as I had to concentrate on another issue.
Yes, Kromey, I understand the real security issue. Thank you so much for pointing out this threat.
So you recommend that I check the extensions of the files instead of $_FILES['file']['type']. OK, I will fix this matter now. I have to use a string manipulation function.
So I will fix this issue and come to the next point, probably a little later.
Bye for now...
-
Jun 12, 2007, 12:14 #13
Hi Kromey,
My native programming language is VB6. I am just 6 months old to PHP.
Please help me to trim the extension part from a filename.
I mean, what function, and what will the code look like?
-
Jun 12, 2007, 12:19 #14
Hi Kromey,
I think it should be rtrim(string, char). Am I correct?
-
Jun 12, 2007, 12:22 #15
-
Jun 12, 2007, 12:29 #16
Yes Kromey, it did the trick.
Off Topic:
How do I rate helpful posts or give them reputation on SitePoint?
-
Jun 12, 2007, 12:37 #17