  1. #1
    SitePoint Guru adammc

    Question Validating Upload Script

    Hi folks

    I have just written a file upload script, used for uploading html pages to my client's server, and need a little hand with validation if possible?

    How do you check that the uploaded file is in '.html' format, using the example below?

    //This is our limit file type condition
    if ($uploaded_type =="text/php")
    {
    echo "No PHP files<br>";
    $ok=0;
    }

    How do I check that the file is named correctly?
    I need the file to be named like so: AV1, AV2 (needs to have 'AV' then a numerical number).

    Any help would be greatly appreciated

  2. #2
    Theoretical Physics Student Jake Arkinstall

    Well, I think the best way to go around it would be to store the content in a MySQL table. Then use mod_rewrite (.htaccess) to display the contents.
    That way, even if the file does contain PHP, it'll be displayed unparsed, just like if you were viewing it from the desktop.

    It also means that you can use whatever naming scheme you like; you can use REGEX to grab the number after AV and use it as the ID of the file in the table.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona

  3. #3
    SitePoint Wizard TheRedDevil

    Just check the extension of the file. As long as your server is not set to parse html files as php, and you are not including it from a php script, the code would not be executed.

    If you are including the file into a php file, you can just parse it, stripping the php code.

  4. #4
    SitePoint Guru adammc

    Hi guys, thanks for the replies

    TheRedDevil,
    What function do I use to check the extension?

  5. #5
    SitePoint Wizard TheRedDevil

    Well, it depends on how thorough a check you want to do.

    Since you mentioned that it's html files you want to allow your users to upload, I assume you have a set file limit of a few Kb. If that is the case then you do not really need to worry about the file content, other than how it should be displayed (depends on your site and why you're allowing html files to be uploaded). Even if a gif image is uploaded with a html extension, it would not really matter other than it would ruin the user's page, since the size of the file is small.

    So in general you can make sure the file is below the Kb limit (perhaps 20Kb or something); if it is below, just check the extension provided by the user ($_FILES['inputfilename']['name']). Now keep in mind that this extension can be altered by the user, so it is not "trustworthy".

    Now, if you just want your members to customize one of their own pages, then you actually do not need to worry too much about what you're displaying. Just make sure the code is not executed as php; even if a php file is uploaded you could change the extension and suddenly it would be displayed in clear text instead of being executed.

    Again, I can't stress this enough. Depending on how you use this html data, the above solution might be enough in your case. Since we have limited information about how it's used, it's very difficult to be certain. You will need to explain more about how it's used or make the call on your own.

    Also, I would be worried about cross site scripting (XSS) if I had been allowing my users to upload a html page. This one is almost impossible to address when you allow html code.
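
Added example, not part of any post in this thread: one way to apply the checks discussed above in PHP (size cap, exact `AV<number>.html` name, no trust in client-supplied values). The function name `av_upload_target`, the lower-case-only `.html` rule and the constructed sample entries are assumptions.

```php
<?php
// Added example: validate one entry of $_FILES against the thread's rules.
// Returns the server-built file name to store under, or null if rejected.
function av_upload_target(array $file, int $maxBytes = 20 * 1024): ?string
{
    // PHP sets 'error' itself; anything but UPLOAD_ERR_OK is a failed upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Size cap (20 KB is the figure suggested in the thread).
    $size = $file['size'] ?? 0;
    if (!is_int($size) || $size < 1 || $size > $maxBytes) {
        return null;
    }
    // 'name' is sent by the client, so match it whole: "AV", a number, ".html".
    // \A and \z anchor the entire string, which rejects paths, double
    // extensions such as AV1.php.html, and a trailing newline.
    // 'type' is deliberately ignored: the browser supplies it as well.
    $name = $file['name'] ?? '';
    if (!is_string($name)
        || !preg_match('/\AAV([1-9][0-9]{0,8})\.html\z/', $name, $m)) {
        return null;
    }
    // Rebuild the name from the captured number instead of reusing client text.
    return 'AV' . (int) $m[1] . '.html';
}

// Constructed sample entries, shaped like $_FILES['inputfilename'].
$samples = [
    ['name' => 'AV12.html',    'size' => 1834,   'error' => UPLOAD_ERR_OK],
    ['name' => 'AV1.php',      'size' => 1834,   'error' => UPLOAD_ERR_OK],
    ['name' => 'AV1.php.html', 'size' => 1834,   'error' => UPLOAD_ERR_OK],
    ['name' => '../AV3.html',  'size' => 1834,   'error' => UPLOAD_ERR_OK],
    ['name' => 'AV4.html',     'size' => 500000, 'error' => UPLOAD_ERR_OK],
    ['name' => 'AV5.html',     'size' => 0,      'error' => UPLOAD_ERR_NO_FILE],
];
foreach ($samples as $s) {
    $target = av_upload_target($s);
    echo str_pad($s['name'], 14), ' => ', $target ?? 'rejected', PHP_EOL;
}
```

In a real handler, pass `$_FILES['inputfilename']` and store an accepted file with `move_uploaded_file()` under the returned name, in a directory the server does not parse as PHP. This does not address the XSS concern raised in the last post.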

