  1. #1
    SitePoint Addict (Join Date: Jul 2007, Posts: 223)

    File upload for txt files only - Security and sanitization questions

    Greetings,

    I need some advice on safely allowing people to bulk upload products to our site using tab-delimited txt files only. My first concern is making sure the file that someone is uploading is actually a plain text file and not a hostile fake.

    Here is the code I have so far for the basic errors and sanitization:
    PHP Code:
    $allowedExts = array("txt");
    // The extension is read from the client-supplied file name. Both it and
    // $_FILES['ufile']['type'] come from the browser and say nothing about the
    // actual contents. pathinfo() replaces end(explode(...)), which PHP flags
    // with an "only variables should be passed by reference" notice.
    $extension = strtolower(pathinfo($_FILES["ufile"]["name"], PATHINFO_EXTENSION));
    if ($_FILES['ufile']['type'] != 'text/plain' || !in_array($extension, $allowedExts)) {
        echo "Error: This is not a 'txt' file.";
        exit();
    }
    if ($_FILES["ufile"]["error"] > 0) {
        echo "Error: Something is wrong with this file: " . $_FILES["ufile"]["error"];
        exit();
    }
    Let me know if this looks good so far or if anything else needs to be added here. I understand that mime_content_type is also deprecated and there is a better method out there?

    Any advice would be greatly appreciated. I've never added a feature like this to my site, so this is very new to me.

    Thanks

  2. #2
    logic_earth (Join Date: Oct 2005, Location: CA, Posts: 9,013)
    Text files have no mime type, anything can be classified as such. Don't bother checking the mime type or any of that. As long as you only access it as textual data it won't cause harm. The next step of course will be to process the data. The moment the format is incorrect, dump it as an invalid file.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
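    The approach in this reply, written out as an added example (not code from the thread or from either poster): the upload is treated purely as bytes and rows, the browser-supplied MIME type is never consulted, and the first malformed row rejects the whole file. The column layout (sku, name, price), the field rules and the 1 MiB size cap are assumptions.

```php
<?php
// Added example, not code from the thread: validate a tab-delimited product
// upload by its bytes and structure instead of the client-supplied MIME type.
// The column layout (sku, name, price) and the 1 MiB cap are assumptions.
function validate_product_data($data, $expectedCols = 3)
{
    // Binary files nearly always carry NUL or other control bytes; plain text
    // needs only tab, CR, LF, printable ASCII and multibyte (>= 0x80) bytes.
    if (preg_match('/[^\x09\x0A\x0D\x20-\x7E\x80-\xFF]/', $data)) {
        return array(false, 'control bytes found: not a plain text file');
    }
    if (!mb_check_encoding($data, 'UTF-8')) {
        return array(false, 'not valid UTF-8');
    }
    $rows = array();
    foreach (preg_split('/\r\n|\r|\n/', $data) as $i => $line) {
        if ($line === '') {
            continue; // tolerate blank lines and a trailing newline
        }
        $fields = explode("\t", $line);
        if (count($fields) !== $expectedCols) {
            // Wrong shape: reject the whole file, as the reply above advises.
            return array(false, sprintf('line %d: expected %d columns, got %d',
                                        $i + 1, $expectedCols, count($fields)));
        }
        list($sku, $name, $price) = $fields;
        if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $sku)) {
            return array(false, sprintf('line %d: bad SKU', $i + 1));
        }
        if (!is_numeric($price) || $price < 0) {
            return array(false, sprintf('line %d: bad price', $i + 1));
        }
        $rows[] = array('sku' => $sku, 'name' => $name, 'price' => (float) $price);
    }
    return array(true, $rows);
}

// Form handling: $_FILES['ufile']['type'] is never consulted; the temp file is
// read only after PHP confirms it belongs to this request and is within the cap.
if (isset($_FILES['ufile']) && $_FILES['ufile']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['ufile']['tmp_name'])
    && $_FILES['ufile']['size'] <= 1048576) {
    list($ok, $result) = validate_product_data(file_get_contents($_FILES['ufile']['tmp_name']));
    echo $ok ? count($result) . " products accepted" : "Error: " . $result;
}
// Constructed samples: a renamed binary is rejected before parsing, and a row
// with the wrong number of tabs is rejected by the parser.
list($ok, $why) = validate_product_data("\x7FELF\x01\x01\x01");            // $ok === false
list($ok, $why) = validate_product_data("A-1\tWidget\t9.99\nA-2\tGadget\n"); // rejects line 2
```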


  3. #3
    SitePoint Member (Join Date: Nov 2012, Posts: 12)
    PHP Code:
    <?php
    function control($val,$min,$max,$ctype,$check)
    {
        // ----- (body elided by the poster)
    }

    function userdata()
    {
        if(isset($_POST['btnSub2']))
        {
            // The posted code never sets these; they are assumed to come from the
            // same form (the field names are a guess).
            $firstname = isset($_POST['firstname']) ? $_POST['firstname'] : '';
            $lastname  = isset($_POST['lastname'])  ? $_POST['lastname']  : '';
            $email     = isset($_POST['email'])     ? $_POST['email']     : '';
            $strno     = isset($_POST['strno'])     ? $_POST['strno']     : '';

            $resume_file_name = str_replace('_','',$_FILES['filename']['name']);
            $file_error = $_FILES['filename']['error'];
            $filename = $resume_file_name; // the posted code used $filename without ever setting it
            if(!is_numeric($strno))
            {
                echo "Phone/Mobile Should be Numeric";
            }
            else
            {
                $upload = false;
                // echo "4Phone/Mobile Should be Numeric"; // debug leftover: printed on the valid path
                $explode_file = explode('.',$filename);
                $extension_supplied = strtolower($explode_file[count($explode_file) - 1]);
                // explode() yields "doc", not ".doc", so the original list ('.doc','.docx')
                // could never match; that is what produced the "Invalid File Extension"
                // message. Compare without the leading dot.
                $extension_allowed = array('doc','docx');
                for($check=0; $check<count($extension_allowed); $check++)
                {
                    if($extension_supplied == $extension_allowed[$check])
                    {
                        $upload = true;
                    }
                }
                // current timestamp //
                $timestamp = time();
                // temporary file name //
                $tmp_file_name = strtolower($firstname)."_".strtolower($lastname)."_".$timestamp."_".$filename;
                // target directory //
                $target = "abc/resume_coll/".$tmp_file_name;
                // echo $target . ", " . $tmp_file_name; // debug leftover ($temp_file_name was a typo)
                if($upload == true)
                {
                    // connecting to database server (legacy mysql_* extension, removed in PHP 7) //
                    $sql = mysql_connect('db42.db.com','dbo4256938','abcd123');
                    if (!$sql)
                    {
                        die('Connection failed: ' . mysql_error());
                    }
                    else
                    {
                        echo "Connection to MySQL server successful!";
                        $sql = mysql_select_db('db4256938'); // the posted code passed an unset variable $db4256938
                        // ---------
                        // ------- (database work elided by the poster)
                        if(is_uploaded_file($_FILES['filename']['tmp_name']))
                        {
                            if(move_uploaded_file($_FILES['filename']['tmp_name'],$target))
                            {
                                $message = "<table>-----<tr><td>Resume</td><td></td><td><a href=\"http://abc.com/abc/resume_collect/$tmp_file_name\">Download Now</a></td></tr>-----</table>";
                                $receiver = 'abc@xyz.com';
                                $subject = "Resume Uploaded by ".ucwords($firstname)." ".ucwords($lastname);
                                // echo "in resume upload"; // debug leftover
                                // $email is placed in the mail header block, so accept only a
                                // well-formed address; a raw value with line breaks would become
                                // extra headers.
                                if(!filter_var($email, FILTER_VALIDATE_EMAIL))
                                {
                                    die('Invalid E-mail address');
                                }
                                $headers = "From:".$email."\r\n"."Reply-To:".$email."\r\n";
                                $headers .= "Content-type: text/html\r\n"; // the posted code was missing the colon
                                // htmlentities() on the whole message escapes the <table> markup as
                                // well, so the HTML mail shows the tags as text; escape only the user
                                // values ($firstname, $lastname, $tmp_file_name) if HTML is wanted.
                                $message = htmlentities($message);
                                $mail = mail($receiver,$subject,$message,$headers);
                                if($mail)
                                {
                                    echo "You will receive a confirmation E-mail with User Name and Password information ";
                                }
                            }
                        }
                    }
                }
                else
                {
                    echo "Invalid File Extension (<b>$extension_supplied</b>) to Upload.";
                }
            }
        }
    }

    function execute_code()
    {
        return userdata();
    }
    echo execute_code();
    Hi, I am trying to upload the file to the target path (folder) but I'm getting the error "Invalid File Extension to Upload". Kindly help me.

