Is this script adequate to prevent malicious uploading of files?

I recently created this Utility Reviews wanted post and used the following script to rename any PHP files to .TXT files.

    # get the absolute path to $file
    $path = pathinfo(realpath($downloadedZip), PATHINFO_DIRNAME);

    $zip = new ZipArchive;
    $res = $zip->open($downloadedZip);
    if ($res === true) :
        for ($i2 = 0; $i2 < $zip->numFiles; $i2++) :
            $name = $zip->statIndex($i2)['name'];   // entry name as stored in the zip
            $BAD  = strtolower($name);              // lowercase copy, used for the check only
            if (strpos($BAD, '.php')) :
                // rename using the real entry name so the source path matches the extracted file
                rename('DOWNLOADS/' . $name, 'DOWNLOADS/' . $name . '-NOT-ALLOWED.txt');
            endif;
        endfor;
    endif; // ($res === true)

Could there be any problems from JavaScript files, etc?

strpos is technically insufficient. Verify that the position returned is the last 4 characters of the filename, because people do weird things like name files myfile.phpeditor.wark and that would get caught by a flat strpos check.

As far as JavaScript files… any HTML file can carry a JavaScript payload that can be executed, but it would be a client-side script at that point, not a server-side one.

You can add a .htaccess file to prevent php being run in the folder containing the uploaded files.


As suggested I created a myfile.phpeditor.wark with PHP content:

  1. tried in three browsers:
    a. Opera displayed PHP content
    b. Chromium displayed PHP content
    c. Firefox displayed a blank screen

It looks as though Apache2 only recognises PHP extensions and prevents non-PHP files from running.

The thought did occur that JavaScript maybe could be used to rename a file such as index.html to index.php. Activating the renamed file could create havoc :frowning:

No no… it wasn't that the PHP content would be executed, it's that your script would false-positive a non-PHP file with the name myfile.phpeditor.wark


AHH now I understand :slight_smile:

Perhaps I should ensure the file extension is .php

    $file = 'myfile.phpeditor.wark';
    if ('.php' === substr($file, -4)) :
        echo '<br><br> Not allowed';
    else :
        echo '<br><br> this $file OK ==> ' . $file;
    endif;

    $file = 'index-just-testing.php';
    if ('.php' === substr($file, -4)) :
        echo '<br><br> this $file Not allowed ==> ' . $file;
    else :
        echo '<br><br> this $file OK ==> ' . $file;
    endif;


this $file OK ==> myfile.phpeditor.wark

this $file Not allowed ==> index-just-testing.php

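An added example (not the poster's code) that puts the "last extension only" check from the posts above into one function, next to the quarantine name the first script builds. It also covers two names a flat strpos() check gets wrong: a hidden `.php` entry (strpos() returns 0, which `if (strpos(...))` treats as false) and an upper-case extension. The sample entry names are constructed.

```php
<?php
// Added example, not code from the thread. Decide whether a zip entry name ends
// in a .php extension and build the quarantine name the first script used.

/**
 * True only when the final extension of $name is "php" (case-insensitive,
 * trailing whitespace ignored). 'myfile.phpeditor.wark' is NOT matched;
 * 'Index.PHP' is. Directory entries (trailing '/') are never matched.
 */
function hasPhpExtension(string $name): bool
{
    $name = rtrim($name);                         // 'file.php ' -> 'file.php'
    if ($name === '' || substr($name, -1) === '/') {
        return false;                             // directory entry inside the zip
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);   // text after the LAST dot only
    return strtolower($ext) === 'php';
}

/**
 * Name a blocked file gets: original name plus '-NOT-ALLOWED.txt', as in the
 * script at the top of the thread. The original case is kept so the rename()
 * source path still matches the file that was actually extracted.
 */
function quarantineName(string $name): string
{
    return $name . '-NOT-ALLOWED.txt';
}

// Constructed sample entry names, as ZipArchive::statIndex()['name'] reports them.
$samples = [
    'myfile.phpeditor.wark',   // flat strpos() flags this; it is not PHP
    'index-just-testing.php',  // must be blocked
    'Index.PHP',               // upper-case extension, must still be blocked
    '.php',                    // strpos() returns 0 here, so the original if misses it
    'page.html',               // client-side only, allowed
    'assets/',                 // directory entry, allowed
];

foreach ($samples as $name) {
    $verdict = hasPhpExtension($name) ? 'blocked -> ' . quarantineName($name) : 'ok';
    printf("%-25s %s\n", $name, $verdict);
}
```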

Many thanks.

I tried a couple of examples and this one seems the easiest:


php_flag engine off

Testing for an extension string is OK I guess, but I recommend you do a bit more too. i.e.

Example #1 mime_content_type() Example

echo mime_content_type('php.gif') . "\n";
echo mime_content_type('test.php');

The above example will output:



Many thanks for the suggestions.

I updated and completely revamped the site. Full page view is now possible and ideal for mobiles and laptops. Pasting HTML script into the following web page automatically adds the page to Not even a Zip Name or filename is required :slight_smile:

Upload, Zip and Render HTML Script

Wherever the file has a lowercase .php extension I appended .txt. This seems adequate because I am just concerned about preventing the .php file from being called.

Viewing the content as a .txt file seems harmless and hopefully will not cause any problems.