• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 265
  • Last Modified:

password protect a file upload via form

I would like to have the user provide a password to upload files to a the specific directory using the following code:

***** THis is the form so far****

<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="successorfail.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>




****Here is my successorfail.php code:******

<html>

<head>
<title>New Page 2</title>
</head>

<body>
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/home/happyhik/html_public/myPasswordProtectedFolder/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.\n";
} else {
   echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";

?>
</body>

</html>
0
galneweinhaw
Asked:
galneweinhaw
  • 2
1 Solution
 
galneweinhawAuthor Commented:
In order for what I have to work the file permission is at 777... which I don't think is good...
0
 
dougdayCommented:
That depends on what kind of system you're using.  Usually, you would check the username and password against the database:

<!-- Form -->
<form enctype="multipart/form-data" action="successorfail.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <input type="text" name="username" value="" />
    <input type="password" name="password" value="" />
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>


/* PHP FILE */
<html>

<head>
<title>New Page 2</title>
</head>

<body>
<?php

$uploaddir = '/home/happyhik/html_public/myPasswordProtectedFolder/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

$db_conn = mysql_connect("servername", "mysql_username", "mysql_password");
if ($db_conn) {
    mysql_select_db("database_name", $db_conn);
    $result = mysql_query("SELECT username, password FROM user_table WHERE username={$_POST[username]} AND password = '" . sha1($_POST["password"] . "'");    
    if (mysql_num_rows($result) > 0) {
        echo '<pre>';
        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
            echo "File is valid, and was successfully uploaded.\n";
        } else {
            echo "Possible file upload attack!\n";
        }
        echo 'Here is some more debugging info:';
        print_r($_FILES);

        print "</pre>";
    }    
}

?>
</body>

</html>

That example is for a mysql database.  You'd need to change the following:  servername, mysql_username, mysql_password, and database_name to match your mysql settings.  Also, in this scenario, you'd want to store your password in the database as a sha1 hash.  Then, when the user enters their password, the sha1 hash is recreated and compared against the database.  This prevents clear-text passwords from being in the database -- which is a common security precaution.

-Doug
0
 
designbaiCommented:
If you already have a user authentication in your system, you can use as doug said.

otherwise let the user enter specific code, upon matching the code you can allow the user to upload file.

This is my thought, i dont' now how is you designed your system.

bye.
0
 
dougdayCommented:
Also, if you don't have SSL on your server, you'll want to do the sha1 hash of the password in javascript, *before* they submit the form.  That way their password isn't sent as clear text over the internet.  If you're interested let me know.
-Doug
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now