• Status: Solved

php upload file

I have this script that uploads files:

<?php

// Where the file is going to be placed
$target_path = "uploads/";

// This is how we will get the temporary file:
// $_FILES['uploadedfile']['tmp_name']

// Add the original filename to our target path. Result is "uploads/filename.extension"
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
     echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
} else{
     echo "There was an error uploading the file, please try again!";
}

?>

But I want it to check to see if the file extension is .exe and if it is then echo "You can't upload an exe file". If not then go ahead with the upload.

Thanks,
Clay
Asked by: pugandjody
 
Promethyl Commented:
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

// Reject any filename containing ".exe" (case-insensitive)
if (stristr($_FILES['uploadedfile']['name'], '.exe')) die("You cannot upload exe files. I'm reporting you to the FCC!");

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
     echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
} else{
     echo "There was an error uploading the file, please try again!";
}
 
str_kani Commented:
Writing the following while keeping in mind the pluses of JavaScript and client-side validation...
You can use a function like the following one to validate whether the user uploads a valid file or not.
If you validate using a server-side script, it will validate ONLY after the entire file is uploaded. If you validate this on the client side, then the following will prompt the user to select a valid file (non-exe) to upload; this will happen well before the browser starts uploading it to the server...


function validate_extention()
{
      with(document.formname)
      {
            imagefilelength=imgvalue.length;
            indexofdot=imgvalue.indexOf(".");
            extension=imgvalue.substring(indexofdot+1,imagefilelength);
            ext=extension.toLowerCase();
            if(ext=="jpeg")
            {
              alert("You cannot upload .exe file");
              return false;
            }
            else
            {
                  //valid file extention, do the rest
            }
      }
}

Hope this helps you.
 
Promethyl Commented:
What's with this logic? If the ext is a jpeg then warn/alert it's an exe? Besides, this is PHP support. =)


         if(ext=="jpeg")
          {
            alert("You cannot upload .exe file");
            return false;
          }
 
Roonaan Commented:
Wouldn't it be wiser to have a whitelist instead of a blacklist approach?

Also str_kani, having JavaScript checks isn't security! It is quite easy to shut down JavaScript while uploading your executables!

-r-
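
The whitelist approach suggested in the comment above, as a server-side sketch. This is an added example, not code from any poster in the thread; the allowed extension list, the function names and the sample filenames are assumptions. It checks the final extension against an allowlist and stores the file under a server-generated name instead of the client's.

```php
<?php
// Added example, not code from the thread. The allowed extensions and the
// sample filenames are constructed for illustration.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Return the lower-cased final extension if it is on the allowlist, else null.
function allowed_extension(string $clientName): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// Validate one $_FILES entry and move it under a server-generated name.
// Returns the stored path; throws RuntimeException on rejection.
function store_upload(array $file, string $dir = 'uploads/'): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'n/a'));
    }
    $ext = allowed_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    // The client-supplied name is never used on disk.
    $target = $dir . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    return $target;
}

if (isset($_FILES['uploadedfile'])) {
    try {
        store_upload($_FILES['uploadedfile']);
        echo 'The file has been uploaded';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
} else {
    // Offline demo on constructed names. "notes.executive.txt" contains ".exe"
    // as a substring but is a .txt file, so the allowlist accepts it.
    foreach (['photo.JPG', 'setup.exe', 'report.pdf.EXE', 'notes.executive.txt', 'noextension'] as $name) {
        printf("%-22s %s\n", $name, allowed_extension($name) ?? 'rejected');
    }
}
```

Run from the command line, the script prints the allowlist decision for each constructed name; behind a web server it handles the `uploadedfile` form field used in the question.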
 
huji Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: Promethyl

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Huji
EE Cleanup Volunteer