galneweinhaw
asked on
adding a filename restriction to file-uplaoding
What do I need to add to restrict files to those whose filenames begin with 2 numbers? ie - "45dfsdf.log" and "111111" would be accepted but "a222" and "1two3.log" would be rejected?
SO far here is what I have:
Here is the form to uplaod the Data:
<!-- The data encoding type, enctype, MUST be specified as below --><form action="successorfail.php" method="post" enctype="multipart/form-da ta"><!-- MAX_FILE_SIZE must precede the file input field --><input type="hidden" name="MAX_FILE_SIZE" /> <!-- Name of input element determines name in $_FILES array -->Upload Eternal Campaign Log File: <input type="file" name="userfile" /> <input type="submit" /> </form>
and here is the processing page:
<!--p
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.
$uploaddir = '/home/happyhik/public_htm l/OtherStu ff/Eternal LogFiles/L ogUploads/ ';
$uploadfile = $uploaddir . basename($HTTP_POST_FILES[ 'userfile' ]['name']) ;
echo '<pre>';
if (move_uploaded_file($HTTP_ POST_FILES ['userfile ']['tmp_na me'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($HTTP_POST_FILES);
print "</pre>";
-->
SO far here is what I have:
Here is the form to uplaod the Data:
<!-- The data encoding type, enctype, MUST be specified as below --><form action="successorfail.php"
and here is the processing page:
<!--p
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.
$uploaddir = '/home/happyhik/public_htm
$uploadfile = $uploaddir . basename($HTTP_POST_FILES[
echo '<pre>';
if (move_uploaded_file($HTTP_
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($HTTP_POST_FILES);
print "</pre>";
-->
You can take out
> 0
from the if statement above
> 0
from the if statement above
ASKER
now it doesn't seem to be working at all...
here is the link:
http://happyhikers.ca/OtherStuff/EternalLogFiles/uploadlogfiles.php
hopefully you can se something obvious I messed up =)
here is the link:
http://happyhikers.ca/OtherStuff/EternalLogFiles/uploadlogfiles.php
hopefully you can se something obvious I messed up =)
Hmm.. we did not consider the directories and drives.. we considered only the filenames...
Try this...
if(preg_match("/\\\d{2}[^\ \]*/i",rep lace("/"," \\",$uploa dfile)) > 0)
Try this...
if(preg_match("/\\\d{2}[^\
ASKER
Actually it looks like somehow the <?php turned into <!--p
changed that and it's working better.... I think. but it's not accepting a properly named file
changed that and it's working better.... I think. but it's not accepting a properly named file
ASKER
gives this error:
Fatal error: Call to undefined function: replace() in /home/happyhik/public_html /OtherStuf f/EternalL ogFiles/su ccessorfai l.php on line 17
you can try to upload a file yourself to test...
thanks again for the help!
Fatal error: Call to undefined function: replace() in /home/happyhik/public_html
you can try to upload a file yourself to test...
thanks again for the help!
oops... that is
str_replace
str_replace
ASKER
almost......there......
=)
Warning: preg_match(): Compilation failed: missing terminating ] for character class at offset 11 in /home/happyhik/public_html /OtherStuf f/EternalL ogFiles/su ccessorfai l.php on line 17
=)
Warning: preg_match(): Compilation failed: missing terminating ] for character class at offset 11 in /home/happyhik/public_html
Try
if(preg_match("/\\\d{2}[A- Z\-.]*/i", str_replac e("/","\\" ,$uploadfi le)) > 0)
if(preg_match("/\\\d{2}[A-
ASKER
getting better =D
I tried to upload a file named "99output.txt" but it gave me the Invalid Filename message.
I tried to upload a file named "99output.txt" but it gave me the Invalid Filename message.
if(preg_match("/\\\d{2}.*/ i",str_rep lace("/"," \\",$uploa dfile)) > 0)
ASKER
The filename is still being rejected
ASKER
does it think the filename's first two characters are "/h" ?? as in /home/......./99output.txt ?
How are you entering the filename ? Is it just 99output.txt or C:\......\99output.txt
or /../99output.txt ?
if(preg_match("/[\\/]?\d{2 }[^\\/]*$/ i",str_rep lace("/"," \\",$uploa dfile)) > 0)
or /../99output.txt ?
if(preg_match("/[\\/]?\d{2
Exactly... it was doing the same thing /h instead of 99 :)
ASKER
Cool.... it is accepting the file now.
tried a few different filenames and for some reason it accepts this one:
a99999999 output.txt
tried a few different filenames and for some reason it accepts this one:
a99999999 output.txt
if(preg_match("/([\\/]\d{2 }|^\d{2})[ ^\\/]*$/i" ,str_repla ce("/","\\ ",$uploadf ile)) > 0)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
YAY!
thanks a ton for all the help.
thanks a ton for all the help.
Great feedback throughout the thread, which made it easy to solve it.. Thanks you
ASKER
I still seem to be having some problems.... so I started a new question here:
https://www.experts-exchange.com/questions/21530286/Problem-restricting-filename-during-file-upload-PHP.html
https://www.experts-exchange.com/questions/21530286/Problem-restricting-filename-during-file-upload-PHP.html
$uploadfile = $uploaddir . basename($HTTP_POST_FILES[
if(preg_match("/^\d{2}.*/i
{
echo '<pre>';
if (move_uploaded_file($HTTP_
{
echo "File is valid, and was successfully uploaded.\n";
}
else
{
echo "Possible file upload attack!\n";
}
}
else
{
echo "Invalid filename $uploadfile";
}