Link to home
Start Free TrialLog in
Avatar of galneweinhaw
galneweinhaw

asked on

adding a filename restriction to file-uplaoding

What do I need to add to restrict files to those whose filenames begin with 2 numbers?  ie - "45dfsdf.log" and "111111" would be accepted but "a222" and "1two3.log" would be rejected?

SO far here is what I have:

Here is the form to uplaod the Data:

<!-- The data encoding type, enctype, MUST be specified as below --><form action="successorfail.php" method="post" enctype="multipart/form-data"><!-- MAX_FILE_SIZE must precede the file input field --><input type="hidden" name="MAX_FILE_SIZE" /> <!-- Name of input element determines name in $_FILES array -->Upload Eternal Campaign Log File: <input type="file" name="userfile" /> <input type="submit" /> </form>


and here is the processing page:

<!--p
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/home/happyhik/public_html/OtherStuff/EternalLogFiles/LogUploads/';
$uploadfile = $uploaddir . basename($HTTP_POST_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.\n";
} else {
   echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($HTTP_POST_FILES);

print "</pre>";

-->
Avatar of Harisha M G
Harisha M G
Flag of India image

$uploaddir = '/home/happyhik/public_html/OtherStuff/EternalLogFiles/LogUploads/';
$uploadfile = $uploaddir . basename($HTTP_POST_FILES['userfile']['name']);

if(preg_match("/^\d{2}.*/i",$uploadfile) > 0)
{
    echo '<pre>';
    if (move_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'], $uploadfile))
    {
        echo "File is valid, and was successfully uploaded.\n";
    }
    else
    {
        echo "Possible file upload attack!\n";
    }
}
else
{
        echo "Invalid filename $uploadfile";
}
You can take out
> 0

from the if statement above
Avatar of galneweinhaw
galneweinhaw

ASKER

now it doesn't seem to be working at all...

here is the link:

http://happyhikers.ca/OtherStuff/EternalLogFiles/uploadlogfiles.php

hopefully you can se something obvious I messed up =)
Hmm.. we did not consider the directories and drives.. we considered only the filenames...

Try this...

if(preg_match("/\\\d{2}[^\\]*/i",replace("/","\\",$uploadfile)) > 0)
Actually it looks like somehow the <?php turned into <!--p

changed that and it's working better.... I think.  but it's not accepting a properly named file
gives this error:

Fatal error: Call to undefined function: replace() in /home/happyhik/public_html/OtherStuff/EternalLogFiles/successorfail.php on line 17


you can try to upload a file yourself to test...

thanks again for the help!
oops... that is
str_replace
almost......there......


=)


Warning: preg_match(): Compilation failed: missing terminating ] for character class at offset 11 in /home/happyhik/public_html/OtherStuff/EternalLogFiles/successorfail.php on line 17
Try

if(preg_match("/\\\d{2}[A-Z\-.]*/i",str_replace("/","\\",$uploadfile)) > 0)
getting better =D

I tried to upload a file named "99output.txt" but it gave me the Invalid Filename message.
if(preg_match("/\\\d{2}.*/i",str_replace("/","\\",$uploadfile)) > 0)
The filename is still being rejected
does it think the filename's first two characters are "/h" ?? as in /home/......./99output.txt?
How are you entering the filename ? Is it just 99output.txt or C:\......\99output.txt
or /../99output.txt ?

 if(preg_match("/[\\/]?\d{2}[^\\/]*$/i",str_replace("/","\\",$uploadfile)) > 0)
Exactly... it was doing the same thing /h instead of 99  :)
Cool.... it is accepting the file now.

tried a few different filenames and for some reason it accepts this one:

a99999999 output.txt
if(preg_match("/([\\/]\d{2}|^\d{2})[^\\/]*$/i",str_replace("/","\\",$uploadfile)) > 0)
ASKER CERTIFIED SOLUTION
Avatar of Harisha M G
Harisha M G
Flag of India image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
YAY!

thanks a ton for all the help.
Great feedback throughout the thread, which made it easy to solve it..  Thanks you
I still seem to be having some problems.... so I started a new question here:

https://www.experts-exchange.com/questions/21530286/Problem-restricting-filename-during-file-upload-PHP.html