
uploading files

CFIL asked
Last Modified: 2008-01-26
Hello Experts,
I am new to the PHP world, but I have been studying this language for several years, though only part time.
I have seen lots of code that uploads files and photos, but the problem is that it isn't very secure, because in some cases someone could upload a shell script as a JPG or another file type.
Can anyone help me get a small piece of code that can upload files and photos with the most secure methods?
Thanks in advance.
 

I use something similar to this to make sure they are uploading the proper file extension:

$image_types = 'jpg,jpeg,gif,png';	// allowed extensions, comma-separated

// Return the extension of $filename, or '' when it has none
function getFileExt($filename) {
	$path_info = pathinfo($filename);
	return isset($path_info['extension']) ? $path_info['extension'] : '';
}
$extension = getFileExt($_FILES['photo']['name']);
$extension = strtolower($extension);
$extension = explode('.', $extension);
$ext = $extension[0];
$goode = strtolower($image_types);
$goode = explode(',', $goode);
// Reject anything whose extension is not in the allowed list
if( !in_array( $ext, $goode ) ) {
	echo 'Sorry, you can only upload jpg,jpeg,gif and png files.';
	die;
}


Author

Commented:
Hi phpintheusa,
thank you for your comment.
Could you please post the whole code, from choosing a file until saving it in a particular path?
Sorry for my question, I am not an expert as you think.

Here you go, tested and no errors.
<?php
$image_types = 'jpg,jpeg,gif,png';	// allowed image types (example: 'jpg,gif,jpeg,png')
$upload_path = 'photos/';		// path to uploads directory

// Return the extension of $filename, or '' when it has none
function getFileExt($filename) {
	$path_info = pathinfo($filename);
	return isset($path_info['extension']) ? $path_info['extension'] : '';
}

if (isset($_POST['action']) && $_POST['action'] == 'upload') {
	// PHP sets $_FILES['photo'] even when no file was chosen, so check the error code as well
	if (!isset($_FILES['photo']) || $_FILES['photo']['error'] !== UPLOAD_ERR_OK) {
		die('Photo not chosen or upload failed. Please try again.');
	} else {
		$extension = getFileExt($_FILES['photo']['name']);
		$extension = strtolower($extension);
		$extension = explode('.', $extension);
		$ext = $extension[0];
		$goode = strtolower($image_types);
		$goode = explode(',', $goode);
		if( !in_array( $ext, $goode ) ) {
			// Stop here so a rejected file is never moved into the uploads directory
			die('Sorry, you can only upload jpg,jpeg,gif and png files.');
		}
		$upload_path = $upload_path . basename( $_FILES['photo']['name']);
		if(move_uploaded_file($_FILES['photo']['tmp_name'], $upload_path)) {
		    echo 'Success!';
		} else {
		    echo "Please try again!";
		}
	}
} else {
	echo '
		<form enctype="multipart/form-data" action="upload.php" method="POST">
			<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
			<input type="hidden" name="action" value="upload" />
			<p>File to upload: <input name="photo" type="file" /></p>
			<p><input type="submit" value="Upload" /></p>
		</form>
 
	';
}
?>


Author

Commented:
Thank you, sir, it's great.
I tried it and it works fine, but do you think there is any way to upload some shell scripts or any trojan files?

Nah, you should be fine :D
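
Added example, not part of the original thread: the code above decides by the client-supplied file name alone, so this handler checks the uploaded bytes with `finfo` and `getimagesize()` and stores the file under a server-generated name. It assumes PHP 7 or later with the fileinfo extension and the thread's `photo` field and `photos/` directory; `store_uploaded_image`, `MAX_BYTES` and `ALLOWED` are illustrative names.

```php
<?php
// Added example, not the thread's code. Function and constant names are illustrative.
const MAX_BYTES = 100000;          // same limit as the form's MAX_FILE_SIZE field
const ALLOWED = [                  // detected MIME type => extension assigned on disk
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file, string $dir): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file chosen.');
    }
    // MAX_FILE_SIZE in the form is only a browser hint; enforce the limit here.
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Identify the type from the file's bytes, not from the client-supplied
    // name or $_FILES[...]['type'], both of which the sender controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are accepted.');
    }
    // The file must also parse as an image with real dimensions.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image.');
    }
    // Server-chosen name: random stem plus the extension for the detected type,
    // so a client name such as "x.php" or "x.php.jpg" never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    // move_uploaded_file() refuses paths that did not come from an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if (isset($_FILES['photo'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_uploaded_image($_FILES['photo'], 'photos/'));
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
```

A file that passes these checks can still carry embedded text inside valid image data, so the uploads directory should also be configured so the web server never executes scripts from it.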
