PHP-- filtering uploaded files to imags
how can i make sure that no php/html files are uploaded to my server? this is my code i have so far but it isn't working.
<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
//This is our开发者_开发技巧 size condition
if ($uploaded_size > 35000)
{
echo "Your file is too large.<br>";
$ok=0;
}
//This is our limit file type condition
if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
}
//Here we check that $ok was not set to 0 by an error
if ($ok==0)
{
Echo "Sorry your file was not uploaded";
}
//If everything is ok we try to upload it
else
{
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded and will be revied by moderators. You will recieve points based on the review.";
}
else
{
echo "Sorry, there was a problem uploading your file.";
}
}
?>
Your code uses variables which are not set, for example, $uploaded_size
which will be NULL unless you do something like...
$uploaded_size = $_FILES['uploaded']['size'];
Also, checking the MIME is not too great at telling you whether the file has PHP or not. It just means it has the php
extension (that is if you are inspecting type
in $_FILES
).
For security, move uploads outside of the docroot, rename and drop any extension (to prevent Apache trying to run any malicious file). The original filename and type can be stored safely in a database, with a reference to the (perhaps hashed) new name.
You may also want to ensure if you are streaming the content later to always echo the content using readfile()
and not something like include
(which will run your PHP code, even if embedded in an image with image/gif
MIME, which can be told it is a GIF if it includes the GIF header).
Check out http://www.php.net/manual/en/function.exif-imagetype.php - this checks for certain magic numbers that all JPG's have at the beginning. Also, as others have pointed out, you're using undefined variables... check out the PHP tutorial for file uploading ( which also documents the contents of $_FILE).
http://www.php.net/manual/en/features.file-upload.post-method.php
精彩评论