
PHP -- filtering uploaded files to images

How can I make sure that no PHP/HTML files are uploaded to my server? This is the code I have so far, but it isn't working.

<?php
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;

// This is our size condition
// (note: $uploaded_size is never assigned anywhere in this script)
if ($uploaded_size > 35000)
{
    echo "Your file is too large.<br>";
    $ok = 0;
}

// This is our limit file type condition
// (note: $uploaded_type is never assigned anywhere in this script)
if ($uploaded_type == "text/php")
{
    echo "No PHP files<br>";
    $ok = 0;
}

// Here we check that $ok was not set to 0 by an error
if ($ok == 0)
{
    echo "Sorry your file was not uploaded";
}

// If everything is ok we try to upload it
else
{
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
    {
        echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded and will be reviewed by moderators. You will receive points based on the review.";
    }
    else
    {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>


Your code uses variables which are not set, for example, $uploaded_size which will be NULL unless you do something like...

$uploaded_size = $_FILES['uploaded']['size'];

Also, checking the MIME is not too great at telling you whether the file has PHP or not. It just means it has the php extension (that is if you are inspecting type in $_FILES).

For security, move uploads outside of the docroot, rename and drop any extension (to prevent Apache trying to run any malicious file). The original filename and type can be stored safely in a database, with a reference to the (perhaps hashed) new name.

You may also want to ensure if you are streaming the content later to always echo the content using readfile() and not something like include (which will run your PHP code, even if embedded in an image with image/gif MIME, which can be told it is a GIF if it includes the GIF header).


Check out http://www.php.net/manual/en/function.exif-imagetype.php - this checks for certain magic numbers that all JPGs have at the beginning. Also, as others have pointed out, you're using undefined variables... check out the PHP tutorial for file uploading (which also documents the contents of $_FILES).

http://www.php.net/manual/en/features.file-upload.post-method.php
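The following is an added example (not code from the question or either answer) that puts both answers' advice into one handler: read the size from $_FILES instead of an unset variable, check the magic bytes with exif_imagetype() rather than the client-supplied MIME type, store the file under a random extension-less name outside the document root, and serve it back with readfile(). The form field name "uploaded" is taken from the question; UPLOAD_DIR and MAX_BYTES are assumed placeholders, and exif_imagetype() requires the exif extension.

```php
<?php
// Added example, not from the original post. Assumptions: the form field is
// "uploaded", UPLOAD_DIR is a directory outside the web root that PHP can
// write to, and the exif extension is loaded for exif_imagetype().
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // placeholder, outside docroot
const MAX_BYTES  = 35000;
const ALLOWED_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG]; // by magic bytes

function store_uploaded_image(array $file): string
{
    // Reject transport-level errors before touching the temp file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    // Use the size PHP recorded, not a variable that was never set.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Your file is too large.');
    }
    // Only accept files that really arrived through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Check the file header, not the client-supplied MIME type or extension.
    $type = exif_imagetype($file['tmp_name']);
    if ($type === false || !in_array($type, ALLOWED_TYPES, true)) {
        throw new RuntimeException('Only GIF, JPEG and PNG images are accepted.');
    }
    // Random, extension-less name: nothing the client sent reaches the filesystem,
    // and the web server has no extension to map to a script handler.
    $newName = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $newName)) {
        throw new RuntimeException('Sorry, there was a problem uploading your file.');
    }
    // The caller records basename($file['name']) and $type in the database keyed by $newName.
    return $newName;
}

// Serving: stream the bytes with readfile(); never include() a stored upload.
function serve_stored_image(string $newName, int $type): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $newName)) { // only names we generated
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . image_type_to_mime_type($type));
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . '/' . $newName);
}
```

Usage: `$name = store_uploaded_image($_FILES['uploaded']);` in the upload script, then `serve_stored_image($name, $typeFromDb);` in the script that displays it.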
