Weborum Webmaster Forum > Image Upload Script

Weborum Webmaster Forum > Web Page Design > PHP

Joe

May 2 2005, 06:07 PM

Hey guys,

I have been playing with image uploads recently and have just got a little script working ... but not being an expert I was wondering if it was a pretty safe script and also how to do a few things with the filename.

Here's my code;

PHP

<?php
ini_set("upload_max_filesize", "8mb");

// $userfile is where file went on webserver
$userfile = $HTTP_POST_FILES['userfile']['tmp_name'];

// $userfile_name is original file name
$userfile_name = $HTTP_POST_FILES['userfile']['name'];

// $userfile_size is size in bytes
$userfile_size = $HTTP_POST_FILES['userfile']['size'];

// $userfile_type is mime type e.g. image/gif
$userfile_type = $HTTP_POST_FILES['userfile']['type'];

// $userfile_error is any error encountered
$userfile_error = $HTTP_POST_FILES['userfile']['error'];

// userfile_error was introduced at PHP 4.2.0
// use this code with newer versions
// put the file where we'd like it
$upfile = 'upload/'.$userfile_name;

// is_uploaded_file and move_uploaded_file
if (is_uploaded_file($userfile))
{
if (!move_uploaded_file($userfile, $upfile))
{
echo 'Error: Could not move file to destination directory.';
exit;
}
} else {
echo 'Error: Possible file upload attack. Filename: '.$userfile_name.'';
}
echo 'Success! File uploaded successfully. Filename: '.$userfile_name.'.';
?>

Now this works, outputs the exact name of the file. But the thing is, I want to change the filenames all to lowercase and exchange all spaces to underscores (for constistancy).

Is this possible using preg_replace or would I have to use something else?

Cheers

Waleed

May 3 2005, 12:36 PM

I say preg_replace...

sjthomas

May 3 2005, 01:23 PM

Well you can use strtolower($name) to covnert it to lower case and str_replace(" ", "_", $name) for the space and underscore thing.

Joe

May 3 2005, 06:03 PM

Thought so

Thanks.

What do you think about the actual script itself? Is it secure in anyway? What kind of checks would I need to do? I really have no idea where to find all this information ... search brings up nada!

sjthomas

May 3 2005, 10:13 PM

Its a bit hard to say, it depends what you want it to do. When I've built a file upload script before I've made sure it can only take certain types of files, mostly images. But if you want someone to be able to upload any file up to 8meg then that script should be fine. There are a couple of things though. Seeing as you can upload any file whatsoever and your then moving it to a directory called "upload" your making it easy for people to execute arbitrary code on your server. For example I could write a file that deletes all the files in your htdocs directory, upload it to your site using the script above and then just go to www.yoursite.com/uploads/deleteFiles.php and it will be run. That would of course depend on the setup you've got going on there but its safe to assume that an uploaded file could cause at least some damage on the server if it actually resides on that server. Thats assuming 755 permissions for your files btw, which is quite likely for files on a php installation. Another concern I would have is that people could quite easily use it as a storage repository to upload mp3's or other files, 8 meg is reasonable enough and I could see people raring a larger file up into 8meg chunks and then uploading them to your site to use as a file storage server.

All that sort of stuff does depend on a couple of things though. Mostly who you're giving access to the script to. You'd have to have some pretty good protection going on there. The general security and "hardness" of your web server would also be an issue when trying to control attacks. I say that ebcause its possible to upload a shell script and then access it via another php file. Or, more worryingly, a php file that uses something like passthru to access the command line directly, do something nasty like plant a trojan and then delete itself removing all traces.

As an aside one of the first scripts I ever wrote in PHP was to do with file uploading. I signed up to a free isp that gave you loads of free, fast webspace but only let you upload to it when you were on their connection. I was already on a paid monthly unlimited connection so I didn't want to pay for it. So I wrote a script to upload, delete, rename and move filess around from a web interface. Worked a treat to!

Oh and if you have any questions on some of the security things feel free to ask (I could actually tell you how its done, but, you didn't see me

). My advice would be check the type of file being uploaded (by header info as opposed to filename) and limit it to the ones you can control. If the file is only to be used on your site and not accessed directly from somewhere else (I.E you only want it to be available to people currently viewing your site) then move the file to a non-web-viewable directory on the server. Your scripts will still be able to access it via includes etc but other will not.

Joe

May 3 2005, 10:33 PM

That's really what I want to try and accomplish. Obviously people aren't going to be able to upload malicious files or use the space for storage because the actual script is hidden within a password protected area (not even I know where

). So basically I want to make a list of all known image file types that are allowed to be uploaded (png, gif, jpg, JPG, jpeg, tiff etc) and run a test to make sure only those are getting uploaded.

Get the images names formatted accordingly and then the names of which are going to be stored inside a database along with a specific ID. Hopefully. One step at a time first though ay

Nice way to hack their space

I may PM you soon about this ... won't be tonight as I'm far too tired *yawn*

Cheers for your help mate.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.