#1
Hello everyone !!!

I have a very neat script to download files to the server, the problem is that it uploads all kinds of files, txt, exe, zip, you name it. I have been trying to add some code but still can't get it to work. What I would like the script to do is only to allow the jpg, jpeg, bmp, gif files to be downloaded. Can anyone give me a hand?

Thanks in advance,
Bob.

This is the script:

<form name="upload" enctype="multipart/form-data" method="post" action="">
<input type="file" name="file" />
<br /><input type="submit" name="submit" value="Upload" />

<?php

if(isset($_POST['submit'])) {

    $dir = "files/";                                     //Upload directory
    $error = "";                                         //Setting a false error
    $address = "http://".$_SERVER['HTTP_HOST']."/";      //Getting the web address
    $file_name = $_FILES['file']['name'];                //Getting the file name (as sent by the browser)
    $file_type = $_FILES['file']['type'];                //Getting the file type (as claimed by the browser)
    $file_size = "".$_FILES['file']['size']." bytes";    //Getting the file size
    $file_tmp = $_FILES['file']['tmp_name'];             //Setting the temporary name
    $file_address = $address.$dir.$file_name;            //URL of file

    // No check on extension or content yet: any file the client names is stored as-is
    if(file_exists($dir.$file_name)) {
        $error = "<br />Error: A file with the same name already exists!";
    }
    else {
        @copy($file_tmp, $dir.$file_name) or ($error = "<br />Error: File could not be copied!");
    }

    if($error != "") {
        echo $error;
    }
    else {
        echo "<br />File successfully uploaded!\n";
        echo "<br />Name: ".$file_name."\n";
        echo "<br />Size: ".$file_size."\n";
        echo "<br />Type: ".$file_type."\n";
        echo "<br />URL: ".$file_address."";
    }
}
?>
</form>

#2
At Mon, 11 Jun 2007 05:02:40 +0000, Bob let h(is|er) monkeys type:

> Hello everyone !!!
> I have a very neat script to download files to the server, the problem is
> that it uploads all kinds of files, txt, exe, zip,
> you name it. I have been trying to add some code but still can't get it to
> work. What I would like the script to do is only to allow the jpg, jpeg,
> bmp, gif files to be downloaded. Can anyone give me a hand?
> Thanks in Advance, Bob.
> This is the script.
> [script quoted in full; see #1]

You'll have to test for extension first, and then assert what's sent actually is what it claims to be. A safe way would be to apply the appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the gd library.

There are scripts that 'simply' check exif data, or gif headers and such to assert valid pictures are sent, but it's not foolproof; in fact it's quite easy to abuse an image container to send any data to the server.

Additionally, to have some prevention before the form is submitted, a little javascript could check for the proper extension in the form page. But you can never rely on that test.

Does that help in any way?

-- 
Schraalhans Keukenmeester - schraalhans@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

#3
Schraalhans Keukenmeester wrote:

> At Mon, 11 Jun 2007 05:02:40 +0000, Bob let h(is|er) monkeys type:
>
>> Hello everyone !!!
>> I have a very neat script to download files to the server, the problem is
>> that it uploads all kinds of files, txt, exe, zip,
>> you name it. I have been trying to add some code but still can't get it to
>> work. What I would like the script to do is only to allow the jpg, jpeg,
>> bmp, gif files to be downloaded. Can anyone give me a hand?
>
> You'll have to test for extension first, and then assert what's sent
> actually is what it claims to be. A safe way would be to apply the
> appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
> gd library.

A much better way imho is to use getimagesize (http://pl2.php.net/manual/en/function.getimagesize.php) to check if it's a valid image file.

Additionally you can check the extension of the uploaded file.

-- 
Wiktor Walc
http://phpfreelancer.net

#4
At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:

> Schraalhans Keukenmeester wrote:
>> You'll have to test for extension first, and then assert what's sent
>> actually is what it claims to be. A safe way would be to apply the
>> appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
>> gd library.
>
> A much better way imho is to use getimagesize
> (http://pl2.php.net/manual/en/function.getimagesize.php)
> to check if it's a valid image file.
>
> Additionally you can check the extension of the uploaded file.

I haven't been able to test if the getimagesize() function can be fooled easily. If not, it's probably quicker than using imagecreatefromFORMAT() and therefore a better choice indeed. Great suggestion; it's the PHP manual's suggested way of checking for valid images, I noticed. It doesn't give much explanation though.

-- 
Schraalhans Keukenmeester - schraalhans@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

#5
This link says a bit more about this function:

http://www.phpfreaks.com/phpmanual/p...imagesize.html

This seems to be the key (from that page):

"If accessing the filename image is impossible, or if it isn't a valid picture, getimagesize() will return FALSE and generate an error of level E_WARNING."

--Kenoli

On Jun 11, 8:46 am, Schraalhans Keukenmeester <Schraalh...@the.spamtrapexample.nl> wrote:
> At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:
>
>> Schraalhans Keukenmeester wrote:
>>> You'll have to test for extension first, and then assert what's sent
>>> actually is what it claims to be. A safe way would be to apply the
>>> appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
>>> gd library.
>>
>> A much better way imho is to use getimagesize
>> (http://pl2.php.net/manual/en/function.getimagesize.php)
>> to check if it's a valid image file.
>>
>> Additionally you can check the extension of the uploaded file.
>
> I haven't been able to test if the getimagesize() function can be fooled
> easily. If not, it's probably quicker than using imagecreatefromFORMAT()
> and therefore a better choice indeed. Great suggestion; it's the PHP manual's
> suggested way of checking for valid images, I noticed. It doesn't give much
> explanation though.
>
> --
> Schraalhans Keukenmeester - schraalh...@the.Spamtrapexample.nl
> [Remove the lowercase part of Spamtrap to send me a message]
>
> "strcmp('apples','oranges') < 0"

#6
At Mon, 11 Jun 2007 09:24:44 -0700, Kenoli let h(is|er) monkeys type:

> This link says a bit more about this function:
>
> http://www.phpfreaks.com/phpmanual/p...imagesize.html
>
> This seems to be the key (from that page):
>
> "If accessing the filename image is impossible, or if it isn't a valid
> picture, getimagesize() will return FALSE and generate an error of
> level E_WARNING."
>
> --Kenoli

Thanks for the update. I did see that indeed, but I'd hoped there would be some expansion on what -according to the authors/developers- constitutes 'a valid picture'. I know I can bake a GIF file with no image but having a valid header according to some scripts at least. Don't know enough about other popular formats though.

Whether or not a theoretically harmful binary string disguised as an image could wreak havoc on the server, or -more likely- on other people's pc after downloading such an 'image', is another matter of course.