PHP Uploader (Functions)

[Sniper][Wolf] said:
If the web was full of decent tutorials
I think Sniper's right. a lot of the tutorials on the web are a bit pants IMO, and are only good if you actually understand the code in the first place ;) Which is alright for me, but I can totally see from a 'newbies' point of view :p
 
[Sniper][Wolf] said:
It doesn't do anything, when i click submit i just get a blank page and nothing is uploaded/outputted

at first i thought this might be because i only tested on a non-apache windows server. :p but i've just tested on a ubuntu/apache box and it works fine. so the problem is with you i'm afraid..... :)

edit: i've posted a more functional script here
 
All of the code posted in this thread is relying on the browser to send the correct mime type of the uploaded file (image/jpeg/pjpeg). You should not trust this information as it is all too easily faked.
 
isset said:
All of the code posted in this thread is relying on the browser to send the correct mime type of the uploaded file (image/jpeg/pjpeg). You should not trust this information as it is all too easily faked.

interesting. what's the worst case scenario for someone spoofing the mime type? i'm genuinely curious as i've only recently started messing about with php.

btw the code i linked to in my previous post is using php's imagecreatefrom..... functions so if the script is unable to create a valid image resource, the file doesn't get uploaded. hopefully that should be safe enough? :)
 
marc2003 said:
at first i thought this might be because i only tested on a non-apache windows server. :p but i've just tested on a ubuntu/apache box and it works fine. so the problem is with you i'm afraid..... :)

edit: i've posted a more functional script here

I did get it working in the end, well the file types anyway, i just need to work on the rest of the switch case method including the rest of the restrictions, to test that it's worked i've just echoed $message at the end and checked the file has been uploaded.
 
[Sniper][Wolf] said:
I did get it working in the end, well the file types anyway, i just need to work on the rest of the switch case method including the rest of the restrictions, to test that it's worked i've just echoed $message at the end and checked the file has been uploaded.

take a look at the link you just quoted. i posted the full version of the script i did. does the whole thumbnail creation, more image types, displays all the uploaded images, allows you to delete etc....
 
marc2003 said:
take a look at the link you just quoted. i posted the full version of the script i did. does the whole thumbnail creation, more image types, displays all the uploaded images, allows you to delete etc....


I'll have a look at it, thanks for posting it, I'll probably get it working, and try and analyse the code, so i can see how it works, i wanted to try and make one on my own so i learn how to do it, not making a good job of it though :rolleyes:
 
marc2003 said:
interesting. what's the worst case scenario for someone spoofing the mime type? i'm genuinely curious as i've only recently started messing about with php.

btw the code i linked to in my previous post is using php's imagecreatefrom..... functions so if the script is unable to create a valid image resource, the file doesn't get uploaded. hopefully that should be safe enough? :)

In the simple script you posted you could easily fool it into uploading myimage.php.jpg (a php script) whilst spoofing the mime type. Since apache is a bit dumb, it'll parse anything with 'php' in the filename as php - so you'd be vulnerable to people uploading and running their own scripts on your server for starters :)

Your script that uses imagecreatefrom..., as you said, is better as it fails if it can't create a resource. As a side note, you'll probably want to strip out '.'s when you generate the target file path. You could alter where your script attempted to write files to quite easily (move_uploaded_file($tmp_path, '/some/directory/my../../uploaded/file.jpg')... oops ;))
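
The two points raised in the post above (the browser-sent MIME type can be faked, and the target path should not be built from user-supplied names), as an added example that is not code from this thread. The function name `safe_upload_target`, the allowed-type map, the form field name and the upload directory are assumptions.

```php
<?php
// Added example; safe_upload_target, ALLOWED_TYPES and /var/www/uploads are hypothetical names.

// Content-detected types mapped to the extension the server will assign.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Decide where an uploaded file may be stored, or return null to reject it.
 * Neither $_FILES[...]['type'] nor $_FILES[...]['name'] is consulted:
 * both are supplied by the client.
 */
function safe_upload_target(string $tmpPath, string $uploadDir): ?string
{
    // Detect the type from the file's own bytes, not from the request headers.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // A crafted file can still carry an image header, so the defence against
    // execution is the server-generated name: one extension, chosen here,
    // with no user-controlled dots or slashes (no "x.php.jpg", no "../").
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    return rtrim($uploadDir, '/') . '/' . $name;
}

// Constructed sample inputs standing in for $_FILES['upload']['tmp_name'].
$dir  = sys_get_temp_dir();
$fake = tempnam($dir, 'up');  // a script a client would label "myimage.php.jpg", image/jpeg
file_put_contents($fake, '<?php echo "not an image"; ?>');
$gif  = tempnam($dir, 'up');  // a minimal 1x1 GIF
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

var_dump(safe_upload_target($fake, '/var/www/uploads'));  // the disguised script
var_dump(safe_upload_target($gif, '/var/www/uploads'));   // the real image
unlink($fake);
unlink($gif);

// In a real handler, only when the result is not null:
// move_uploaded_file($_FILES['upload']['tmp_name'], $target);
```

Re-encoding the image with the imagecreatefrom... functions, as mentioned in the thread, can be layered on top of this to discard any non-image bytes that follow a valid header.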
 
isset said:
As a side note, you'll probably want to strip out '.'s when you generate the target file path. You could alter where your script attempted to write files to quite easily (move_uploaded_file($tmp_path, '/some/directory/my../../uploaded/file.jpg')... oops ;))

:confused: sorry i'm lost again. i don't know what you mean..... :o
 