Image upload php script.

Bob
Hello everyone !!!
I have a very neat script to download files to the server, the problem is
that it uploads all kind of files, txt, exe, zip,
you name it. I have been trying to add some code but still can't get it to
work. What I would like the script to do is only to allow the jpg, jpeg,
bmp, gif files to be downloaded. Can anyone give me a hand?
Thanks in Advance, Bob.
This is the script:
<form name="upload" enctype="multipart/form-data" method="post" action="">
<input type="file" name="file" />
<br /><input type="submit" name="submit" value="Upload" />
</form>

<?php

if (isset($_POST['submit'])) {

    $dir = "files/"; // Upload directory
    $error = ""; // Setting a false error
    $address = "http://" . $_SERVER['HTTP_HOST'] . "/"; // Getting the web address
    $file_name = $_FILES['file']['name']; // Getting the file name (as sent by the browser)
    $file_type = $_FILES['file']['type']; // Getting the file type (as sent by the browser)
    $file_size = $_FILES['file']['size'] . " bytes"; // Getting the file size
    $file_tmp = $_FILES['file']['tmp_name']; // Setting the temporary name
    $file_address = $address . $dir . $file_name; // URL of file

    if (file_exists($dir . $file_name)) {
        $error = "<br />Error: A file with the same name already exists!";
    }

    else {
        @copy($file_tmp, $dir . $file_name) or ($error = "<br />Error: File could not be copied!");
    }

    if ($error != "") {
        echo $error;
    }

    else {
        echo "<br />File successfully uploaded!\n";
        echo "<br />Name: " . $file_name . "\n";
        echo "<br />Size: " . $file_size . "\n";
        echo "<br />Type: " . $file_type . "\n";
        echo "<br />URL: " . $file_address;
    }
}
?>
Jun 11 '07 #1
At Mon, 11 Jun 2007 05:02:40 +0000, Bob let h(is|er) monkeys type:
Hello everyone !!!
I have a very neat script to download files to the server, the problem is
that it uploads all kind of files, txt, exe, zip,
you name it. I have been trying to add some code but still can't get it to
work. What I would like the script to do is only to allow the jpg, jpeg,
bmp, gif files to be downloaded. Can anyone give me a hand?
Thanks in Advance, Bob.
You'll have to test for extension first, and then assert what's sent
actually is what it claims to be. A safe way would be to apply the
appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
gd library.

There are scripts that 'simply' check exif data, or gif headers and such
to assert valid pictures are sent, but it's not foolproof, in fact it's
quite easy to abuse an image container to send any data to the server.

Additionally, to have some prevention before the form is submitted, a
little javascript could check for the proper extension in the form page.
But you can never rely on that test.

Does that help in any way?
--
Schraalhans Keukenmeester - sc*********@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

Jun 11 '07 #2
Schraalhans Keukenmeester wrote:
At Mon, 11 Jun 2007 05:02:40 +0000, Bob let h(is|er) monkeys type:
>Hello everyone !!!
I have a very neat script to download files to the server, the problem is
that it uploads all kind of files, txt, exe, zip,
you name it. I have been trying to add some code but still can't get it to
work. What I would like the script to do is only to allow the jpg, jpeg,
bmp, gif files to be downloaded. Can anyone give me a hand?

You'll have to test for extension first, and then assert what's sent
actually is what it claims to be. A safe way would be to apply the
appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
gd library.
Much better way imho is to use getimagesize
(http://pl2.php.net/manual/en/function.getimagesize.php)
to check if it's a valid image file.

Additionally you can check the extension of the uploaded file.

--
Wiktor Walc
http://phpfreelancer.net
Jun 11 '07 #3
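Putting the advice of posts #2 and #3 together (extension allowlist first, then getimagesize() on the received file, then the matching imagecreatefrom* decoder from GD), the following is an added example of a hardened version of the upload handler. It is not code from the thread or from Bob's script. It assumes the same "file" form field and "files/" directory as Bob's script, a loaded GD extension, and a 2 MB size cap (a constructed value); PNG is included alongside Bob's four formats to show that the allowlist generalises.

```php
<?php
// Added example (not Bob's script or the thread's own code): an upload
// handler that applies the checks suggested in posts #2 and #3.
// Assumptions: form field "file", directory "files/", GD loaded.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/files/';
const MAX_BYTES  = 2 * 1024 * 1024;   // constructed size cap

// Allowed extension => [IMAGETYPE_* constant, GD decoder function name].
// Only keys of this table may be uploaded; everything else is rejected.
const ALLOWED = [
    'jpg'  => [IMAGETYPE_JPEG, 'imagecreatefromjpeg'],
    'jpeg' => [IMAGETYPE_JPEG, 'imagecreatefromjpeg'],
    'gif'  => [IMAGETYPE_GIF,  'imagecreatefromgif'],
    'bmp'  => [IMAGETYPE_BMP,  'imagecreatefrombmp'],   // needs PHP >= 7.2
    'png'  => [IMAGETYPE_PNG,  'imagecreatefrompng'],
];

/**
 * Validate one entry of $_FILES and return the server-side name it was
 * stored under, or throw a RuntimeException with a user-safe message.
 */
function storeImageUpload(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code ' . (int) $upload['error'] . ').');
    }
    // Only ever touch the file PHP itself received on this request.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // 1. Extension test first (cheap). The browser-supplied name is used only
    //    to pick the expected format; it is never reused as the stored name.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Only jpg, jpeg, gif, bmp and png are accepted.');
    }
    [$expectedType, $decoder] = ALLOWED[$ext];

    // 2. Header check with getimagesize(). It returns false for non-images
    //    and may raise E_WARNING (as the manual says), hence the @.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || $info[2] !== $expectedType) {
        throw new RuntimeException('File content does not match its extension.');
    }

    // 3. Full decode with the GD function matching the extension. A file that
    //    merely carries a plausible header but no decodable image fails here.
    $img = @$decoder($upload['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    imagedestroy($img);

    // 4. Store under a random, server-chosen name whose extension comes from
    //    the allowlist key, so the client never controls the final file name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($upload['tmp_name'], UPLOAD_DIR . $stored)) {
        throw new RuntimeException('File could not be stored.');
    }
    return $stored;
}

if (isset($_POST['submit'], $_FILES['file'])) {
    try {
        $name = storeImageUpload($_FILES['file']);
        echo '<br />File successfully uploaded as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        echo '<br />Error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The order of the checks matters: the extension lookup costs nothing, getimagesize() only reads headers, and the GD decode (the most expensive step, and the one that catches a file with a valid header but no real image) runs last and only on files that already passed the first two. The stored name is generated server-side and echoed through htmlspecialchars(), so neither the file name nor the browser-supplied MIME type from $_FILES is ever trusted for storage or output.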
At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:
Schraalhans Keukenmeester wrote:
>You'll have to test for extension first, and then assert what's sent
actually is what it claims to be. A safe way would be to apply the
appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
gd library.

Much better way imho is to use getimagesize
(http://pl2.php.net/manual/en/function.getimagesize.php)
to check if it's a valid image file.

Additionally you can check the extension of the uploaded file.
I haven't been able to test if the getimagesize() function can be fooled
easily. If not, it's probably quicker than using imagecreatefromFORMAT()
and therefore a better choice indeed. Great suggestion, it's the PHP manual
suggested way of checking for valid images I noticed. It doesn't give much
explanation though.
--
Schraalhans Keukenmeester - sc*********@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

Jun 11 '07 #4
This link says a bit more about this function:

http://www.phpfreaks.com/phpmanual/p...imagesize.html

This seems to be the key (from that page):

"If accessing the filename image is impossible, or if it isn't a valid
picture, getimagesize() will return FALSE and generate an error of
level E_WARNING."

--Kenoli

On Jun 11, 8:46 am, Schraalhans Keukenmeester
<Schraalh...@the.spamtrapexample.nl> wrote:
At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:
Schraalhans Keukenmeester wrote:
You'll have to test for extension first, and then assert what's sent
actually is what it claims to be. A safe way would be to apply the
appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
gd library.
Much better way imho is to use getimagesize
(http://pl2.php.net/manual/en/function.getimagesize.php)
to check if it's a valid image file.
Additionally you can check the extension of the uploaded file.

I haven't been able to test if the getimagesize() function can be fooled
easily. If not, it's probably quicker than using imagecreatefromFORMAT()
and therefore a better choice indeed. Great suggestion, it's the PHP manual
suggested way of checking for valid images I noticed. It doesn't give much
explanation though.

--
Schraalhans Keukenmeester - schraalh...@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

Jun 11 '07 #5
At Mon, 11 Jun 2007 09:24:44 -0700, Kenoli let h(is|er) monkeys type:
This link says a bit more about this function:

http://www.phpfreaks.com/phpmanual/p...imagesize.html

This seems to be the key (from that page):

"If accessing the filename image is impossible, or if it isn't a valid
picture, getimagesize() will return FALSE and generate an error of
level E_WARNING."

--Kenoli
Thanks for the update. I did see that indeed, but I'd hoped there would be
some expansion on what -according to the authors/developers- constitutes
'a valid picture'. I know I can bake a GIF file with no image but having a
valid header according to some scripts at least. Don't know enough about
other popular formats though.

Whether or not a theoretically harmful binary string disguised as an image
could wreak havoc on the server, or -more likely- on other people's pc
after downloading such an 'image' is another matter of course.
Jun 11 '07 #6

Just an info - I have had problems with using GetImageSize on large files
(videos). It was sloooooow (~1s per call). So do be careful.

Do you care if the file is really an image or it contains some other data
too? There is no way to prevent embedding the data in an image against a
skillful hacker.

It is however important that the extension is correct (or someone could
upload for instance a .php file and then execute it) and that you can create
a thumbnail from it (getImageFromXXX) if you need to.

Best,

Anze

Kenoli wrote:
This link says a bit more about this function:

http://www.phpfreaks.com/phpmanual/p...imagesize.html

This seems to be the key (from that page):

"If accessing the filename image is impossible, or if it isn't a valid
picture, getimagesize() will return FALSE and generate an error of
level E_WARNING."

--Kenoli

On Jun 11, 8:46 am, Schraalhans Keukenmeester
<Schraalh...@the.spamtrapexample.nl> wrote:
>At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:
Schraalhans Keukenmeester wrote:
You'll have to test for extension first, and then assert what's sent
actually is what it claims to be. A safe way would be to apply the
appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by
the gd library.
Much better way imho is to use getimagesize
(http://pl2.php.net/manual/en/function.getimagesize.php)
to check if it's a valid image file.
Additionally you can check the extension of the uploaded file.

I haven't been able to test if the getimagesize() function can be fooled
easily. If not, it's probably quicker than using imagecreatefromFORMAT()
and therefore a better choice indeed. Great suggestion, it's the PHP
manual suggested way of checking for valid images I noticed. It doesn't
give much explanation though.

--
Schraalhans Keukenmeester - schraalh...@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"
Jun 18 '07 #7
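Anze's post raises three points that the earlier validation discussion does not cover: getimagesize() is slow on large inputs, the stored extension (not the uploaded one) decides whether the web server will ever execute the file, and a thumbnail is something you will want to generate anyway. Post #6 adds that an image container can carry arbitrary other data. The following added example (not code from the thread) addresses all of them with one GD routine: it refuses oversized sources before calling getimagesize(), picks the decoder from the detected type rather than the file name, and writes a fresh JPEG rendered from the decoded pixels, so none of the original file's bytes (EXIF, trailing data, anything stuffed into the container) survive into the derivative. It assumes GD with JPEG and PNG support; the size cap, thumbnail box and temporary paths are constructed values.

```php
<?php
// Added example (not from the thread): re-encode a validated upload into
// a fresh JPEG thumbnail with GD. Assumes GD with JPEG/PNG support;
// all sizes and paths below are constructed values.

declare(strict_types=1);

const THUMB_MAX_WIDTH  = 200;
const THUMB_MAX_HEIGHT = 200;
const THUMB_SOURCE_CAP = 2 * 1024 * 1024;   // bytes; refuse before the slow calls

/**
 * Decode $source, scale it to fit the thumbnail box and write it as a new
 * JPEG at $dest. Returns [width, height] of the thumbnail, or throws.
 */
function makeThumbnail(string $source, string $dest): array
{
    // Cheap filesize() check first: getimagesize() and the decoders can be
    // slow on large inputs (the ~1 s per call reported in the thread).
    $size = filesize($source);
    if ($size === false || $size > THUMB_SOURCE_CAP) {
        throw new RuntimeException('Source too large for thumbnailing.');
    }

    $info = @getimagesize($source);   // false (+ E_WARNING) if not an image
    if ($info === false) {
        throw new RuntimeException('Not a recognised image.');
    }
    [$w, $h, $type] = $info;

    // Pick the decoder from the detected type, never from the file name.
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
        IMAGETYPE_BMP  => 'imagecreatefrombmp',   // PHP >= 7.2
    ];
    if (!isset($decoders[$type])) {
        throw new RuntimeException('Unsupported image type.');
    }
    $decode = $decoders[$type];
    $src = @$decode($source);
    if ($src === false) {
        throw new RuntimeException('Image could not be decoded.');
    }

    // Scale to fit, preserving aspect ratio; never enlarge.
    $scale = min(1.0, THUMB_MAX_WIDTH / $w, THUMB_MAX_HEIGHT / $h);
    $tw = max(1, (int) floor($w * $scale));
    $th = max(1, (int) floor($h * $scale));

    $dst = imagecreatetruecolor($tw, $th);
    imagefill($dst, 0, 0, imagecolorallocate($dst, 255, 255, 255)); // white under transparency
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $tw, $th, $w, $h);

    // Fresh encode: the output holds only the pixels GD rendered plus the
    // JPEG structure GD wrote, nothing copied from the source file.
    if (!imagejpeg($dst, $dest, 85)) {
        throw new RuntimeException('Thumbnail could not be written.');
    }
    imagedestroy($src);
    imagedestroy($dst);
    return [$tw, $th];
}

// Usage: a self-contained run that builds a constructed 640x480 PNG in the
// temp directory, so the example works without a real upload.
$tmpSrc = sys_get_temp_dir() . '/constructed-source.png';
$canvas = imagecreatetruecolor(640, 480);
imagefill($canvas, 0, 0, imagecolorallocate($canvas, 30, 120, 200));
imagepng($canvas, $tmpSrc);
imagedestroy($canvas);

$thumb = sys_get_temp_dir() . '/constructed-thumb.jpg';
[$tw, $th] = makeThumbnail($tmpSrc, $thumb);
echo "thumbnail {$tw}x{$th} written to {$thumb}\n";
```

With the constructed 640x480 source the scale factor is min(1, 200/640, 200/480) = 0.3125, so the thumbnail comes out at 200x150. The thumbnail always ends in .jpg and its name is chosen by the server, which is the point Anze makes about extensions: whatever the uploaded file was called, nothing in the served directory carries an extension the web server would hand to the PHP interpreter. Keep the original upload (if it is retained at all) under the same discipline: server-chosen name, allowlisted extension, in a directory where script execution is disabled.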
