PHP Upload script for ZIP/SIT files

New Here, Oct 04, 2008
Hi,

I'm trying to locate a decent script that would allow clients to upload files to a Web site that I am working on. I found a basic one that works at www.w3schools.com/PHP/php_file_upload.asp. However, it lacks the capabilities to upload zip and sit files. Could I modify the existing script that I just mentioned? Unfortunately, I am not very PHP savvy. I have been Googling for such a script but have not found one yet. I hope someone could recommend a decent script. Thanks.
TOPICS
Server side applications
LEGEND, Oct 04, 2008
Carlton Chin posted in macromedia.dreamweaver.appdev:

> Hi,

Howdy

> I'm trying to locate a decent script that would allow clients to
> upload files to a Web site that I am working on. I found a basic
> one that works at www.w3schools.com/PHP/php_file_upload.asp.
> However, it lack the capabilities to upload zip and sit files.
> Could I modify the existing script that I just mentioned?

The ticket is where the script is checking $_FILES["file"]["type"].
See http://www.w3schools.com/media/media_mimeref.asp

If you only want to allow zip/sit, try changing this:

<?php
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 20000))
{

to this:

<?php
if ((($_FILES["file"]["type"] == "application/zip")
|| ($_FILES["file"]["type"] == "application/x-stuffit")))
{

Depending on who your visitors are, you might want to include gzip,
tar, lha or other compressed formats.


--
Mark A. Boyd
Keep-On-Learnin' :)
LEGEND, Oct 04, 2008
.oO(Mark A. Boyd)

>Carlton Chin posted in macromedia.dreamweaver.appdev:
>
>> I'm trying to locate a decent script that would allow clients to
>> upload files to a Web site that I am working on. I found a basic
>> one that works at www.w3schools.com/PHP/php_file_upload.asp.
>> However, it lack the capabilities to upload zip and sit files.
>> Could I modify the existing script that I just mentioned?
>
>The ticket is where the script is checking $_FILES["file"]["type"].
>See http://www.w3schools.com/media/media_mimeref.asp
>
>If you only want to allow zip/sit, try changing this:
>
><?php
>if ((($_FILES["file"]["type"] == "image/gif")
>|| ($_FILES["file"]["type"] == "image/jpeg")
>|| ($_FILES["file"]["type"] == "image/pjpeg"))
>&& ($_FILES["file"]["size"] < 20000))

Be careful. This information can be faked or might not be available at
all. I can easily upload a PHP script as "image/jpeg". If the file ends
up in a public directory within the document root, I can execute it and
then have a look at the entire server ...

Relying on the content type or file extension is a huge security hole!
I'm quite surprised that W3Schools publishes such an insecure script.

To make sure that an uploaded file is really of the type you expect, you
must look at its content! For images you can use getimagesize(), which
will also return the type if it's a valid image. For other types you
have to use other libs or external tools. On a *nix machine you could
execute the shell command 'file' for example, which recognizes quite a
lot of different file types.

Micha
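The advice in the reply above (inspect the content, not the client-supplied Content-Type or extension) put into a complete upload handler. This is an added example, not code from the thread, from W3Schools or from class.upload.php. It assumes the form field is named "file", that PHP's fileinfo extension (the libmagic database that the `file` command also uses) is available, a hypothetical storage directory UPLOAD_DIR that lies outside the document root, and the StuffIt signatures ("StuffIt (c)1997" at offset 0 for StuffIt 5, "SIT!" at offset 10 for classic archives) as an assumption about that format; the ZIP local-file-header signature is standard.

```php
<?php
// Added example: validate an upload by its bytes, then store it under a
// server-chosen name outside the document root. Not the thread's own code.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // hypothetical; must NOT be web-served
const MAX_BYTES  = 20 * 1024 * 1024;     // assumed 20 MiB limit

// Which libmagic MIME types we accept, and the extension we will give them.
const ALLOWED = ['application/zip' => 'zip', 'application/x-stuffit' => 'sit'];

// Independent magic-number check on the first bytes of the file.
// Returns 'zip', 'sit' or null; never looks at the client-supplied name/type.
function sniffArchiveType(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 16);
    fclose($fh);
    if ($head === false || strlen($head) < 14) {
        return null;
    }
    if (substr($head, 0, 4) === "PK\x03\x04") {          // ZIP local file header
        return 'zip';
    }
    if (substr($head, 0, 15) === 'StuffIt (c)1997'        // StuffIt 5 (assumed)
        || substr($head, 10, 4) === 'SIT!') {             // classic StuffIt (assumed)
        return 'sit';
    }
    return null;
}

// Returns [true, extension] on success or [false, reason] on rejection.
function validateUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed with error code ' . (int) $file['error']];
    }
    // Only accept a temp file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // $_FILES['file']['type'] is ignored entirely: libmagic decides, and the
    // magic-number check must agree with it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($file['tmp_name']);
    $kind  = sniffArchiveType($file['tmp_name']);
    if (isset(ALLOWED[$mime]) && ALLOWED[$mime] === $kind) {
        return [true, $kind];
    }
    return [false, "rejected: content detected as '$mime'"];
}

function storeUpload(array $file): string
{
    [$ok, $info] = validateUpload($file);
    if (!$ok) {
        throw new RuntimeException($info);
    }
    // Server-chosen name: never reuse $file['name'], which the client controls
    // and may carry path separators or an executable extension such as .php.
    $name = bin2hex(random_bytes(16)) . '.' . $info;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    try {
        $stored = storeUpload($_FILES['file']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two design points are worth stating. First, the magic-number check is a substitute for shelling out to `file`: finfo gives the same answer in-process, so no user-influenced data ever reaches a shell. Second, the check only decides what you accept; where the file lands decides whether it can ever run. A file can start with a valid ZIP header and still carry an embedded `<?php` tag, so uploads are kept outside the document root with no execute bit and handed back through a download script rather than a direct URL.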
LEGEND, Oct 04, 2008
Michael Fesser posted in macromedia.dreamweaver.appdev:

> Be careful. These informations can be faked or might not be
> available at all. I can easily upload a PHP script as
> "image/jpeg". If the file ends up in a public directory within the
> document root, I can execute it and then have a look at the entire
> server ...
>
> Relying on the content type or file extension is a huge security
> hole! I'm quite surprised that W3Schools publishes such an
> insecure script.
>
> To make sure that an uploaded file is really of the type you
> expect, you must look at its content! For images you can use
> getimagesize(), which will also return the type if it's a valid
> image. For other types you have to use other libs or external
> tools. On a *nix machine you could execute the shell command
> 'file' for example, which recognizes quite a lot of different file
> types.

Very good advice!


--
Mark A. Boyd
Keep-On-Learnin' :)
New Here, Oct 08, 2008
Thanks everyone for your responses. Good point about the security issue.

Hmm. I was comparing another php script I found, class.upload.php. It definitely is more complex (www.verot.net/php_class_upload.htm).

I tried it and it seems to work well as far as the upload features go. Not sure how good or if I really need the image re-sizing option.

There are two php scripts that are dependent on each other (upload.php and class.upload.php). What I am trying to figure out is that when I upload an image file using this script, it also creates a duplicate file in the destination folder. It does not happen with other file types. Seems redundant. Also, it generates a test page (class.upload.php test forms) showing the results of the operation. It also duplicates the upload success/failure message at the top of the form. Also seems redundant. Perhaps the author has a purpose for this.

Can someone give me their opinion about this script? Thanks.

Sorry, I tried to attach the script but it could not find the original thread???!!!
Please see www.verot.net/php_class_upload.htm