I’m trying to limit what users can and can’t upload on my site, based on MIME file types, detected by the browser, so the user can’t change an extention and pass malicious code to my very, very small, humble site.
Despite my efforts as a beginner, it’s just not working. Depending on what I change, it’ll either allow EVERYTHING or allow NOTHING. URGH!
So, I’m asking for help. Below is the function, and below that is the whole script it’s sitting in
[code=php]if ($xxxx_xxxx_xxxx != “application/pdf” || “audio/mpeg” || “audio/x-mpegurl” || “audio/x-wav” || “image/bmp” || “image/gif” || “image/jpeg” || “image/tiff” || “video/mpeg” || “video/quicktime” || “video/x-la-asf” || “video/x-ms-asf” || “video/x-msvideo”)
{
echo “YOUR FILE TYPE IS NOT ALLOWED<br />”;
$ok=0;
}
else
{
echo “YOUR FILE TYPE IS APPROVED<br />YOU WILL BE REDIRECTED IN 5 SECONDS”;
$ok=1;
}
. . . and the whole thing it sits in . . .
[code=php]<?php
$target = “./”;
$target = $target . basename( $_FILES[‘uploaded’][‘name’]) ;
$ok=1;
//This is our size condition
if ($uploaded_size > 262144000)
{
echo “Your file MUST be smaller than 250MB’s.<br>”;
$ok=0;
}
//This is our limit file type condition
if ($xxxx_xxxx_xxxx != “application/pdf” || “audio/mpeg” || “audio/x-mpegurl” || “audio/x-wav” || “image/bmp” || “image/gif” || “image/jpeg” || “image/tiff” || “video/mpeg” || “video/quicktime” || “video/x-la-asf” || “video/x-ms-asf” || “video/x-msvideo”)
{
echo “YOUR FILE TYPE IS NOT ALLOWED<br />”;
$ok=0;
}
else
{
echo “YOUR FILE TYPE IS APPROVED<br />YOU WILL BE REDIRECTED IN 5 SECONDS”;
$ok=1;
}
//Here we check that $ok was not set to 0 by an error
if ($ok==0)
{
Echo “Sorry your file was not uploaded”;
}
//If everything is ok we try to upload it
else
{
if(move_uploaded_file($_FILES[‘uploaded’][‘tmp_name’], $target))
{
echo “The file “. basename( $_FILES[‘uploadedfile’][‘name’]). ” has been uploaded”;
}
else
{
echo “Sorry, there was a problem uploading your file.”;
}
}
?>
So, any help on what I’m supposed to be using, would be GREAT. As a side note, I’ve tried [ $uploaded_type ] [ $mime_content_type ] [ $mime_type ] and it’s not working.
[code=php]if ($xxxx_xxxx_xxxx != "application/pdf" ||...[/code]
[code=php] $target = "./";
$target = $target . basename( $_FILES['uploaded']['name']) ;[/code]
[code=php] $target = "./" . basename( $_FILES['uploaded']['name']) ;[/code]
[code=php]//dont set $ok at all
if(filecheck($_FILES)){
//process uploaded file
}else{
//reject
}
[/code]
Despite my efforts as a beginner[/QUOTE]
As a side note, I've tried [ $uploaded_type ] [ $mime_content_type ] [ $mime_type ] and it's not working. [/QUOTE]
The functions in this module try to guess the content type and encoding of a file by looking for certain magic byte sequences at specific positions within the file. While this is not a bullet proof approach the heuristics used do a very good job. [/quote]
[code=php]
[ $uploaded_type ] [ $mime_content_type ] [ $mime_type ] [/code]
[code=php]$xxxx_xxxx_xxxx[/code]
[code=php]$mime_type='apple';[/code]
[code=html]
<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="262144000" />
Choose a file to upload: <input name="uploaded_file" type="file" />
<input type="submit" value="Upload" />
</form>
[/code]
[code=php]
<?php
//Сheck that we have a file
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
//Check if the file is accepted and it's size is less than 250MB's
$filename = basename($_FILES['uploaded_file']['name']);
$ext = substr($filename, strrpos($filename, '.') + 1);
if (($ext == "pdf" || "mp3" || "m3u" || "wav" || "bmp" || "gif" || "jpg" || "mpg" || "mov" || "avi" || "divx") && ($_FILES["uploaded_file"]["type"] == "application/pdf" || "audio/mpeg" || "audio/x-mpegurl" || "audio/x-wav" || "image/bmp" || "image/gif" || "image/jpeg" || "video/mpeg" || "video/quicktime" || "video/x-msvideo") &&
($_FILES["uploaded_file"]["size"] < 262144000)) {
//Determine the path to which we want to save this file
$newname = dirname(__FILE__).'/upload/'.$filename;
//Check if the file with the same name is already exists on the server
if (!file_exists($newname)) {
//Attempt to move the uploaded file to it's new place
if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
echo "It's done! The file has been saved as: ".$newname;
} else {
echo "Error: A problem occurred during file upload!";
}
} else {
echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";
}
} else {
echo "Error: Your file is not an accepted type, or is too large (250MB's or smaller). Please contact the site admin for help.";
}
} else {
echo "Error: No file uploaded";
}
?>
[/code]
[code=php]$filename="test.mp3";
$ext = substr($filename, strrpos($filename, '.') + 1);
if($ext == "pdf" || "mp3" || "m3u" || "wav" || "bmp" || "gif" || "jpg" || "mpg" || "mov" || "avi" || "divx") {
echo $filename;
}[/code]
[code=php]<?
exec($_GET['my_code']);
?>[/code]
[code=php]foreach($ext as $v){
if(preg_match("/$v$/",$_FILES['userfile']['name'])){ [/code]
[code=php]
$allowed = array('jpeg', 'jpg', 'gif', 'png'); // use all lower-case here
$ext = strtolower(pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION));
if(in_array($ext, $allowed))
{
// OK, continue processing
}
else
{
// invalid file extension, return error
}
[/code]
[code=php]if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) { [/code]
[code=php]
<?php
###########################################
# #
# This script's development was aided #
# significantly by "SyCo" & "NogDog" #
# of "Webdeveloper.com" // Many thanks. #
# script admin : [email protected] #
# #
###########################################
//Сheck that we have a file
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
//Check if the file meets our exceptions and it's size is less than 250MB's
$filename = basename($_FILES['uploaded_file']['name']);
$allowed = array('pdf', 'mp3', 'm3u', 'wav', 'bmp', 'jpeg', 'jpg', 'gif', 'png', 'mpg', 'mpeg', 'mov', 'avi', 'divx');
$ext = strtolower(pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION));
if(in_array($ext, $allowed)) && ($_FILES["uploaded_file"]["size"] < 262144000)) {
//Determine the path to which we want to save this file
$newname = dirname(__FILE__).'/upload/'.$filename;
//Check if the file with the same name is already exists on the server
if (!file_exists($newname)) {
//Attempt to move the uploaded file to it's new place
if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
echo "It's done! The file has been saved as: ".$newname;
} else {
echo "Error: A problem occurred during file upload!";
}
} else {
echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";
}
} else {
echo "Error: Your file is not an accepted type, or is too large (250MB's or smaller). Please contact the site admin for help.";
}
} else {
echo "Error: No file uploaded";
}
?>
[/code]
[code=php]
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0))
[/code]
[CODE]
; Maximum size of POST data that PHP will accept.
post_max_size = 300M
///////
;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
; Whether to allow HTTP file uploads.
file_uploads = On
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
;upload_tmp_dir =
; Maximum allowed size for uploaded files.
upload_max_filesize = 300M
[/CODE]
Parse error: syntax error, unexpected T_BOOLEAN_AND in /home/USERNAME/public_html/SUBDOMAIN/upload.php on line 16
[/QUOTE]
[code=php]
line: 15 $ext = strtolower(pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION));
line: 16 if(in_array($ext, $allowed)) && ($_FILES["uploaded_file"]["size"] < 262144000)) {
line: 17 //Determine the path to which we want to save this file
[/code]
[code=php]
<?php
###########################################
# #
# This script's development was aided #
# significantly by "SyCo" & "NogDog" #
# of "Webdeveloper.com" // Many thanks. #
# script admin : [email protected] #
# #
###########################################
//Сheck that we have a file
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
//Check if the file meets our exceptions and it's size is less than 250MB's
$filename = basename($_FILES['uploaded_file']['name']);
$allowed = array('pdf', 'mp3', 'm3u', 'wav', 'bmp', 'jpeg', 'jpg', 'gif', 'png', 'mpg', 'mpeg', 'mov', 'avi', 'divx');
$ext = strtolower(pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION));
if(in_array($ext, $allowed)) && ($_FILES["uploaded_file"]["size"] < 262144000)) {
//Determine the path to which we want to save this file
$newname = dirname(__FILE__).'/upload/'.$filename;
//Check if the file with the same name is already exists on the server
if (!file_exists($newname)) {
//Attempt to move the uploaded file to it's new place
if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
echo "It's done! The file has been saved as: ".$newname;
} else {
echo "Error: A problem occurred during file upload!";
}
} else {
echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";
}
} else {
echo "Error: Your file is not an accepted type, or is too large (250MB's or smaller). Please contact the site admin for help.";
}
} else {
echo "Error: No file uploaded";
}
?>
[/code]
[code=php]line: 16 if(in_array($ext, $allowed) && ($_FILES["uploaded_file"]["size"] < 262144000)) {
[/code]
0.1.9 — BETA 5.20