shadowayex

Uploading Form, what do I need?


I want to add a file uploading system to my site, so users can upload videos and pictures. I've worked with PHP quite a bit and know how to structure things, I just need to know functions that I'll need to use.

First I need to know how to build the form. I've built many forms before, so more specifically I need to know how to work a browse button and what not. Then a check to make sure that it's an existing file when the user submits.

I've used forms a lot, and have done minor security, but I need to have something that will restrict file types (i.e. only JPEG, GIF, and PNG images allowed and only MPEG, AVI, or WMV videos allowed).

Next I need to know how I can work it so my server's virus scanner will check the file as it comes in, if possible. If not, I need a way to make sure the file isn't a virus or isn't infected. And if it is infected, I want it to be cleaned if possible, or blocked/deleted if not.

Lastly, I don't think it will be a problem at first, but eventually I'll want to restrict file sizes and everything. I figured for a while any size will be fine. It's just once the server's memory is starting to get a little full that I'll want to start watching file sizes.

Then (something I've never done) how do I save it to a specific folder, and if that folder does not exist, create it then save it to the folder?

I know that this is a lot and I'll probably start off by making a form that doesn't actually check anything to make sure that works, then start adding the security when I get ready to release it. But it'd be nice to know what to use, so I can go right in to figuring out how to use it.


Alright so I've been fooling around and I've made a working form, uploads where I want it to, and I've restricted what file types can be uploaded. But I have yet to figure out how this field works:

<input type="hidden" name="MAX_FILE_SIZE" value="30000" />

No matter what I change it to, the file I'm testing goes through. I even changed it to 1 and it still went through. How do I work that?


It's going to upload, but you should be able to check in the error field for the file to see an error that the file was larger than that field setting.


Oh. Couldn't I just theoretically block the files that are too big the same way I blocked the file types that aren't acceptable and give the users a warning that if the file is too big, the time they wait for the large files to be uploaded will be in vain? Or is there a method to check the file specs BEFORE the upload itself and then proceed or stop as necessary?


You can't tell anything about the upload before it happens using PHP. You can put a message on the page showing what the max filesizes are (there's one in php.ini also). But after the file uploads you check $_FILES['file']['error'] and see what the error was, if anything. The list of values for the error code is in the manual.
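The checks discussed so far (the error code in $_FILES, a size limit, an extension allowlist, and creating the upload folder on first use) fit together in one handler. The following is an added example, not code from this thread or from the poster; it assumes PHP 7 or later, a form field named "userfile", an "uploads/" folder under the script, and a 2 MiB limit that is an arbitrary choice. It also checks the file content with finfo rather than trusting $_FILES['userfile']['type'], since that value is sent by the browser and can say anything.

```php
<?php
// Added example: server-side validation of one uploaded file.
// Field name "userfile", upload dir "uploads/" and the 2 MiB limit are assumptions.

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB, an assumed limit

// Allowed extensions mapped to the MIME types expected from the file content.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'png'  => ['image/png'],
    'mpg'  => ['video/mpeg'],
    'mpeg' => ['video/mpeg'],
    'avi'  => ['video/x-msvideo', 'video/avi'],
    'wmv'  => ['video/x-ms-wmv', 'video/x-ms-asf'],
];

// Readable text for the $_FILES[...]['error'] codes listed in the PHP manual.
function uploadErrorMessage(int $code): string
{
    switch ($code) {
        case UPLOAD_ERR_OK:         return 'ok';
        case UPLOAD_ERR_INI_SIZE:   return 'larger than upload_max_filesize in php.ini';
        case UPLOAD_ERR_FORM_SIZE:  return 'larger than MAX_FILE_SIZE in the form';
        case UPLOAD_ERR_PARTIAL:    return 'only partially uploaded';
        case UPLOAD_ERR_NO_FILE:    return 'no file was uploaded';
        case UPLOAD_ERR_NO_TMP_DIR: return 'missing temporary folder';
        case UPLOAD_ERR_CANT_WRITE: return 'failed to write to disk';
        case UPLOAD_ERR_EXTENSION:  return 'blocked by a PHP extension';
        default:                    return 'unknown error ' . $code;
    }
}

// Validate one $_FILES entry and move it into $uploadDir.
// Returns the stored path, or throws RuntimeException with the reason.
function acceptUpload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException(uploadErrorMessage($file['error']));
    }
    // Only accept a file that PHP itself received through HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // MAX_FILE_SIZE in the form is advisory; enforce the limit here.
    if ($file['size'] > MAX_UPLOAD_BYTES || filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension allowlist, taken from the client-supplied name (lowercased).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the actual content; the 'type' entry in $_FILES comes from the browser.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Create the destination folder on first use.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // Store under a random server-chosen name so the client name never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

if (isset($_FILES['userfile'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(acceptUpload($_FILES['userfile'], 'uploads/'));
    } catch (RuntimeException $e) {
        echo 'Rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Because the size check runs after the upload has finished, a too-large file still costs the user the transfer time; the form's MAX_FILE_SIZE field and the php.ini limits are the only things that can stop it earlier, and only the php.ini limits are enforced by the server.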


Oh ok. Anyways, is there a way to make it so a virus scanner (preferably the one I have for the server) will check the file before it's moved, then if it's not a virus or isn't infected, it's moved to the uploads file; if it is a virus, it's deleted; if it's infected, the program tries to clean it without harming the file; if it can't be cleaned, delete it. Is that possible?


It depends what your virus scanner lets you do through the command line. You can use the exec or system functions to run shell commands, and parse up the output from the scanner to see what the results were. You can use the eicar test virus to see if it's working.

http://www.eicar.org/anti_virus_test_file.htm


Uh... any tutorials for that :). It's AVG Free 8.0 by the way, if you know what that is and all that. This might be a little off topic, but PHP has a computer programming side to it as well doesn't it? Like what Java and C++ are. I thought I read that somewhere.

And that being said, is what you're saying I can do a part of that? This is out of curiosity and interest.

Anyways, I have no idea what exec or system functions are or how they work. But this will be a great way to learn them.


I'm not sure what you're asking, every Turing-complete language is considered computer programming, the only types of things I don't consider programming are languages like HTML and CSS that aren't even programming languages.

Exec is just a function that lets you run a system command (like from a DOS prompt):

http://www.php.net/manual/en/function.exec.php

The system and passthru functions output the results from the program instead of returning them. If you want to output what the virus scanner says then you can use system or passthru. The AVG website should have a list of the command line options available that will tell you how to run the scanner and how to tell it what file to scan and what action to take.


Well, AVG doesn't seem to have a command line deal on their site and their forums won't let me sign in after I signed up 3 different accounts so I guess I'm stuck. Stupid AVG forums gotta go and be retarded :)


"C:\Program Files\AVG Anti-Virus\avgscanx.exe" /heur /arc /scan="%file%"

That's the command line I need to use. Only problem is I don't know how to get it to point at the specific file being uploaded. The post said "%file%" is one of the different things you put there, it's supposed to depend on the program being used. I'm going to try a little testing to see if that will give me results as is, but I'm doubtful.


That's probably supposed to be the full filename of the file that you want to scan. That name will be part of the $_FILES array, it will be a temporary file. You can scan it before you move the uploaded file to a permanent location.


Ok, well, I tried this:

$test = '"C:\Program Files\AVG Anti-Virus\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\"' . $_FIlES['userfile']['name'];
$test = system($test, $blah);
echo '<br />Test: ' . $test . ' and blah: ' . $blah;

$test doesn't have anything and $blah spits out 1. Not sure what that means, but that's what happens. Is there a certain way I'm supposed to write it?


First, it's better to use exec instead of system in this case. Also, if you haven't moved the file yet then $_FILES['userfile']['name'] isn't going to point to the correct file. $_FILES['userfile']['tmp_name'] contains the name of the actual uploaded file in the temp directory. Try printing that variable out and see what it is, it might contain the full path also. And make sure you capitalize $_FILES.


Ok, well I probably should show you my whole file. I changed it, it now looks like:

upload.php:

<?php
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
$filename = $_FILES['userfile']['name'];
if($_FILES['userfile']['type'] == 'text/plain') {
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        $test = '"C:\Program Files\AVG Anti-Virus\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\\' . $filename . '"';
        $test = exec($test, $array, $report);
        echo 'File was uploaded.';
    } else {
        echo 'File was not uploaded.';
    }
} else {
    echo 'This is not a valid type.';
}
echo '<br />Test: ' . $test;
echo '<br />Array: ' . $array;
echo '<br />Result: ' . $report;
echo '<br /><a href="uploading.php">Back to Upload</a>';
?>

The $test variable is empty, the $array prints Array, and $report prints 1. Not sure what that means.

EDIT: I ran the command "C:\Program Files\AVG Anti-Virus\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\todo.txt." in the Run thing on my computer, and it worked. It just closed before I could see the infection results, which is no big deal because I know that file is clean. But point is, I know that command works at least.


If you type "cmd" in the run box it will open a box that won't close. If you run a single command it closes the box after the command finishes. It would probably be best to print the command you're trying to run and run it on a prompt to see what happens. You don't print an array with echo though, you can either loop through the array and print each element or use print_r or var_dump to print the structure. The third parameter to exec is the return status of the command, 1 probably means it returned normally and didn't crash.


Alright, new file:

<?php
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
$filename = $_FILES['userfile']['name'];
if($_FILES['userfile']['type'] == 'text/plain') {
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        $Test = 'cmd "C:\Program Files\AVG\AVG8\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\todo.txt"';
        $test = exec($Test, $array, $report);
        echo 'File was uploaded.';
    } else {
        echo 'File was not uploaded.';
    }
} else {
    echo 'This is not a valid type.';
}
echo '<br />Test: ' . $Test;
echo '<br />Array: ';
print_r($array);
echo '<br />Result: ' . $report;
echo '<br /><a href="uploading.php">Back to Upload</a>';
?>

New Results:

File was uploaded.
Test: cmd "C:\Program Files\AVG\AVG8\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\todo.txt"
Array: Array ( [0] => Microsoft Windows XP [Version 5.1.2600] [1] => © Copyright 1985-2001 Microsoft Corp. [2] => [3] => C:\wamp\www\www.hugdontmug.com> )
Result: 0

I changed the first test to $Test so I could see what is actually being executed. That's the same line I can put into the Run thing and get the results. Evidently it's going now, and I'm not sure but I think that the result is right, because I found this in one of those command line things:

here are the Return codes...

ERRORLEVEL == 0 /* everything is o.k. */
ERRORLEVEL == 1 /* user cancelled/interrupted test */
ERRORLEVEL == 2 /* any error during the test ? cannot open file etc. */
ERRORLEVEL == 3 /* change identified */
ERRORLEVEL == 4 /* suspicion detected by heuristic analysis */
ERRORLEVEL == 5 /* virus found by heuristic analysis */
ERRORLEVEL == 6 /* specific virus detected */
ERRORLEVEL == 7 /* active virus in memory detected */
ERRORLEVEL == 8 /* AVG corrupted */

Now, if only I could trick it into thinking something is a virus when it's not... hmmm...


Don't add "cmd" to the command to run. If you're in Windows, and you want to see a command prompt to type commands in, then you go to Run and type "cmd". The cmd command opens a command prompt. The return value you're getting is what the command prompt prints when it starts, run the cmd command yourself and see it. I was just saying you could use cmd when you're testing the command so you can see the result without the box closing. But don't include it as a command to run the virus scanner. It looks like you are opening the command prompt and nothing else, the output doesn't have any output from the virus scanner.


I see.... stupid thing. Anyways, if I run "C:\Program Files\AVG\AVG8\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\todo.txt" /clean, out of cmd, I get this as a result:

AVG 8.0 Anti-Virus command line scanner
Copyright © 1992 - 2008 AVG Technologies
Program cersion 8.0.134, engine 8.0.0
Virus Database: Version 270.4.6/1540 2008-07-8
Objects scanned     :    1
Found infections    :    0
Found PUPs          :    0
Healed infections   :    0
Healed PUPs         :    0
Warnings            :    0

But if I have it run from exec(), I get this:

File was uploaded.
Test: "C:\Program Files\AVG\AVG8\avgscanx.exe" /heur /arc /scan="C:\wamp\www\www.hugdontmug.com\uploads\todo.txt" /clean
Array: Array ( )
Result: 1

The only difference in the file is $Test, and I changed it to what you see above. Am I making a really dumb mistake here or is there something unknowingly wrong?


Well, you store the output of the exec() call to $report, but you never output that... you'll want to use a regular expression or the like to extract the different results out.
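Putting the pieces from this thread together (run the scanner with exec before move_uploaded_file, as suggested earlier; read the return status against the ERRORLEVEL table quoted above; pull the numbers out of the "Found infections : 0" style summary lines with a regular expression), here is an added example that is not the poster's code or AVG's. The scanner path and the /heur /arc /scan= options are the ones quoted in the thread; AVG_SCANNER is an assumption for a given install, and escapeshellarg() is used so the file path is quoted rather than pasted raw into the command. It deletes a flagged file instead of attempting /clean, and it treats any nonzero status (including the 1, "user cancelled/interrupted test", with an empty output array reported above) as a reason to reject, so a scanner that did not actually run fails closed.

```php
<?php
// Added example: scan an uploaded file with AVG's command-line scanner before
// moving it. AVG_SCANNER is an assumed path; adjust for your install.

const AVG_SCANNER = 'C:\\Program Files\\AVG\\AVG8\\avgscanx.exe';

// ERRORLEVEL table quoted in this thread.
const AVG_RETURN_CODES = [
    0 => 'everything is o.k.',
    1 => 'user cancelled/interrupted test',
    2 => 'any error during the test - cannot open file etc.',
    3 => 'change identified',
    4 => 'suspicion detected by heuristic analysis',
    5 => 'virus found by heuristic analysis',
    6 => 'specific virus detected',
    7 => 'active virus in memory detected',
    8 => 'AVG corrupted',
];

// Build the command line. escapeshellarg() wraps each part in quotes so a
// crafted file name cannot add options or extra commands.
function buildScanCommand(string $path): string
{
    return escapeshellarg(AVG_SCANNER) . ' /heur /arc /scan=' . escapeshellarg($path);
}

// Parse the "Name : value" summary lines the scanner prints
// (e.g. "Found infections    :    0") into an array of integers.
function parseScanSummary(array $lines): array
{
    $summary = [];
    foreach ($lines as $line) {
        if (preg_match('/^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$/', $line, $m)) {
            $summary[trim($m[1])] = (int) $m[2];
        }
    }
    return $summary;
}

// Returns true when the file may be kept. On a detection, or on any scanner
// failure (fail closed), the temp file is removed and $reason says why.
function scanUploadedFile(string $tmpPath, ?string &$reason = null): bool
{
    $output = [];
    $status = -1;
    exec(buildScanCommand($tmpPath), $output, $status);
    $summary = parseScanSummary($output);

    $description = array_key_exists($status, AVG_RETURN_CODES)
        ? AVG_RETURN_CODES[$status]
        : "unknown return code $status";

    $found = ($summary['Found infections'] ?? 0) + ($summary['Found PUPs'] ?? 0);
    if ($status !== 0 || $found > 0) {
        @unlink($tmpPath);   // a flagged file never reaches the uploads folder
        $reason = "rejected: $description";
        return false;
    }
    $reason = 'clean: ' . $description;
    return true;
}

// Usage in an upload handler: scan the temp file first, move it only if clean.
// Assumes an existing "uploads/" folder and a field named "userfile".
if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['userfile']['tmp_name'];
    if (scanUploadedFile($tmp, $why)) {
        move_uploaded_file($tmp, 'uploads/' . bin2hex(random_bytes(16)));
        echo 'File was uploaded (' . htmlspecialchars($why) . ')';
    } else {
        echo 'File was not uploaded (' . htmlspecialchars($why) . ')';
    }
}
```

To confirm the detection branch works without a real sample, upload the EICAR test file linked earlier in the thread and check that the handler reports a rejection and that the temp file is gone. Because the web server runs the scanner under its own account, also confirm that account can execute avgscanx.exe and read the temp directory; otherwise the status will be nonzero with no output, which this code deliberately treats as a failed scan.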


Uh.... regular expressions are not in my knowledge list. Might need some help with that. But if the command even runs, shouldn't there be something in the array? The array just comes out Array( ) and result just comes out 1. I even tried print_r($result); and it's still 1.


Run this on your server:

<?php
ini_set("display_errors", 1);
error_reporting(E_ALL);
$resp = `ping google.com`;
echo '<pre>' . $resp . '</pre>';
?>

The backtick operator will be easiest, it will just return the response as a string. First, if you're seeing a warning with that code but not with your other code, the first thing you want to do is enable all error messages on your server. If you're developing new code or debugging, it doesn't do any good to do it with error messages disabled. If you're getting a warning that it can't fork a new process then follow these instructions:

http://www.somacon.com/p255.php


These are the results:

Pinging google.com [64.233.187.99] with 32 bytes of data:
Reply from 64.233.187.99: bytes=32 time=35ms TTL=239
Reply from 64.233.187.99: bytes=32 time=37ms TTL=239
Reply from 64.233.187.99: bytes=32 time=37ms TTL=239
Reply from 64.233.187.99: bytes=32 time=34ms TTL=239
Ping statistics for 64.233.187.99: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds: Minimum = 34ms, Maximum = 37ms, Average = 35ms

I'm not sure what that has to do with anything to be honest... I'm utterly confused.

I just thought about it and added error_reporting(E_ALL | E_STRICT); to the top of my page, and it's not reporting any errors. Display Errors is turned on in the PHP sections and it does display errors on pages on my server when there are some (usually unset variables :)).
