Search the Community

I was wondering is there is any vulnerabilities in this code: <?php $target_dir = "uploads/"; $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]); $uploadOk = 1; $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION); // Check if image file is a actual image or fake image if(isset($_POST["submit"])) { $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]); if($check !== false) { echo "File is an image - " . $check["mime"] . "."; $uploadOk = 1; } else { echo "File is not an image."; $uploadOk = 0; } } // Check if file already exists if (file_exists($target_file)) { echo "Sorry, file already exists."; $uploadOk = 0; } // Check file size if ($_FILES["fileToUpload"]["size"] > 500000) { echo "Sorry, your file is too large."; $uploadOk = 0; } // Allow certain file formats if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" && $imageFileType != "gif" ) { echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed."; $uploadOk = 0; } // Check if $uploadOk is set to 0 by an error if ($uploadOk == 0) { echo "Sorry, your file was not uploaded."; // if everything is ok, try to upload file } else { if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) { echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded."; } else { echo "Sorry, there was an error uploading your file."; } } ?> cause I know attackers can put a virus in images and I don't want any viruses on my website. Also I wanted to know one more thing. How could I make it so that users can only upload a certain size of image like 50x50? The code used in this thread came from this page: https://www.w3schools.com/php/php_file_upload.asp

Dear all, I thought all tutorial scripts are perfectly functioning without any need for amendments. However, codes of the following tutorial have been used exactly as they are written but did not work: http://www.w3schools.com/php/php_file_upload.asp It reports the following: Notice: Undefined index: fileToUpload in C:\xampp\htdocs\Jadeed\upload.php on line 5 Sorry, file already exists. Notice: Undefined index: fileToUpload in C:\xampp\htdocs\Jadeed\upload.php on line 25 Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded. Pls. note that PHP is configured to allow file uploads, and the form, upload.php, and uploads directly are in the same directory.

I have got some frustating problems facing file upload with a php script. The problem is that my script is working on my local xampp server. But when I transfer it to my strato host server it won't work anymore. There is no error output, although I have set display_errors to on and error_reporting to E_ALL. Here is my complete code which I copied from the w3school file upload tutorial and is stored in the file upload.php: <?php $target_dir = "./uploads"; $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]); $uploadOk = 1; $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION); // Check if image file is a actual image or fake image if(isset($_POST["submit"])) { print_r($_FILES); $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]); if($check !== false) { echo "File is an image - " . $check["mime"] . "."; $uploadOk = 1; } else { echo "File is not an image."; $uploadOk = 0; } // Check if file already exists if (file_exists($target_file)) { echo "Sorry, file already exists."; $uploadOk = 0; } // Check file size if ($_FILES["fileToUpload"]["size"] > 500000) { echo "Sorry, your file is too large."; $uploadOk = 0; } // Check if $uploadOk is set to 0 by an error if ($uploadOk == 0) { echo "Sorry, your file was not uploaded."; // if everything is ok, try to upload file } else { if (copy($_FILES["fileToUpload"]["tmp_name"], $target_file)) { echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded."; } else { echo "Sorry, there was an error uploading your file."; } } } ?> <!DOCTYPE html> <html> <body> <form action="upload.php" method="post" enctype="multipart/form-data"> Select image to upload: <input type="file" name="fileToUpload" id="fileToUpload"> <input type="submit" value="Upload Image" name="submit"> </form> </body> </html> The output of the script after every submission is: As you can see the $_FILES array is completly empty.. no matter what type of file I upload. I checked my php.ini and also phpinfo() for the relevant configuration parameters. This is what I got: file_uploads = On; memory_limit = 128M; post_max_size = 128M; upload_max_filesize = 128M; upload_tmp_dir = /tmp; The files I tried to upload of course did not exceed the limit of 128MB. The script itself should not cause my problem, since it works on my local XAMPP server and for many other users and servers. There must be something wrong with my strato server configuration, but I can't figure out what the problem is. The php.ini seems wright. Does anybody have an idea, a clue or maybe just a hint? Thanks in Advance.

I am using Ajax File Upload control for uploading multiple files at same time. but i want use my own upload button (in my case save button) for uploading files not the ajax upload button. how can i do this ?

Hi there, I know how to secure file upload by checking file extension, but how can I secure from files that looks like images(have .jpg extension), but they are something else, like .exe file with .jpg extension (don't know for mac and ubundu, but you can do that trick on windows) Thanks advanced

Can anyone tell me what is wrong with this file that keeps saying that this file is invalid. it seems certain jpg files are invalid while others are not. yet they all meet the guidelines establish. ERROR:Upload: americanrobinbird.jpgType: image/pjpegSize: 12.8095703125 KbStored in: /chroot/tmp/phpfryeow Invalid file Invalid file Upload.php file <?php$query = "SELECT * FROM {$dbprefix}pages ORDER BY hn ASC";$result = mysql_query($query) or die(mysql_error());while($row = mysql_fetch_array($result)){extract($row);$options .= "<option value='$pn'>$hn</option>";}$query = "SELECT * FROM {$dbprefix}leftnav ORDER BY name ASC";$result = mysql_query($query) or die(mysql_error());while($row = mysql_fetch_array($result)){extract($row);$folderoptions .= "<option value='$link'>$name</option>";}echo "<form action='upload_file.php' method='post' enctype='multipart/form-data'> <label for='file'>Filename:</label> <input type='file' name='file' id='file' /><br /> <label for='file'>File Belonges To:</label> <select name='powner' class='form' />$options</select><br /> <label for='file'>File Folder:</label> <select name='folder' class='form' />$folderoptions</select><br /> <input type='submit' name='submit' value='Submit' /> </form>";?> Upload php file: <?php include("config.php");include("themes/$theme/header.php");?><?php if ($_FILES["file"]["error"] > 0) { echo "Error: " . $_FILES["file"]["error"] . "<br />"; } else { echo "Upload: " . $_FILES["file"]["name"] . "<br />"; echo "Type: " . $_FILES["file"]["type"] . "<br />"; echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />"; echo "Stored in: " . $_FILES["file"]["tmp_name"]; } ?> <?php $allowedExts = array("jpg", "jpeg", "gif", "png"); $extension = end(explode(".", $_FILES["file"]["name"])); if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/png") || ($_FILES["file"]["type"] == "image/jpg")) && ($_FILES["file"]["size"] < 20000) && in_array($extension, $allowedExts)) { if ($_FILES["file"]["error"] > 0) { echo "Error: " . $_FILES["file"]["error"] . "<br />"; } else { echo "Upload: " . $_FILES["file"]["name"] . "<br />"; echo "Type: " . $_FILES["file"]["type"] . "<br />"; echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />"; echo "Stored in: " . $_FILES["file"]["tmp_name"]; } } else { echo "Invalid file"; } ?> <?php $allowedExts = array("jpg", "jpeg", "gif", "png"); $extension = end(explode(".", $_FILES["file"]["name"])); if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/png") || ($_FILES["file"]["type"] == "image/jpg")) && ($_FILES["file"]["size"] < 20000) && in_array($extension, $allowedExts)) { if ($_FILES["file"]["error"] > 0) { echo "Return Code: " . $_FILES["file"]["error"] . "<br />"; } else { echo "Upload: " . $_FILES["file"]["name"] . "<br />"; echo "Type: " . $_FILES["file"]["type"] . "<br />"; echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />"; echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />"; if (file_exists("$folder/" . $_FILES["file"]["name"])) { echo $_FILES["file"]["name"] . " already exists. "; } else { $name = $_FILES["file"]["name"]; $newname = "$folder/$name"; $query = "INSERT INTO {$dbprefix}pictures (plocation, powner) VALUES ('$newname', '$powner')"; $result = mysql_query($query) or die(mysql_error()); move_uploaded_file($_FILES["file"]["tmp_name"], "$folder/" . $_FILES["file"]["name"]); echo "Stored in: " . "$folder/" . $_FILES["file"]["name"]; echo "<script language=\"Javascript\">alert(\"Success!\");window.location.href = 'index.php?p=Upload';</script>"; } } } else { echo "Invalid file"; } ?> <?php include("themes/$theme/footer.php");?>

Okay this is part of my file upload script what has been taken from tizag websites. Somehow this is giving me the error and $target_path = ../Materials/ if (isset($_GET['submit'])) {$target_path = $_GET['directory'];$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { echo "File ". basename( $_FILES['uploadedfile']['name']). " has been sussefully added to websites.";} else { echo "There was error during upload, please check that filesize is not higer than 8MB.";echo $target_path;}}