Jesdisciple Posted May 21, 2008

I have modified the examples at http://us3.php.net/manual/en/features.file-upload.php but keep getting "Possible file upload attack!" returned... Help?

```php
<?php
error_reporting(E_ALL | E_STRICT);
if ($_POST['submit'] == 'Send File') {
    $name = basename($_FILES['userfile']['name']);
    if ($name !== '') {
        $extensions = array('jpg', 'jpeg', 'gif', 'bmp', 'xcf', 'svg', 'tiff', 'png');
        $matches = FALSE;
        foreach ($extensions as $extension) {
            // Build one pattern per allowed extension, e.g. /^\w+\.jpg$/i
            $pattern = preg_replace('/{ext}/', $extension, '/^\w+\.{ext}$/i');
            // strpos() searches for $name inside the pattern string; it does not
            // apply the pattern to $name, so $matches never becomes TRUE here.
            $matches |= strpos($pattern, $name) !== FALSE;
            if ($matches) {
                break;
            }
        }
        if ($matches && move_uploaded_file($_FILES['userfile']['tmp_name'], $name)) {
            echo "File is valid, and was successfully uploaded.\n";
        } else {
            echo "Possible file upload attack!\n";
        }
    } else {
        echo 'Error: Empty filename given.';
    }
}
?>
<html>
<head>
    <title>Some Site Somewhere</title>
</head>
<body>
    <form enctype="multipart/form-data" action="" method="POST">
        <input type="hidden" name="MAX_FILE_SIZE" value="2048">
        Send this file: <input name="userfile" type="file">
        <input type="submit" name="submit" value="Send File">
    </form>
</body>
</html>
```
jeffman Posted May 21, 2008

Seems pretty complicated. Maybe try this

```php
// The alternatives are grouped so that ^\w+ and $ apply to every extension,
// not only to the first and last one.
preg_match("/^\w+(\.jpg|\.jpeg|\.gif|\.bmp|\.xcf|\.svg|\.tiff|\.png)$/i", $filename)
```
Jesdisciple (Author) Posted May 21, 2008

I must have made a really weird bug now; it doesn't show anything, even if I type it directly before the <?php...

```php
<?php
error_reporting(E_ALL | E_STRICT);
if ($_POST['submit'] == 'Send File') {
    $name = basename($_FILES['userfile']['name']);
    if ($name !== '') {
        // No longer used: the allowed extensions are now hard-coded in the regex below.
        $extensions = array('jpg', 'jpeg', 'gif', 'bmp', 'xcf', 'svg', 'tiff', 'png');
        // preg_match() returns 1 on a match, 0 on no match and FALSE on error.
        $matches = preg_match("/^\w+(\.jpg|\.jpeg|\.gif|\.bmp|\.xcf|\.svg|\.tiff|\.png)$/i", $name) === 1;
        if ($matches && move_uploaded_file($_FILES['userfile']['tmp_name'], $name)) {
            echo "File is valid, and was successfully uploaded.\n";
        } else {
            echo "Possible file upload attack!\n";
        }
    } else {
        echo 'Error: Empty filename given.';
    }
}
?>
<html>
<head>
    <title>Some Site Somewhere</title>
</head>
<body>
    <form enctype="multipart/form-data" action="" method="POST">
        <input type="hidden" name="MAX_FILE_SIZE" value="2048">
        Send this file: <input name="userfile" type="file">
        <input type="submit" name="submit" value="Send File">
    </form>
</body>
</html>
```
jeffman Posted May 21, 2008

Sounds like a parse error. Have you tried JSG's wrapper trick? I've got a little file like this. I pass it the name of the file I'm testing in the query string. mydomain.com/test.php?myweirdfile.php

```php
<?php
// Local debugging wrapper: turns on error display and includes the file named
// in the query string. It includes whatever path it is given, so it belongs
// only on a development machine, never on a reachable server.
error_reporting(E_ALL);
ini_set('display_errors', 1);
if (isset($_GET['file']) && !empty($_GET['file'])) {
    include $_GET['file'];
}
?>
```
Jesdisciple (Author) Posted May 21, 2008

I don't think so... But I'm ready to.

EDIT: WAMP isn't started up completely...
Jesdisciple (Author) Posted May 21, 2008

Never mind; WAMP's PHP service wasn't started and was refusing to start. I restarted the computer and it works now. Doh!

My original problem was that I used strpos instead of preg_match - but I could've sworn I printed out the value to make sure that wasn't happening...

Thanks!
jeffman Posted May 21, 2008

The new regex? Good deal.
Jesdisciple (Author) Posted May 21, 2008

No, I was using strpos on the old one... I ended up imploding the extensions to make your regex, because I want them in a separate variable. (I'm helping a friend who's helping a friend. Neither of them know PHP yet, so they don't need to wade through a regex to configure the uploader.)

Thanks again!
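The thread ends with the extension list kept in its own variable and imploded into the regex. The following is an added example, not code from the thread or from the PHP manual page it links to, showing how that same uploader looks once the remaining weak spots are closed: the filename check is built from the list (with each entry escaped), the upload is confirmed with is_uploaded_file and an error-code check, the file's actual content type is compared with its extension through finfo, the client-supplied name is never reused, and the file is written outside the web root. It assumes PHP 7 or later (for random_bytes), the fileinfo extension, and a hypothetical upload directory /var/app/uploads; the MIME-type table is an assumption about what finfo reports for each format.

```php
<?php
// Added example (not the thread's code): a hardened version of the uploader above.
// Assumptions: PHP 7+ (random_bytes), the fileinfo extension, and an upload
// directory outside the document root at the hypothetical path /var/app/uploads.
declare(strict_types=1);

// Kept as a plain list so a non-PHP user can edit it; the regex is built from it.
$allowedExtensions = ['jpg', 'jpeg', 'gif', 'bmp', 'xcf', 'svg', 'tiff', 'png'];

// Extension -> MIME types the file's bytes must report (assumed finfo values).
$allowedMime = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'bmp'  => ['image/bmp', 'image/x-ms-bmp'],
    'png'  => ['image/png'],
    'tiff' => ['image/tiff'],
    'svg'  => ['image/svg+xml'],
    'xcf'  => ['image/x-xcf'],
];

$uploadDir = '/var/app/uploads';  // hypothetical path, outside the document root
$maxBytes  = 2 * 1024 * 1024;     // server-side limit; MAX_FILE_SIZE in the form is only advisory

function validateUpload(array $file, array $allowedExtensions, array $allowedMime, int $maxBytes): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file received.');
    }
    // Only trust paths that PHP itself placed in the temporary directory.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large.');
    }

    // Build the alternation the way the thread does, escaping each entry so an
    // edited list cannot change the meaning of the regex.
    $alternation = implode('|', array_map('preg_quote', $allowedExtensions));
    $name = basename($file['name']);
    if (preg_match('/^\w+\.(' . $alternation . ')$/i', $name, $m) !== 1) {
        throw new RuntimeException('Filename or extension not allowed.');
    }
    $ext = strtolower($m[1]);
    if (!isset($allowedMime[$ext])) {
        throw new RuntimeException("No content-type rule configured for .$ext");
    }

    // The name is client-controlled; check that the bytes agree with the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime[$ext], true)) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    return $ext;
}

function storeUpload(array $file, string $ext, string $uploadDir): string
{
    // Never reuse the client-supplied name: generate one and keep only the checked extension.
    $target = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($target, 0640);  // readable by the application, not executable, not world-readable
    return $target;
}

if (($_POST['submit'] ?? '') === 'Send File' && isset($_FILES['userfile'])) {
    try {
        $ext  = validateUpload($_FILES['userfile'], $allowedExtensions, $allowedMime, $maxBytes);
        $path = storeUpload($_FILES['userfile'], $ext, $uploadDir);
        echo "File is valid, and was successfully uploaded.\n";
    } catch (RuntimeException $e) {
        // Keep the detail in the server log; the user-facing message stays generic.
        error_log('upload rejected: ' . $e->getMessage());
        echo "Possible file upload attack!\n";
    }
}
```

Two points worth noting when adapting this. The regex alone only inspects the name the browser sent, which is why the finfo comparison is kept as a second, independent check. And svg stays in the list only because the thread allows it: an SVG is an XML document that may contain script, so if uploaded SVGs are later served back to browsers they need a deliberate Content-Type and Content-Disposition policy rather than being treated like the raster formats.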