
Uploading a File


Jesdisciple


I have modified the examples at http://us3.php.net/manual/en/features.file-upload.php but keep getting "Possible file upload attack!" returned... Help?

<?php
    error_reporting(E_ALL | E_STRICT);
    // isset() avoids an undefined-index notice when the form has not been submitted yet
    if(isset($_POST['submit']) && $_POST['submit'] == 'Send File'){
        $name = basename($_FILES['userfile']['name']);
        if($name !== ''){
            $extensions = array('jpg', 'jpeg', 'gif', 'bmp', 'xcf', 'svg', 'tiff', 'png');
            $matches = FALSE;
            foreach($extensions as $extension){
                // Build one anchored pattern per extension, e.g. /^\w+\.jpg$/i
                $pattern = preg_replace('/{ext}/', $extension, '/^\w+\.{ext}$/i');
                // strpos() looks for $name as a literal substring of the pattern text;
                // it does not evaluate the regex
                $matches |= strpos($pattern, $name) !== FALSE;
                if($matches){
                    break;
                }
            }
            if($matches && move_uploaded_file($_FILES['userfile']['tmp_name'], $name)) {
                echo "File is valid, and was successfully uploaded.\n";
            }else{
                echo "Possible file upload attack!\n";
            }
        }else{
            echo 'Error: Empty filename given.';
        }
    }
?>
<html>
    <head>
        <title>Some Site Somewhere</title>
    </head>
    <body>
        <form enctype="multipart/form-data" action="" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="2048">
            Send this file: <input name="userfile" type="file">
            <input type="submit" name="submit" value="Send File">
        </form>
    </body>
</html>


I must have made a really weird bug now; it doesn't show anything, even if I type it directly before the <?php...

<?php
    error_reporting(E_ALL | E_STRICT);
    // isset() avoids an undefined-index notice when the form has not been submitted yet
    if(isset($_POST['submit']) && $_POST['submit'] == 'Send File'){
        $name = basename($_FILES['userfile']['name']);
        if($name !== ''){
            $extensions = array('jpg', 'jpeg', 'gif', 'bmp', 'xcf', 'svg', 'tiff', 'png');
            // Anchored, case-insensitive match on the whole filename
            $matches = preg_match("/^\w+(\.jpg|\.jpeg|\.gif|\.bmp|\.xcf|\.svg|\.tiff|\.png)$/i", $name) === 1;
            if($matches && move_uploaded_file($_FILES['userfile']['tmp_name'], $name)) {
                echo "File is valid, and was successfully uploaded.\n";
            }else{
                echo "Possible file upload attack!\n";
            }
        }else{
            echo 'Error: Empty filename given.';
        }
    }
?>
<html>
    <head>
        <title>Some Site Somewhere</title>
    </head>
    <body>
        <form enctype="multipart/form-data" action="" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="2048">
            Send this file: <input name="userfile" type="file">
            <input type="submit" name="submit" value="Send File">
        </form>
    </body>
</html>


Sounds like a parse error. Have you tried JSG's wrapper trick? I've got a little file like this. I pass it the name of the file I'm testing in the query string. mydomain.com/test.php?myweirdfile.php

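<?php
// Debug wrapper: turn on error display, then include the file named in ?file=
error_reporting(E_ALL);
ini_set('display_errors', 1);
if (isset($_GET['file']) && !empty($_GET['file']))
{
    // The path comes straight from the query string and is not validated
    include $_GET['file'];
}
?>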


Never mind; WAMP's PHP service wasn't started and was refusing to start. I restarted the computer and it works now.

Doh! My original problem was that I used strpos instead of preg_match - but I could've sworn I printed out the value to make sure that wasn't happening...

Thanks!


No, I was using strpos on the old one... I ended up imploding the extensions to make your regex, because I want them in a separate variable. (I'm helping a friend who's helping a friend. Neither of them knows PHP yet, so they don't need to wade through a regex to configure the uploader.)

Thanks again!

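The check discussed in this thread, as an added example that is not part of any post above: it builds the anchored regex from a separate extension list with implode(), as the last post describes, and runs both strpos() and preg_match() over sample filenames. The helper function names and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Helper names and sample
// filenames are constructed for illustration.

// Allow-list kept in its own variable so it can be edited without touching the regex.
$extensions = array('jpg', 'jpeg', 'gif', 'bmp', 'xcf', 'svg', 'tiff', 'png');

// Build one anchored, case-insensitive pattern from the list.
// preg_quote() keeps an entry containing regex characters from changing the pattern.
function build_extension_pattern(array $extensions) {
    $quoted = array();
    foreach ($extensions as $ext) {
        $quoted[] = preg_quote($ext, '/');
    }
    return '/^\w+\.(' . implode('|', $quoted) . ')$/i';
}

// The check from the first post: strpos() looks for $name as a literal
// substring of the pattern text, so the regex is never evaluated.
function matches_with_strpos($pattern, $name) {
    return strpos($pattern, $name) !== FALSE;
}

// The corrected check: preg_match() returns 1 only when the whole name matches.
function matches_with_preg_match($pattern, $name) {
    return preg_match($pattern, $name) === 1;
}

$pattern = build_extension_pattern($extensions);

// Constructed sample names: a normal image, an upper-case extension,
// a double extension, a script, and a name carrying a path component.
$samples = array('photo.jpg', 'SCAN.PNG', 'notes.php.jpg', 'page.php', '../up.gif');

foreach ($samples as $raw) {
    $name = basename($raw); // same normalisation the thread's code applies
    printf("%-14s strpos=%-5s preg_match=%s\n",
        $raw,
        var_export(matches_with_strpos($pattern, $name), true),
        var_export(matches_with_preg_match($pattern, $name), true));
}
```

Because `\w` does not match a dot, the anchored pattern accepts only names with a single extension from the list.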

Archived

This topic is now archived and is closed to further replies.
