PHP - Is This Upload Script Secure?
Code:
<?php
// Maximum file size for upload
$maxFileSize = 5242880;

// If file is too large
if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
    echo "File too large";
else
{
    if(isset($_POST['submit']))
    {
        // List of acceptable file types
        $whitelist = array(
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document", // .docx
            "application/msword", // .doc, .rtf
            "text/plain",
            "image/jpeg",
            "image/gif",
            "image/png",
            "application/pdf",
            "application/octet-stream", // .rar
            "application/x-zip" // .zip
        );

        // Is uploaded file type in whitelist array
        if(!in_array($_FILES['file_upload']['type'], $whitelist))
            exit("Bad Filetype");

        // Don't allow php files
        if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
            exit("We do not allow uploading PHP files\n");

        // Move the file
        $uploaddir = '../uploads/';
        $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);

        if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
            exit("File is valid, and was successfully uploaded.\n");
        else
            exit("File uploading failed.\n");
    }
}
?>
<html>
<head>
<title>Upload Test</title>
</head>
<body>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
    <input type="file" name="file_upload" />
    <input type="submit" name="submit" value="upload" />
    <br />
    <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
</form>
</body>
</html>

Similar Tutorials

I'm allowing users to upload a file into a directory that is inside of my ftp's root directory (what is the proper term for this area anyway?)
Anyway, I am uploading to this folder:
Code:
+ www.mywebsite.com/
+ files/
+ images/
- welcome.jpg
+ system/
- text.txt
- index.php
+ upload/ <-- here, this one right here
- an_uploaded_file.zip
If I have a php script that downloads from this folder would I need to worry about someone doing something that is not intended? I don't want someone overwriting my index.php with their own.

Hello,
I want to know if this code is ok or do I have sql-injection, session hijacking etc.
Thank you very much for your help.
Rafal
<?php
INI_SET('SESSION.USE_ONLY_COOKIES', 1);
SESSION_START();
SESSION_CACHE_EXPIRE(10);
SESSION_REGENERATE_ID();
$uname = "mail@mail.com";
$upassword = "a4ca6e1f044a98a8a72e7b356a134319433f4d98adb3f463202246bddb883712459e66ea985f37cb2e7171165500c341be4effd1f6e4461246e3c61e5767741f";
if (isset($_POST["inp_name"]) && isset($_POST["inp_pwd"])) {
    if ($uname == $_POST["inp_name"] && $upassword == hash('sha512', $_POST["inp_pwd"])) {
        $_SESSION["e64X96ea"] = 1;
    }
}
?>
<?php
if ($_SESSION["e64X96ea"] != 1) {
    header ( 'Location:login.php' );
    exit;
}
?>
Edited by rafal, 16 November 2014 - 08:39 AM.

Hi All, I am using HTTP Session2 pear module in my project. My logout code is
HTTP_Session2::set('user_id','');
HTTP_Session2::set('user_type','');
HTTP_Session2::regenerateId(true);
HTTP_Session2::destroy();
pageRedirect("index.php?q=registration/login");
exit;
My Check Login Script is
if(trim(HTTP_Session2::get('user_id'))=='' || trim(HTTP_Session2::get('user_type'))=='')
{
    HTTP_Session2::set('user_id','');
    HTTP_Session2::set('user_type','');
    HTTP_Session2::regenerateId(true);
    HTTP_Session2::destroy();
    pageRedirect("index.php?q=registration/login");
    exit;
}
The problem here is whenever I click on the back button after logout then I can see the user homepage, on which I have written "Check Login Script". Is there a good solution available?

Hi everyone, I have a page that I use to upload images to my website. I got a bit fed up of uploading one at a time so I decided to add multiple file fields to the form to upload multiple images at the same time. I'm having a few problems. I've read up here http://www.php.net/manual/en/features.file-upload.multiple.php and it seems all I have to do is add [] to the form names to turn them into arrays. However when I come to upload the images, I keep getting the "$error[] = "Incorrect format!...." error from the code below. I can't seem to figure out what the problem is. Could anybody please point me in the right direction?
<?php
session_start();
$id = $_SESSION['id'];
$connect = mysql_connect("localhost","leemp5_admin","p7031521");
mysql_select_db("leemp5_database");
$query = mysql_query("SELECT * FROM users WHERE id='$id'");
$row = mysql_fetch_assoc($query);
$username = $row['username'];
$submit = $_POST['submit'];
$type = $_FILES['image']['type'];
$size = $_FILES['image']['size'];
$max_size = "1000";
$width = "100";
$height = "100";
$error = array();

function make_thumb($image_name,$filename,$new_width,$new_height)
{
    $ext=getExtension($image_name);
    if(!strcmp("jpg",$ext) || !strcmp("jpeg",$ext))
        $source_image=imagecreatefromjpeg($image_name);
    if(!strcmp("png",$ext))
        $source_image=imagecreatefrompng($image_name);
    if(!strcmp("gif",$ext))
        $source_image=imagecreatefromgif($image_name);
    $old_x=imageSX($source_image);
    $old_y=imageSY($source_image);
    $ratio1=$old_x/$new_width;
    $ratio2=$old_y/$new_height;
    if($ratio1>$ratio2)
    {
        $thumb_width=$new_width;
        $thumb_height=$old_y/$ratio1;
    }
    else
    {
        $thumb_height=$new_height;
        $thumb_width=$old_x/$ratio2;
    }
    $destination_image=ImageCreateTrueColor($thumb_width,$thumb_height);
    imagecopyresampled($destination_image,$source_image,0,0,0,0,$thumb_width,$thumb_height,$old_x,$old_y);
    if(!strcmp("jpg",$ext) || !strcmp("jpeg",$ext))
    {
        imagejpeg($destination_image,$filename);
    }
    if(!strcmp("png",$ext))
    {
        imagepng($destination_image,$filename);
    }
    if(!strcmp("gif",$ext))
    {
        imagegif($destination_image,$filename);
    }
    imagedestroy($destination_image);
    imagedestroy($source_image);
}

function getExtension($str)
{
    $i = strrpos($str,".");
    if (!$i)
    {
        return "";
    }
    $l = strlen($str) - $i;
    $ext = substr($str,$i+1,$l);
    return $ext;
}

if($submit)
{
    $image=$_FILES['image']['name'];
    if ($image)
    {
        $filename = stripslashes($_FILES['image']['name']);
        $extension = getExtension($filename);
        $extension = strtolower($extension);
        if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif"))
        {
            $error[] = "Incorrect format! Please make sure your image is a .jpg, .jpeg, .png or .gif file.";
        }
        else
        {
            $size=getimagesize($_FILES['image']['tmp_name']);
            $sizekb=filesize($_FILES['image']['tmp_name']);
            if ($sizekb > $max_size*1024)
            {
                $error[] = "Your image is too big! The maximum upload size is 1MB.";
            }
            else
            {
                $image_name=time().'.'.$extension;
                $newname="uploads/" . $username . "/images/".$image_name;
                $copied = copy($_FILES['image']['tmp_name'], $newname);
                if (!$copied)
                {
                    $error[] = "There was an error uploading your image. Please try again!";
                }
                else
                {
                    $thumb_name='uploads/' . $username . '/images/thumbs/thumb_'.$image_name;
                    $thumb=make_thumb($newname,$thumb_name,$width,$height);
                }
            }
        }
    }
    else
    {
        $error[] = "Please select an image to upload!";
    }
    if(empty($error))
    {
        echo "Upload Successfully!<br />";
        echo '<img src="'.$thumb_name.'">';
        mysql_query("INSERT INTO images VALUES ('','$username','$image_name','','','','','uploads/$username/images/$image_name','uploads/$username/images/thumbs/thumb_$image_name','$type','$size')");
    }
    else
    {
        echo implode($error);
    }
}
?>
<form method="post" enctype="multipart/form-data" action="upload_images.php">
    <input type="file" name="image[]" /><br />
    <input type="file" name="image[]" /><br />
    <input type="file" name="image[]" /><br />
    <input type="file" name="image[]" /><br />
    <input type="file" name="image[]" /><br />
    <input type="file" name="image[]" /><br />
    <input type="submit" name="submit" value="Upload">
</form>
Thanks

Hello, I made a login script, it works but I want to be sure if it's secure to use in everyday use, here is the script:
<?php
session_start();
require_once('include/config.inc.php');
require_once('include/functions.php');

function clean($str, $encode_ent = false) {
    $str = @trim($str);
    if ($encode_ent) {
        $str = htmlentities($str);
    }
    if (version_compare(phpversion(),'4.3.0') >= 0) {
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        if (@mysql_ping()) {
            $str = mysql_real_escape_string($str);
        } else {
            $str = addslashes($str);
        }
    } else {
        if (!get_magic_quotes_gpc()) {
            $str = addslashes($str);
        }
    }
    return $str;
}

if (isset($_POST['submit'])) {
    if ($_POST['code'] == $_SESSION['rand_code']) {
        //Sanitize the POST values
        $username = clean($_POST['username']);
        $password = clean($_POST['password']);
        $ip = clean($_SERVER['REMOTE_ADDR']);
        $query="SELECT * FROM user WHERE username='$username' AND password='".md5($_POST['password'])."'";
        $result=mysql_query($query);
        //Check whether the query was successful or not
        if ($result) {
            if (mysql_num_rows($result) == 1) {
                //Login Successful
                session_regenerate_id();
                $user = mysql_fetch_assoc($result);
                $_SESSION['SESS_MEMBER_ID'] = $user['username'];
                session_write_close();
                $query_login_ok = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'SUCCESS', '$ip');";
                $result_query_login_ok = mysql_query($query_login_ok) or die('MYSQL ERROR');
                header("location: pmt.php");
                exit();
            } else {
                //Login failed
                $query_login_fail = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'FAILED', '$ip');";
                $result_query_login_fail = mysql_query($query_login_fail) or die('MYSQL ERROR');
                header("location: index.php");
                exit();
            }
        } else {
            die("ERROR");
        }
    }
}
?>
<form id="login" name="login" method="post" action="">
<table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
    <tr>
        <td width="112"><b>Username</b></td>
        <td width="188"><input name="username" type="text" class="textfield" id="username" value="admin" /></td>
    </tr>
    <tr>
        <td><b>Password</b></td>
        <td><input name="password" type="password" class="textfield" id="password" value="qazwsx" /></td>
    </tr>
    <img src="include/captcha.php"/>
    <tr>
        <td><b>Code</b></td>
        <td><input type="text" name="code" /></td>
    </tr>
    <tr>
        <td> </td>
        <td><input type="submit" name="submit" value="Login" /></td>
    </tr>
</table>
</form>

Hi guys, It's my first post here, not looking to leech, I'm simply here to learn and develop my skills and any contributes will be greatly
appreciated! Anyways I have made a simple login script, however I would like to make it more secure. However before that, can you please explain to me as to why it is not secure in the first place? A basic explanation so I can understand would be great. Then after that, could you please give help as to how I would make this login code more secure? Thank you very much
Code:
<?php
$rowsfound=false;
if (isset($_GET['frmStudentId'])) {
    // functions to make performQuery() work correctly
    require_once("dbfunctions.inc.php");
    $query = "SELECT dbStudentId, dbStudentName " .
             " FROM student " .
             " WHERE dbStudentId = '".$_GET['frmStudentId']."'" .
             " AND dbPassword = '".$_GET['frmPassword']."'";
    $result = performQuery($query);
    if(count($result) > 0) {
        $rowsfound=true; // allow login
    }
}
// code continues by generating appropriate response ...

Hi guys, sorry for such a newbish question. Any help would be greatly appreciated.
HTML FORM:
Code:
<form action="form.php" method="post" onsubmit="return validateForm()" name="form">
    <b>First Name:*</b> <input type="text" name="first_name" size="50" />
    <b>Last Name:*</b> <input type="text" name="last_name" size="50" />
    <b>Phone:*</b> <input type="text" name="phone" size="50" />
    <b>Email:*</b> <input type="text" name="email" size="50" />
    <p><b>What is your favorite color?*</b></p>
    <p align="left">
    <select name="se">
        <option value="W">White</option>
        <option value="G">Green</option>
        <option value="Y">Yellow</option>
    </select>
    <input type="submit" value="Submit"/>
</form>
FORM.PHP script
Code:
<?php
$se = $_POST['se'];
$seURL = '';
switch ($se) {
    case 'W': $seURL = "http://url1.com"; break;
    case 'G': $seURL = "http://url2.com"; break;
    case 'O': $seURL = "http://url3.com"; break;
    default: $seURL = "";
}
if ($seURL != "") {
    /* Redirect browser */
    /* make sure nothing is output to the page before this statement */
    header("Location: " . $seURL);
}
// get posted data into local variables
$EmailFrom = "noreply@domain.com";
$EmailTo = "email@domain.com";
$Subject = "Form";
$first_name = Trim(stripslashes($_POST['first_name']));
$last_name = Trim(stripslashes($_POST['last_name']));
$phone = Trim(stripslashes($_POST['phone']));
$email = Trim(stripslashes($_POST['email']));
// validation
$validationOK=true;
if (!$validationOK) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
    exit;
}
// prepare email body text
$Body = "";
$Body .= "first_name: "; $Body .= $first_name; $Body .= "\n";
$Body .= "last_name: "; $Body .= $last_name; $Body .= "\n";
$Body .= "phone: "; $Body .= $phone; $Body .= "\n";
$Body .= "email: "; $Body .= $email; $Body .= "\n";
$Body .= "color: "; $Body .= $se; $Body .= "\n";
// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
// send email to user
if ($se=="W") $EmailFrom = "noreply@domain.com";
$to = $email;
$subject = "form email";
$body = "thank you for filling out our form";
if (mail($to, $subject, $body, "From: <$EmailFrom>")) {
    echo("<p>Message successfully sent!</p>");
} else {
    echo("<p>Message delivery failed...</p>");
}
?>
MOD EDIT: [code] . . . [/code] tags added . . .

Hi, I have found this code:
<?php
if (isset($_POST['submit_bilde'])) {
    $error = 'Wrong image file..';
    define( 'THUMBNAIL_IMAGE_MAX_WIDTH', 250 );
    define( 'THUMBNAIL_IMAGE_MAX_HEIGHT', 250 );

    function generate_image_thumbnail( $source_image_path, $thumbnail_image_path )
    {
        list( $source_image_width, $source_image_height, $source_image_type ) = getimagesize( $source_image_path );
        switch ( $source_image_type )
        {
            case IMAGETYPE_GIF:
                $source_gd_image = imagecreatefromgif( $source_image_path );
                break;
            case IMAGETYPE_JPEG:
                $source_gd_image = imagecreatefromjpeg( $source_image_path );
                break;
            case IMAGETYPE_PNG:
                $source_gd_image = imagecreatefrompng( $source_image_path );
                break;
        }
        if ( $source_gd_image === false )
        {
            return false;
        }
        $thumbnail_image_width = THUMBNAIL_IMAGE_MAX_WIDTH;
        $thumbnail_image_height = THUMBNAIL_IMAGE_MAX_HEIGHT;
        $source_aspect_ratio = $source_image_width / $source_image_height;
        $thumbnail_aspect_ratio = $thumbnail_image_width / $thumbnail_image_height;
        if ( $source_image_width <= $thumbnail_image_width && $source_image_height <= $thumbnail_image_height )
        {
            $thumbnail_image_width = $source_image_width;
            $thumbnail_image_height = $source_image_height;
        }
        elseif ( $thumbnail_aspect_ratio > $source_aspect_ratio )
        {
            $thumbnail_image_width = ( int ) ( $thumbnail_image_height * $source_aspect_ratio );
        }
        else
        {
            $thumbnail_image_height = ( int ) ( $thumbnail_image_width / $source_aspect_ratio );
        }
        $thumbnail_gd_image = imagecreatetruecolor( $thumbnail_image_width, $thumbnail_image_height );
        imagecopyresampled( $thumbnail_gd_image, $source_gd_image, 0, 0, 0, 0, $thumbnail_image_width, $thumbnail_image_height, $source_image_width, $source_image_height );
        imagejpeg( $thumbnail_gd_image, $thumbnail_image_path, 100 );
        imagedestroy( $source_gd_image );
        imagedestroy( $thumbnail_gd_image );
        return true;
    }

    define( 'UPLOADED_IMAGE_DESTINATION', 'annonsebilder/orginaler/' );
    define( 'THUMBNAIL_IMAGE_DESTINATION', 'annonsebilder/thumbs/' );

    function process_image_upload( $field )
    {
        $temp_image_path = $_FILES[ $field ][ 'tmp_name' ];
        $temp_image_name = $_FILES[ $field ][ 'name' ];
        list( , , $temp_image_type ) = getimagesize( $temp_image_path );
        if ( $temp_image_type === NULL )
        {
            return false;
        }
        switch ( $temp_image_type )
        {
            case IMAGETYPE_JPEG:
                break;
            default:
                return false;
        }
        $uploaded_image_path = UPLOADED_IMAGE_DESTINATION . $temp_image_name;
        move_uploaded_file( $temp_image_path, $uploaded_image_path );
        $random_digit=rand(0000000000000,9999999999999);
        $thumbnail_image_path = THUMBNAIL_IMAGE_DESTINATION . preg_replace( '{\\.[^\\.]+$}', '.jpg', $annonse_ref.'_'.$random_digit.'.jpg' );
        $result = generate_image_thumbnail( $uploaded_image_path, $thumbnail_image_path );
        return $result ? array( $uploaded_image_path, $thumbnail_image_path ) : false;
    }

    for ( $i = 1; $i <= 5; $i++ )
    {
        if ( $_FILES[ 'Image' . $i ][ 'error' ] == 0 )
        {
            $result = process_image_upload( 'Image' . $i );
        }
    }
    if ( $result === false )
    {
        echo $error;
    }
    else
    {
        //THIS ECHO SHIT IS KILLIN' ME!!!
        echo '<br />1: '.$result['1'] ;
        echo '<br />2: '.$result['2'];
        echo '<br />3: '.$result['3'];
        echo '<br />4: '.$result['4'];
        echo '<br />5: '.$result['5'];
    }
}
if (!isset($_POST['submit_bilde'])) {
?>
<form action="" method="post" enctype="multipart/form-data">
    <input type="file" name="Image1"><br>
    <input type="file" name="Image2"><br>
    <input type="file" name="Image3"><br>
    <input type="file" name="Image4"><br>
    <input type="file" name="Image5"><br><br>
    <input type="submit" value="GOOOOOOOO!!!!" name="submit_bilde">
</form>
<?}?>
and if you look in the code there is a part where I want to echo the uploaded files' paths.. I only see one of those 5 files listed in the "echo"-thing :p Can someone please, please, please help me to echo ALL the 5 images' paths??

I currently have the following script used on my site to upload files. When the linked web page executes it, however, I receive the infamous Parse Error - Unexpected '<' in x:/xxxx.
The problem lies in Line 11 where I attempt to define a command that will display a message box to the user upon successful file upload. The syntax is not correct and I was hoping someone would be able to help me with it. Here is the contents of the PHP file.
<?php
// Where the file is going to be placed
$target_path = $_SERVER['DOCUMENT_ROOT'] . "/file_uploads/";

/*Add the original filename to our target path. Result is "uploads/filename.extension"*/
$target_path=$target_path.basename($_FILES['file']['name']);

//Move file to upload directory
if(move_uploaded_file($_FILES['file']['tmp_name'], $target_path))
{
echo <script type="text/javascript">alert("Upload was successful. Thank you for your contribution")</script>;
}
else{
echo "There was a problem submitting the file. Plese try again!";
}
?>
Thank you in advance for any help.

Hey guys, I'm trying to make a file upload script so that when the user uploads a pic it gets shown in a div...when you add another it is then added by the side of the 1st pic...but for some reason when selecting an image nothing shows...
What am I doing wrong?
Here is my code below if anyone can tell me what it is I'm doing wrong...thank you
<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/jquery-ui.min.js"></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
<script>
$( document ).ready(function() {
    var files = $('.input-file').prop("files");
    var file_count = files.length;
    var names = $.map(files, function(val) { return val.name; });
    $('#input-file-button').click(function() {
        $('.input-file').click();
    });
    $('.input-file').change(function (){
        var file_name = $(this).val();
        var file_path = URL.createObjectURL(event.target.files[0]);
        $('#uploaded-images').append('<div><img src="'+ file_path +'" /></div>' + file_name);
    });
    if (file_count < 1) {
        $('#uploaded-images').text("No images are selected.");
    }
});
</script>
<style>
.input-file { display: none; }
</style>
</head>
<body>
<div id="uploaded-images"></div>
<br />
<input type="file" name="files[]" class="input-file"/><span id='input-file-button'>Upload Photo</span>
</body>
</html>

But I need some help. I built part of this script off a tut, and did the rest myself. However, I want it so it sends the information into a database. What I want is, once a user uploads an image, it can also be deleted by that user with the code given. I have made the html, bbcode & direct link. I want an option for a box where it shows Delete link.... maniaupload.net Here's my FULL php upload script.
<?php
define ("MAX_SIZE","100000");

function getExtension($str) {
    $i = strrpos($str,".");
    if (!$i) { return ""; }
    $l = strlen($str) - $i;
    $ext = substr($str,$i+1,$l);
    return $ext;
}

$errors=0;
if(isset($_POST['Submit']))
{
    $image=stripslashes($_FILES['image']['name']);
    if ($image)
    {
        $filename = stripslashes($_FILES['image']['name']);
        $extension = getExtension($filename);
        $extension = strtolower($extension);
        if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "mov") && ($extension !="PNG") && ($extension !="bmp") && ($extension != "png") && ($extension != "gif"))
        {
            echo '<font color="red"><b>Extension not allowed</b></font><br>';
            $errors=1;
        }
        else
        {
            $size=filesize($_FILES['image']['tmp_name']);
            if ($size > MAX_SIZE*100000)
            {
                echo 'You have exceeded the size limit!';
                $errors=1;
            }
            $image_name=time().'.'.$extension;
            $newname="images/".$image_name;
            $fullname="http://www.maniaupload.net/".$newname;
            $copied = copy($_FILES['image']['tmp_name'], $newname);
            if (!$copied)
            {
                echo '<font color=\"red\"><b>Upload Unsuccessful! Try Again?</b></font>';
                $errors=1;
            }}}}
if(isset($_POST['Submit']) && !$errors)
{
    echo "File Uploaded Successfully! <br /><br />
<img src=\"$newname\" /> <br /><br />
<b>Direct Image Link:</b><br/><table width=\"338\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" id=\"Table1\">
<tr>
<td align=\"center\" valign=\"middle\"><textarea readonly name=\"message\" rows=\"1\" cols=\"50\">$fullname</textarea></td>
</tr>
</table></center><br>
<b>HTML Code:</b><br/><table width=\"338\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" id=\"Table1\">
<tr>
<td align=\"center\" valign=\"middle\"><textarea readonly name=\"message\" rows=\"1\" cols=\"50\">
<a href=\"$fullname\" target=\"_blank\"><img border=\"0\" src=\"$fullname\"></a>
</textarea></td>
</tr>
</table><br>
<b>BBCode <font color=\"red\">*NEW*</font></b><br>
<table width=\"338\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" id=\"Table1\">
<tr>
<td align=\"center\" valign=\"middle\">
<textarea readonly name=\"message\" rows=\"1\" cols=\"50\"> </textarea></td>
</tr>
</table><br>
";
}
?>
I made the appropriate databases in the myadmin area, I just need a starting point to where it injects the image that was uploaded into the database. Basically the ID and all that crap. I have more code but it's not needed, it's outside of the php tags. But can anyone help please. It's just adding a delete link so users can delete it if they choose. I'm thinking it's MYSQL involved, but I'm still learning. Anyone know how I could do this? Thanks.

It says error unexpecting T_ELSE on line 50...Any help is appreciated
<?php
if (is_uploaded_file($file_tmp)){
    ///SUPPORTED IMAGE TYPES
    $tgif = "IMAGETYPE_GIF";
    $tjpeg = "IMAGETYPE_JPEG";
    $tpng = "IMAGETYPE_PNG";
    $twsf = "IMAGETYPE_SWF";
    $tbmp = "IMAGETYPE_BMP";
    $file_size = $_FILES["file"]["size"];
    $file_tmp = $_FILES['file']['tmp_name'];
    $file_name = $_FILES["file"]["name"] ;
    $file_type = $_FILES["file"]["type"];
    $file = $file_name . $file_type;
    $path = "images/" . $title_id . "/";
    $path - $path . basename($file_name);
    if (exif_imagetype('$file') != $tgif || $tjpeg || $tjpng || $twsf || $tbmp){
        if ($file_size < 20000000){ /////20mb/////
            if (file_exists($path . $file_name)){
                if (move_uploaded_file($file_tmp,$path)){
                    $msg = "File upload successful";
                }
                else{
                    $msg = "There was an error";
                }
            }else{
                $msg = "This file already exists on the server";
            {
        }else{
            $msg = "File size is too large";
        }
    }else{
        $msg = "File type not supported";
    }
}else{
    $file = "";
}
?>

I'm getting a warning saying 'Warning: mkdir() [function.mkdir]: File exists in /home/multisea/public_html/BSGN/secure_upload.php on line 5' if I execute the script below
Code:
<?php
$secure_folder = "upimg/$rand/$time";
$rand=rand(0000000000,9999999999);
$time=time();
mkdir("$secure_folder", 0777);
echo "secure folder made successfully... not done yet so dont close this window...";
$target = "$secure_folder";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
if ($uploaded_size > 1500000)
{
    echo "Your file is too large.<br>";
    $ok=0;
}
if ($ok==0)
{
    echo "sorry your file was not uploaded...";
}
else
{
    if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
    {
        echo "the file ". basename( $_FILES['uploadedfile']['name']). "hasbeen uploaded the link to your file is http://multi-search.org/BSGN/$secure_folder/". basename( $_FILES['uploaded']['name'])."<br />";
    }
    else
    {
        echo "sorry, there was a problem uploading your file.";
    }
}
?>

Hello, I'm planning on making a website where people are able to upload files and directly link to them. Ideally, I want to keep the same file names that the people use when they upload the file. I was planning on keeping the directory that stored all of the files outside of the www directory and disable execute permissions. However, how would I avoid file overwriting with the same file name?

Hi everyone. I have been looking for a PHP upload script that handles various different document types like PDF, DOC and XLS.
So far all I have found is image upload scripts. Can anyone point me in the right direction? I would be most grateful. Thank you!

I need to set my script here to change the CHMOD settings to 644. The images that are uploaded into the Yahoo server are not able to be accessed. I believe this is the CHMOD, however I have never worked with CHMOD. Please help, or if you notice an error in my coding please let me know.
Code:
<?php
$Name = $_POST['Name'];
$Pic = $_FILES["file"] ["name"];
if ((($_FILES["file"] ["type"] == "image/gif")
|| ($_FILES["file"] ["type"] == "image/jpeg")
|| ($_FILES["file"] ["type"] == "image/pjpeg"))
&& ($_FILES["file"] ["size"] < 100000))
{
    if ($_FILES["file"] ["error"] > 0)
    {
        echo "Return Code: " . $_FILES["file"] ["error"] . "<br />";
    }
    else
    {
        if (file_exists("../Graphics/" . $_FILES["file"] ["name"]))
        {
            include("../Admin/photos.php");
            echo $_FILES["file"] ["name"] . " already exists. ";
        }
        else
        {
            move_uploaded_file($_FILES["file"] ["tmp_name"], "../Graphics/" . $_FILES["file"] ["name"]);
            chmod("$pic",0644);
        }
    }
}
else
{
    echo "<font size='5' face='Arial'><b>Invalid file</b></font>";
}
$Category = $_POST['Category'];
include('database.php');
mysql_select_db("bluemoonmastiff", $con);
$good_data = $_POST;
foreach($good_data as $field => $value)
{
    if($field != "submitted")
    {
        $field_array[] = $field;
        $clean = strip_tags(trim($value));
        $escaped = mysqli_real_escape_string($cxn,$clean);
        $value_array[] = $escaped;
    }
}
$fields = implode(",",$field_array);
$values = implode('","',$value_array);
$sql = "INSERT INTO gallery SET Name='$Name',PicAddress='Graphics/$Pic',Category='$Category'";
if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "<font size='5' face='Arial'><b>Picture Upload Complete</b></font>";
?>

Hi All. Not so much help as here is a handy class for uploading images. Please feel free to find security bugs and let me know. Also feel free to use it if you want.
http://onlyican.com/test_samples/bl_upload_img.phps
To use the class, simply use the following
require_once('bl_upload_img.php');
$objUploadImg = new UploadImg();
//Set values here if you wish such as
$objUploadImg->setFormField('myFormField'); // The Name from <input type="file" name="myFormField" />
$objUploadImg->setSaveDirMain($_SERVER['DOCUMENT_ROOT'].'/MyImageFolder'); //Make sure to set the permissions
//You can change most settings, just look at the function setDetaultValues() to get the function name
//Now upload the image
if($objUploadImg->uploadImage()){
    $strFileName = $objUploadImg->getFileNameMain();
}else{
    echo 'Error uploading Image<br />'.$objUploadImg->getErrorMessage();
}

Hey guys!! I'm after a bit of help with a script I am using for simple image upload to server. At the moment the script works fine and will allow upload of JPG files, I want to extend on this to allow GIF and PNG files to be uploaded as well. This is the script I am using...
<?php
//Check that we have a file
if((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
    //Check if the file is JPEG image and it's size is less than 600Kb
    $filename = basename($_FILES['uploaded_file']['name']);
    $ext = substr($filename, strrpos($filename, '.') + 1);
    if (($ext == "jpg") && ($_FILES["uploaded_file"]["type"] == "image/jpeg") &&
        ($_FILES["uploaded_file"]["size"] < 600000)) {
        //Determine the path to which we want to save this file
        $newname = dirname(__FILE__).'/uploads/'.$filename;
        //Check if the file with the same name is already exists on the server
        if (!file_exists($newname)) {
            //Attempt to move the uploaded file to it's new place
            if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
                echo "Upload Complete! You can use the following link in the IMS:" .$newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {
            echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";
        }
    } else {
        echo "Error: Only .jpg images under 600Kb are accepted for upload";
    }
} else {
    echo "Error: No file uploaded";
}
// $sessionid=session_id()
//$newname=$_SESSION['session_name']
header( 'Location: success.php?newname1='.$filename ) ;
?>
Any help would be appreciated!! ta!! jonny
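
Several of the upload scripts on this page decide what to accept from `$_FILES[...]['type']` and the submitted file name, both of which are supplied by the client, and several posters ask how to avoid overwriting existing files. The following is an added example, not code from any poster on this page: it classifies the file from its bytes with the fileinfo extension, assigns the extension itself, and stores the file under a random server-generated name. The function names `classify_upload` and `store_upload`, the allowlist and the constructed demo inputs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example. Requires PHP 7.1+ with the fileinfo extension enabled.
const MAX_UPLOAD_BYTES = 5242880; // same 5 MB limit as the first script on the page

// Detected MIME type => extension assigned by the server (assumed allowlist).
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/gif'       => 'gif',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Decide from the file's content, not from client-sent metadata, whether it
 * is acceptable. Returns the extension to store it under, or null to reject.
 */
function classify_upload(string $path, int $maxBytes = MAX_UPLOAD_BYTES): ?string
{
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_TYPES[$mime] ?? null;
}

/**
 * Store one entry of $_FILES. Returns the stored path, or null if rejected.
 * $destDir should not be a directory where the web server executes scripts.
 */
function store_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    $ext = classify_upload($tmp);
    if ($ext === null) {
        return null;
    }
    // A random name avoids collisions and overwrites, and the client-chosen
    // name (including its extension) never reaches the filesystem.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $target)) {
        return null;
    }
    chmod($target, 0644);
    return $target;
}

// Command-line demonstration on constructed sample files.
if (PHP_SAPI === 'cli') {
    $samples = [
        'PHP source sent as photo.jpg' => "<?php echo 'hello'; ?>\n",
        '1x1 GIF image'                => base64_decode(
            'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'
        ),
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        $ext = classify_upload($tmp);
        echo $label, ': ', $ext === null ? 'rejected' : "accepted as .$ext", "\n";
        unlink($tmp);
    }
}
```

If the original file name has to be shown to users, it can be kept in a database column next to the generated name instead of being used on disk.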