#1 Senior Member (UK, joined May 2003, 2,354 posts)
    A possible client requires a system where users (who register) can upload files.

    I made a simple image upload a while back in PHP.

    However, my client wants the possibility of uploading different types of files.

    I use
    PHP Code:
    $acceptable_files = "image/gif|image/jpeg|image/pjpeg";
    to state which files I want to be uploaded.

    How would I change it to allow different file types?

    And is there a possible security situation, if they try and upload .exe, .com etc?

    Cheers

#2 rosland, Senior Member (Norway, joined Jul 2003, 1,944 posts)
    You can check the file against a set of legal extensions using, for example, 'eregi': http://no2.php.net/manual/en/function.eregi.php

    If you need to find the MIME type: http://no2.php.net/mime_content_type
    S. Rosland

#3 Member (joined Jan 2005, 97 posts)
    Well, since the only security situation would be if they uploaded a script or deleted/replaced files, you would probably just check if the filename is already used or check the extension. Don't use eregi. It's too slow and complicated for something like this (the manual expressly states to use ereg/preg for fancy pattern matching like [a-z][0-9]). This is my code for my uploader:
    Code:
        $valid=true;
        $name=$_FILES['userfile']['name'];
        $uploadpath=$uploaddir.'/'.$name;//$uploaddir is assumed to be set to the upload directory
        //these next few lines check if the user is trying to screw us over by being a 1337 h4x0Rz
        $filename=explode('.',$name);//split the name on dots
        $i=count($filename);
        $ext=$filename[$i-1];//the last piece is the extension
        //checks to see if the filename is already taken, so no overwrites happen
        if (file_exists($uploadpath)) {
            echo 'Filename already taken on the server. Try something else.';
            $valid=false;
        }
        //checks if the file is a php, perl/cgi, javascript, JSP, Shockwave/Flash or htaccess, to prevent some avoidable nastiness
        //(stristr is a substring match, so extensions such as 'tpl' or 'json' are rejected as well)
        if (stristr($ext,'php') || stristr($ext,'pl') || stristr($ext,'cgi') || stristr($ext,'js') || stristr($ext,'swf') || stristr($ext,'jsp') || stristr($ext,'htaccess') || stristr($ext,'phtml') || stristr($ext,'asp')) {
            echo 'Trying to upload a script eh? HAH!';
            $valid=false;
        }
    It checks whether or not a script is uploaded that has the possibility of execution on my server.
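The following is an added example, not code posted in this thread: it turns the extension allowlist and MIME check suggested in #2 and the collision/script check in #3 into one validator. It assumes PHP 7+ with the fileinfo extension, a form field named "userfile", and an upload directory (the hypothetical $uploadDir) that the web server serves as static files only.

```php
<?php
// Added example, not code from the thread: allowlist-based upload check.
// Assumes PHP 7+ with the fileinfo extension, a form field named "userfile",
// and an upload directory $uploadDir that the web server does not execute from.

// Permitted extensions and the MIME type the file's *content* must sniff as.
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

// Returns [true, $targetPath] on success or [false, $reason] on rejection.
function validateUpload(array $file, string $uploadDir): array
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return [false, "Upload failed (error code $err)"];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not an uploaded file'];
    }
    // Only the final extension counts: "shell.php.jpg" yields "jpg" here, and
    // the original name is never used on disk, so it cannot smuggle a path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return [false, "Extension .$ext is not permitted"];
    }
    // Sniff the content; $_FILES['type'] is supplied by the client and
    // is not trustworthy.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "Content type $mime does not match .$ext"];
    }
    // Random server-side name: no overwrites, no attacker-chosen characters.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . ".$ext";
    return [true, $target];
}

[$ok, $result] = validateUpload($_FILES['userfile'] ?? [], __DIR__ . '/uploads');
if ($ok && move_uploaded_file($_FILES['userfile']['tmp_name'], $result)) {
    echo 'Stored as ' . basename($result);
} else {
    echo 'Rejected: ' . htmlspecialchars($ok ? 'could not store the file' : $result);
}
```

Adding a new file type is then one line in ALLOWED_TYPES, and a renamed executable is rejected because its sniffed content does not match the permitted MIME type for that extension.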

#4 rosland, Senior Member (Norway, joined Jul 2003, 1,944 posts)
    I must admit I tend to use preg/eregi more than I should.

    When I was reading up on regular expressions (that can do some fancy search/reference/replace/validate operations), preg and eregi functions are the ones to use.
    I got comfortable with them, and tend to use them where simple string operations would be sufficient.
    Even though an operation like str_replace() is 5 times faster than the eregi_replace equivalent, we're talking less than a fifth of a thousandth of a second for the slowest one (parsing a 500 character string).
    For low traffic sites, you would hardly notice any difference.

    However, you should aim for the simplest/fastest solution.

    Test script parsing a 500 character string:
    PHP Code:
    function Extime() {
        list($msec, $sec) = explode(" ", microtime());
        return ((float)$msec + (float)$sec);
    }

    //Test string
    $text = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat. Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit.";

    $start = Extime();
    $preg = preg_replace("/e/", "|*|", $text);
    $end = Extime();

    print "<b>Original:</b><br />\n$text";
    print "<p><b>Parsed:</b><br />\n$preg";

    //Preg time
    $pregtime = number_format(($end - $start), 6);
    print "<p><i>preg_replace: <b>$pregtime</b> seconds</i>";

    $start = Extime();
    $eregi = eregi_replace("e", "|*|", $text);
    $end = Extime();
    //Eregitime
    $eregitime = number_format(($end - $start), 6);
    print "<p><i>eregi_replace: <b>$eregitime</b> seconds</i>";

    $start = Extime();
    $string = str_replace("e", "|*|", $text);
    $end = Extime();
    //Strtime
    $strtime = number_format(($end - $start), 6);
    print "<p><i>str_replace: <b>$strtime</b> seconds</i>";
    S. Rosland
